removed -S and -P, replaced by -K, keymgmt determines key type automatically

ChangeLog

@@ -91,6 +91,11 @@
 	existing ones (e.g. -a for armor which is an alias
 	for -z).
 
+	Removed options -P and -S, replaced by -K (long:
+	--import-key) used to import a key. The key type
+	is now determined automatically as well as the
+	encoding.
+
 0.2.0	ED25519 and Curve25519 keys are now generated
 	separately (previously they were generated from
 	one random seed, the curve had been derived from

README.pod

@@ -39,9 +39,8 @@ They've to exchange the public key somehow (which is not my
 problem at the moment, use ssh, encrypted mail, whatever). Once exchanged,
 they have to import it:
 
-
  Alicia                             Bobby
- pcp1 -P -I bobby.pub               pcp1 -P -I alicia.pub
+ pcp1 -K -I bobby.pub               pcp1 -K -I alicia.pub
 
 They will see a response as this when done:
 

README.txt

@@ -37,7 +37,7 @@ QUICKSTART
     have to import it:
 
      Alicia                             Bobby
-     pcp1 -P -I bobby.pub               pcp1 -P -I alicia.pub
+     pcp1 -K -I bobby.pub               pcp1 -K -I alicia.pub
 
     They will see a response as this when done:
 

include/pcp/mgmt.h

@@ -298,11 +298,13 @@ Buffer *pcp_export_c_pub(pcp_key_t *sk);
 */
 Buffer *pcp_export_secret(pcp_key_t *sk, char *passphrase);
 
-pcp_ks_bundle_t *pcp_import_pub(byte *raw, size_t rawsize);
+pcp_ks_bundle_t *pcp_import_binpub(byte *raw, size_t rawsize);
+pcp_ks_bundle_t *pcp_import_pub(byte *raw, size_t rawsize); /* FIXME: deprecate */
 pcp_ks_bundle_t *pcp_import_pub_rfc(Buffer *blob);
 pcp_ks_bundle_t *pcp_import_pub_pbp(Buffer *blob);
 
 /* import secret key */
+pcp_key_t *pcp_import_binsecret(byte *raw, size_t rawsize, char *passphrase);
 pcp_key_t *pcp_import_secret(byte *raw, size_t rawsize, char *passphrase);
 pcp_key_t *pcp_import_secret_native(Buffer *cipher, char *passphrase);
 

libpcp/mgmt.c

@@ -170,6 +170,24 @@ int _check_hash_keysig(Buffer *blob, pcp_pubkey_t *p, pcp_keysig_t *sk) {
   
 }
 
+pcp_ks_bundle_t *pcp_import_binpub(byte *raw, size_t rawsize) {
+  Buffer *blob = buffer_new(512, "importblob");
+
+  buffer_add(blob, raw, rawsize);
+
+  /* now, try to disassemble, if it fails, assume pbp format */
+  uint8_t version = buffer_get8(blob);
+
+  if(version == PCP_KEY_VERSION) {
+    /* ah, homerun */
+    return pcp_import_pub_rfc(blob);
+  }
+  else {
+    /* nope, it's probably pbp */
+    return pcp_import_pub_pbp(blob);
+  }
+}
+
 pcp_ks_bundle_t *pcp_import_pub(byte *raw, size_t rawsize) {
   size_t clen;
   byte *bin = NULL;
@@ -703,6 +721,13 @@ Buffer *pcp_export_secret(pcp_key_t *sk, char *passphrase) {
   return out;
 }
 
+pcp_key_t *pcp_import_binsecret(byte *raw, size_t rawsize, char *passphrase) {
+  Buffer *blob = buffer_new(512, "importskblob");
+  buffer_add(blob, raw, rawsize);
+  return pcp_import_secret_native(blob, passphrase);
+}
+
+
 pcp_key_t *pcp_import_secret(byte *raw, size_t rawsize, char *passphrase) {
   size_t clen;
   byte *bin = NULL;
@@ -753,7 +778,8 @@ pcp_key_t *pcp_import_secret_native(Buffer *cipher, char *passphrase) {
 
   cipherlen = buffer_left(cipher);
   if(cipherlen < minlen) {
-    fatal("expected decrypted secret key size %ld is less than minimum len %ld\n", cipherlen, minlen);
+    fatal("failed to decrypt the secret key file:\n"
+	  "expected encrypted secret key size %ld is less than minimum len %ld\n", cipherlen, minlen);
     goto impserr1;
   }
 

man/details.pod

@@ -181,9 +181,7 @@ Here is a list of commandlines and their possible alternatives:
 
  pcp -s -O key.pcp -r Bob    pcp -s -O key.pcp Bob     use 'Bob' as recipient.
 
- pcp -P -I alice.pcp         pcp -P alice.pcp          use 'alice.pcp' as inputfile.
+ pcp -K -I alice.pcp         pcp -K alice.pcp          use 'alice.pcp' as keyfile.
-
- pcp -S -I alice.pcp         pcp -S alice.pcp          use 'alice.pcp' as inputfile.
 
 
 =head1 ENVIRONMENT VARIABLES

man/options.pod

@@ -55,10 +55,9 @@
     --export               been specified, the public part of your
                            primary secret key will be exported.
                            Use -O to export to a file.
- -S --import-secret        Import a secret key. Use -I to import
+ -K --import               Import a key. pcp determines automatically
+    --import-key           the key type and encodingg. Use -I to import
                            from a file.
- -P --import-public        Import a public key. Use -I to import
-    --import               from a file.
  -y --export-yaml          Export all keys stored in your vault
                            as YAML formatted text. Use -O to put
                            the export into a file.

man/pcp.pod

@@ -39,9 +39,8 @@ They've to exchange the public key somehow (which is not my
 problem at the moment, use ssh, encrypted mail, whatever). Once exchanged,
 they have to import it:
 
-
  Alicia                             Bobby
- pcp1 -P -I bobby.pub               pcp1 -P -I alicia.pub
+ pcp1 -K -I bobby.pub               pcp1 -K -I alicia.pub
 
 They will see a response as this when done:
 

src/keymgmt.c

@@ -428,151 +428,6 @@ void pcp_exportpublic(char *keyid, char *passwd, char *outfile, int format, int
 
 
 
-int pcp_importsecret (FILE *in, char *passwd) {
-  byte *buf = ucmalloc(2048);
-  size_t buflen = fread(buf, 1, 2048, in);
-  pcp_key_t *sk = NULL;
-
-  if(buflen > 0) {
-    /* decrypt the input */
-    if(passwd != NULL) {
-      sk = pcp_import_secret(buf, buflen, passwd);
-    }
-    else {
-      char *passphrase;
-      pcp_readpass(&passphrase,
-		   "Enter passphrase to decrypt the secret key file", NULL, 1);
-      sk = pcp_import_secret(buf, buflen, passphrase);
-      memset(passphrase, 0, strlen(passphrase));
-      free(passphrase);
-    }
-    if(sk == NULL) {
-      goto errpcsexpu1;
-    }
-
-    if(debug)
-      pcp_dumpkey(sk);
-
-    pcp_key_t *maybe = pcphash_keyexists(sk->id);
-    if(maybe != NULL) {
-      fatal("Secretkey sanity check: there already exists a key with the id 0x%s\n", sk->id);
-      goto errpcsexpu1;
-    }
-
-
-    /* store it */
-    if(passwd != NULL) {
-      sk = pcpkey_encrypt(sk, passwd);
-    }
-    else {
-      char *passphrase;
-      pcp_readpass(&passphrase,
-		   "Enter passphrase for key encryption",
-		   "Enter the passphrase again", 1);
-    
-      if(strnlen(passphrase, 1024) > 0) {
-	/* encrypt the key */
-	sk = pcpkey_encrypt(sk, passphrase);
-      }
-      else {
-	/* ask for confirmation if we shall store it in the clear */
-	char *yes = pcp_getstdin(
-		 "WARNING: secret key will be stored unencrypted. Are you sure [yes|NO]?");
-	if(strncmp(yes, "yes", 1024) != 0) {
-	  memset(sk, 0, sizeof(pcp_key_t));
-	  free(sk);
-	  memset(passphrase, 0, strlen(passphrase));
-	  goto errpcsexpu1;
-	}
-      }
-    }
-
-    if(sk != NULL) {
-      /* store it to the vault if we got it til here */
-      if(pcp_sanitycheck_key(sk) == 0) {
-	if(pcp_storekey(sk) == 0) {
-	  pcpkey_printshortinfo(sk);
-	  memset(sk, 0, sizeof(pcp_key_t));
-	  free(sk);
-	  return 0;
-	}
-      }
-    }
-  }
-  else {
-    fatal("Input file is empty!\n");
-    goto errpcsexpu1;
-  }
-
- errpcsexpu1:
-  ucfree(buf, 2048);
-
-  return 1;
-}
-
-int pcp_importpublic (vault_t *vault, FILE *in) {
-  byte *buf = ucmalloc(2048);
-  size_t buflen = fread(buf, 1, 2048, in);
-  pcp_keysig_t *sk = NULL;
-  pcp_pubkey_t *pub = NULL;
-
-  if(buflen > 0) {
-    pcp_ks_bundle_t *bundle = pcp_import_pub(buf, buflen);
-
-    if(bundle == NULL)
-      goto errip1;
-
-    pcp_keysig_t *sk = bundle->s;
-
-    if(bundle != NULL) {
-      pcp_pubkey_t *pub = bundle->p;
-
-      if(debug)
-	pcp_dumppubkey(pub);
-
-      if(sk == NULL) {
-	fatals_ifany();
-	char *yes = pcp_getstdin("WARNING: signature doesn't verify, import anyway [yes|NO]?");
-	if(strncmp(yes, "yes", 1024) != 0) {
-	  free(yes);
-	  goto errip1;
-	}
-	free(yes);
-      }
-
-      if(pcp_sanitycheck_pub(pub) == 0) {
-	if(pcpvault_addkey(vault, (void *)pub,  PCP_KEY_TYPE_PUBLIC) == 0) {
-	  fprintf(stderr, "key 0x%s added to %s.\n", pub->id, vault->filename);
-	}
-	else
-	  goto errip2;
-
-	if(sk != NULL) {
-	  if(pcpvault_addkey(vault, sk, sk->type) != 0)
-	    goto errip2;
-	}
-      }
-      else
-	goto errip2;
-    }
-  }
-  else {
-    fatal("Input file is empty!\n");
-    goto errip1;
-  }
-
- errip2:
-  ucfree(pub, sizeof(pcp_pubkey_t));
-
- errip1:
-  if(sk != NULL) {
-    ucfree(sk->blob, sk->size);
-    ucfree(sk, sizeof(pcp_keysig_t));
-  }
-  ucfree(buf, 2048);
-  return 1;
-}
-
 void pcpdelete_key(char *keyid) {
   pcp_pubkey_t *p = pcphash_pubkeyexists(keyid);
   
@@ -699,4 +554,153 @@ char *pcp_find_id_byrec(char *recipient) {
 }
 
 
+int pcp_import (vault_t *vault, FILE *in, char *passwd) {
+  byte *buf = ucmalloc(2048);
+  size_t bufsize;
+  pcp_pubkey_t *pub = NULL;
+  pcp_key_t *sk = NULL;
+  pcp_ks_bundle_t *bundle = NULL;
+  pcp_keysig_t *keysig = NULL;
+  int success = 1; /* default fail */
 
+  Pcpstream *pin = ps_new_file(in);
+  ps_setdetermine(pin, 1024);
+
+  bufsize = ps_read(pin, buf, PCP_BLOCK_SIZE);
+
+  if(bufsize == 0) {
+    fatal("Input file is empty!\n");
+    goto errimp1;
+  }
+
+  /* first try as rfc pub key */
+  bundle = pcp_import_binpub(buf, bufsize);
+  if(bundle != NULL) {
+    keysig = bundle->s;
+    pub = bundle->p;
+
+    if(debug)
+      pcp_dumppubkey(pub);
+
+    if(keysig == NULL) {
+      fatals_ifany();
+      char *yes = pcp_getstdin("WARNING: signature doesn't verify, import anyway [yes|NO]?");
+      if(strncmp(yes, "yes", 1024) != 0) {
+	free(yes);
+	goto errimp2;
+      }
+      free(yes);
+    }
+
+    if(pcp_sanitycheck_pub(pub) == 0) {
+      if(pcpvault_addkey(vault, (void *)pub,  PCP_KEY_TYPE_PUBLIC) == 0) {
+	fprintf(stderr, "key 0x%s added to %s.\n", pub->id, vault->filename);
+	/* avoid double free */
+	pub = NULL;
+	success = 0;
+      }
+      else
+	goto errimp2;
+      
+      if(keysig != NULL) {
+	if(pcpvault_addkey(vault, keysig, keysig->type) != 0) {
+	  /* FIXME: remove pubkey if storing the keysig failed */
+	  goto errimp2;
+	}
+	keysig = NULL;
+      }
+    }
+    else
+      goto errimp2;
+  }
+  else {
+    /* it's not public key, so let's try to interpret it as secret key */
+    if(passwd != NULL) {
+      sk = pcp_import_secret(buf, bufsize, passwd);
+    }
+    else {
+      char *passphrase;
+      pcp_readpass(&passphrase,
+		   "Enter passphrase to decrypt the secret key file", NULL, 1);
+      sk = pcp_import_secret(buf, bufsize, passphrase);
+      ucfree(passphrase, strlen(passphrase));
+    }
+
+    if(sk == NULL) {
+      goto errimp2;
+    }
+
+    if(debug)
+      pcp_dumpkey(sk);
+
+    pcp_key_t *maybe = pcphash_keyexists(sk->id);
+    if(maybe != NULL) {
+      fatal("Secretkey sanity check: there already exists a key with the id 0x%s\n", sk->id);
+      goto errimp2;
+    }
+
+    /* store it */
+    if(passwd != NULL) {
+      sk = pcpkey_encrypt(sk, passwd);
+    }
+    else {
+      char *passphrase;
+      pcp_readpass(&passphrase,
+		   "Enter passphrase for key encryption",
+		   "Enter the passphrase again", 1);
+    
+      if(strnlen(passphrase, 1024) > 0) {
+	/* encrypt the key */
+	sk = pcpkey_encrypt(sk, passphrase);
+	ucfree(passphrase, strlen(passphrase));
+      }
+      else {
+	/* ask for confirmation if we shall store it in the clear */
+	char *yes = pcp_getstdin(
+		 "WARNING: secret key will be stored unencrypted. Are you sure [yes|NO]?");
+	if(strncmp(yes, "yes", 1024) != 0) {
+	  free(yes);
+	  goto errimp1;
+	}
+	free(yes);
+      }
+    }
+
+    if(sk != NULL) {
+      /* store it to the vault if we got it til here */
+      if(pcp_sanitycheck_key(sk) == 0) {
+	if(pcp_storekey(sk) == 0) {
+	  pcpkey_printshortinfo(sk); 
+	  success = 0;
+	  sk = NULL;
+	}
+      }
+    }
+  }
+
+
+errimp2:
+  if(keysig != NULL) {
+    ucfree(keysig->blob, keysig->size);
+    ucfree(keysig, sizeof(pcp_keysig_t));
+  }
+  
+  if(bundle != NULL) {
+    free(bundle);
+  }
+  
+  if(pub != NULL) {
+    ucfree(pub, sizeof(pcp_pubkey_t));
+  }
+  
+  if(sk != NULL) {
+    ucfree(sk, sizeof(pcp_key_t));
+  }
+
+  ucfree(buf, bufsize);
+
+ errimp1:
+  ps_close(pin);
+
+  return success;
+}

src/keymgmt.h

@@ -57,8 +57,7 @@ pcp_key_t *pcp_getrsk(pcp_key_t *s, char *recipient, char *passwd);
 char *pcp_normalize_id(char *keyid);
 pcp_key_t *pcp_find_primary_secret();
 
-int pcp_importpublic (vault_t *vault, FILE *in);
+int pcp_import (vault_t *vault, FILE *in, char *passwd);
-int pcp_importsecret (FILE *in, char *passwd);
 
 void pcpdelete_key(char *keyid);
 char *pcp_find_id_byrec(char *recipient);

src/pcp.c

@@ -90,9 +90,8 @@ int main (int argc, char **argv)  {
     { "export-secret",   no_argument,       NULL,           's' },
     { "export-public",   no_argument,       NULL,           'p' },
     { "export",          no_argument,       NULL,           'p' }, /* alias -p */
-    { "import-secret",   no_argument,       NULL,           'S' },
+    { "import",          no_argument,       NULL,           'K' }, /* alias -P */
-    { "import-public",   no_argument,       NULL,           'P' },
+    { "import-key",      no_argument,       NULL,           'K' }, /* alias -K */
-    { "import",          no_argument,       NULL,           'P' }, /* alias -P */
     { "remove-key",      no_argument,       NULL,           'R' },
     { "edit-key",        no_argument,       NULL,           'E' },    
     { "export-yaml",     no_argument,       NULL,           'y' },
@@ -122,7 +121,7 @@ int main (int argc, char **argv)  {
     { NULL,              0,                 NULL,            0 }
   };
 
-  while ((opt = getopt_long(argc, argv, "klLV:vdehsO:i:I:pSPRtEx:DzaZr:gcymf:b1F:0",
+  while ((opt = getopt_long(argc, argv, "klLV:vdehsO:i:I:pSPRtEx:DzaZr:gcymf:b1F:0K",
 			    longopts, NULL)) != -1) {
   
     switch (opt)  {
@@ -153,12 +152,8 @@ int main (int argc, char **argv)  {
 	mode += PCP_MODE_EXPORT_PUBLIC;
 	usevault = 1;
 	break;
-      case 'P':
+      case 'K':
-	mode += PCP_MODE_IMPORT_PUBLIC;
+	mode += PCP_MODE_IMPORT;
-	usevault = 1;
-	break;
-      case 'S':
-	mode += PCP_MODE_IMPORT_SECRET;
 	usevault = 1;
 	break;
       case 'R':
@@ -344,8 +339,7 @@ int main (int argc, char **argv)  {
       }
       break;
 
-    case PCP_MODE_IMPORT_PUBLIC:
+    case PCP_MODE_IMPORT: 
-    case PCP_MODE_IMPORT_SECRET:
       if(infile == NULL)
 	infile = extra;
       break;
@@ -436,7 +430,7 @@ int main (int argc, char **argv)  {
 	  free(recipient);
 	break;
 
-      case PCP_MODE_IMPORT_PUBLIC:
+      case PCP_MODE_IMPORT:
 	if(infile == NULL)
 	  in = stdin;
 	else {
@@ -446,20 +440,7 @@ int main (int argc, char **argv)  {
 	    break;
 	  }
 	}
-	pcp_importpublic(vault, in);
+	pcp_import(vault, in, xpass);
-	break;
-
-      case PCP_MODE_IMPORT_SECRET:
-	if(infile == NULL)
-	  in = stdin;
-	else {
-	  if((in = fopen(infile, "rb")) == NULL) {
-	    fatal("Could not open input file %s\n", infile);
-	    free(infile);
-	    break;
-	  }
-	}
-	pcp_importsecret(in, xpass);
 	break;
 
       case PCP_MODE_DELETE_KEY:

src/pcp.h

@@ -54,8 +54,8 @@
 #define PCP_MODE_LISTKEYS      0x00000004
 #define PCP_MODE_EXPORT_SECRET 0x00000009
 #define PCP_MODE_EXPORT_PUBLIC 0x00000011
-#define PCP_MODE_IMPORT_SECRET 0x00000020
+#define PCP_MODE_IMPORT        0x00000020
-#define PCP_MODE_IMPORT_PUBLIC 0x00000038
+#define PCP_MODE_ENCRYPT_ME    0x00000038
 #define PCP_MODE_DELETE_KEY    0x00000061
 #define PCP_MODE_TEXT          0x000000A6
 #define PCP_MODE_EDIT          0x0000011D
@@ -66,7 +66,6 @@
 #define PCP_MODE_SIGN          0x00000FF6
 #define PCP_MODE_VERIFY        0x00001B25
 #define PCP_MODE_YAML          0x00002E27
-#define PCP_MODE_ENCRYPT_ME    0x00004E77
 
 /*
 0x00001B25

src/usage.h

@@ -3,7 +3,7 @@
 #define PCP_HELP "\n" \
 "Usage: pcp1 [ --help          | --version ]\n" \
 "            [ --keygen        | --listkeys      | --remove-key | --edit-key ]\n" \
-"            [ --export-public | --export-secret | --import-public | --import-secret ]\n" \
+"            [ --export-public | --export-secret | --import ]\n" \
 "            [ --encrypt       | --decrypt ]\n" \
 "            [ --sign          | --check-signature ]\n" \
 "            [ arguments ]\n" \

src/usage.txt

@@ -1,7 +1,7 @@
 
 Usage: pcp1 [ --help          | --version ]
             [ --keygen        | --listkeys      | --remove-key | --edit-key ]
-            [ --export-public | --export-secret | --import-public | --import-secret ]
+            [ --export-public | --export-secret | --import ]
             [ --encrypt       | --decrypt ]
             [ --sign          | --check-signature ]
             [ arguments ]

tests/unittests.cfg

@@ -142,7 +142,7 @@ dxmorg@florida.cops.gov
 </test>
 
 <test check-import-public-key>
-  cmd = $pcp -V $vault -P -I bart.pub
+  cmd = $pcp -V $vault -K -I bart.pub
   expect = /key $bartid added/
 </test>
 
@@ -197,12 +197,12 @@ temporarily disabled
   # alicias part
   prepare = echo ${md5msg} > testmessage
   <test check-crypto-alicia-import-secret>
-    cmd = $pcp -V va -S -I key-alicia-sec -x a
+    cmd = $pcp -V va -K -I key-alicia-sec -x a
     expect = /${idalicia}/
   </test>
 
   <test check-crypto-alicia-import-bobbys-key>
-    cmd = $pcp -V va -P -I key-bobby-pub
+    cmd = $pcp -V va -K -I key-bobby-pub
     expect = /${idbobby}/
   </test>
 
@@ -215,12 +215,12 @@ temporarily disabled
 <test check-crypto-bobby-init>
   # bobbys part
   <test check-crypto-bobby-import-secret>
-    cmd = $pcp -V vb -S -I key-bobby-sec -x b
+    cmd = $pcp -V vb -K -I key-bobby-sec -x b
     expect = /${idbobby}/
   </test>
 
   <test check-crypto-alicia-import-alicias-key>
-    cmd = $pcp -V vb -P -I key-alicia-pub
+    cmd = $pcp -V vb -K -I key-alicia-pub
     expect = /${idalicia}/
   </test>
 
@@ -262,7 +262,7 @@ temporarily disabled
   </test>
 
   <test check-vcl-prepare-import-bpub>
-    cmd = $pcp -V vcl -I key-bobby-pub -P
+    cmd = $pcp -V vcl -I key-bobby-pub -K
     expect = /added/
   </test>
 
@@ -272,12 +272,12 @@ temporarily disabled
   </test>
 
   <test check-vcl-import-bsecret>
-    cmd = $pcp -V vb2 -S -I key-bobby-sec -x b
+    cmd = $pcp -V vb2 -K -I key-bobby-sec -x b
     expect = /${idbobby}/
   </test>
 
   <test check-vcl-import-unencrypted-pubkey>
-    cmd =  $pcp -V vb2 -P -I testkeyvcl
+    cmd =  $pcp -V vb2 -K -I testkeyvcl
     expect = /added/
   </test>
 
@@ -350,12 +350,12 @@ temporarily disabled
 #
 # negative tests, check for error handling
 <test check-if-catch-conflicting-params>
-  cmd = $pcp -V $vault -S -P
+  cmd = $pcp -V $vault -K -K
   expect = /invalid combination of commandline parameters/
 </test>
 
 <test check-infile-error>
-  cmd = $pcp -V $vault -I nonexist -P
+  cmd = $pcp -V $vault -I nonexist -K
   expect = /Could not open input file nonexist/
 </test>
 
@@ -414,7 +414,7 @@ temporarily disabled
 </test>
 
 <test check-if-export-public-catch-outfile-error>
-  prepare = $pcp -V $vault -P -I bart.pub
+  prepare = $pcp -V $vault -K -I bart.pub
   cmd =  $pcp -V $vault -l | grep public | cut -d ' ' -f 1 \
          | tail -1 | xargs $pcp -V $vault -p -O nonexistentdir/keyfile
   expect = /Could not create output file nonexistentdir/
@@ -422,13 +422,13 @@ temporarily disabled
 
 <test check-if-catch-empty-input>
   prepare = touch testfile-empty
-  cmd = $pcp -V $vault -P -I testfile-empty
+  cmd = $pcp -V $vault -K -I testfile-empty
   expect = /file is empty/
 </test>
 
 <test check-if-catch-missing-newlines>
   prepare = perl -e 'print "X" x 5000; print "\n"' > testfile-toolong
-  cmd = $pcp -V $vault -P -I testfile-toolong
+  cmd = $pcp -V $vault -K -I testfile-toolong -x x
   expect = /failed/
 </test>
 
@@ -439,7 +439,7 @@ temporarily disabled
 <test check-if-catch-invalid-z85>
   prepare = ./jot 30 | while read ignore; do \
             echo XXXXXXXXXXXXXXXXXX; done > testfile-noz85
-  cmd = $pcp -V $vault -P -I testfile-noz85
+  cmd = $pcp -V $vault -K -I testfile-noz85
   expect = /could not decode input/
 </test>
 */
@@ -447,17 +447,12 @@ temporarily disabled
 <test check-if-catch-nokey-behind-z85>
   prepare = ./jot 30 | while read ignore; do echo XXXXX; done \
             | $pcp -z > testfile-nokey
-  cmd = $pcp -V $vault -P -I testfile-nokey
+  cmd = $pcp -V $vault -K -I testfile-nokey -x x
-  expect = /failed/
-</test>
-
-<test check-if-sanity-catch-nosecret>
-  cmd = $pcp -V $vault -S -I bart.pub -x a
   expect = /failed/
 </test>
 
 <test check-if-sanity-catch-keyexists>
-  cmd = $pcp -V $vault -P -I bart.pub
+  cmd = $pcp -V $vault -K -I bart.pub
   expect = /there already exists a key/
 </test>
 
@@ -471,26 +466,26 @@ temporarily disabled
   prepare = ./invalidkeys
 
 <test check-testkey-wrong-version>
-  cmd = $pcp -V $vault -S -I testkey-wrong-version -x xxx
+  cmd = $pcp -V $vault -K -I testkey-wrong-version -x xxx
   expect = /unknown key version/
 </test>
 
 <test check-testkey-wrong-serial>
-  cmd = $pcp -V $vault -S -I testkey-wrong-serial -x xxx
+  cmd = $pcp -V $vault -K -I testkey-wrong-serial -x xxx
   expect = /invalid serial number/
 </test>
 <test check-testkey-wrong-ctime>
-  cmd = $pcp -V $vault -S -I testkey-invalid-ctime -x xxx
+  cmd = $pcp -V $vault -K -I testkey-invalid-ctime -x xxx
   expect = /invalid creation timestamp/
 </test>
 /*
 <test check-testpubkey-wrong-type>
-  cmd = $pcp -V $vault -P -I testpubkey-wrong-type
+  cmd = $pcp -V $vault -K -I testpubkey-wrong-type
   expect = /key type is not PUBLIC/
 </test>
 
 <test check-testpubkey-wrong-version>
-  cmd = $pcp -V $vault -P -I testpubkey-wrong-version
+  cmd = $pcp -V $vault -K -I testpubkey-wrong-version
   expect = /unknown key version/
 </test>
 */