scip/pcp
1
0
Fork 0
mirror of https://codeberg.org/scip/pcp.git synced 2025-12-17 12:00:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

re-implemented signature system to match the standard (orinal input, including sig for full sig; or 32k blockwise hash of input and sig from hash attached to original input without the hash), verify_buffered currently not implemented, armored sig only for output.

Browse Source
This commit is contained in:
git@daemon.de
2014-01-23 15:40:06 +01:00
parent f09d4774cb
commit c717c060ec
12 changed files with 161 additions and 319 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
bindings/cpp/sign++.h
View File

@@ -42,7 +42,7 @@ namespace pcp {
PubKey P;
Key S;
Vault vault;
pcp_sig_t *sig;
unsigned char *sig;
// constructors
Signature(Key &skey); // sign only
@@ -55,14 +55,12 @@ namespace pcp {
// PK signature methods
// sender pubkey is P
std::string sign(std::vector<unsigned char> message);
std::string sign(std::string message);
std::string sign(unsigned char *message, size_t mlen);
unsigned char *sign(std::vector<unsigned char> message);
unsigned char *sign(unsigned char *message, size_t mlen);
// verify using P or use vault if defined
bool verify(std::string signature, std::string message);
bool verify(std::string signature, std::vector<unsigned char> message);
bool verify(std::string signature, unsigned char *message, size_t mlen);
bool verify(std::vector<unsigned char> message);
bool verify(unsigned char *signature, size_t mlen);
};
};

77
bindings/cpp/sign.cpp
View File

@@ -55,101 +55,46 @@ Signature::~Signature() {
free(sig);
}
std::string Signature::sign(std::vector<unsigned char> message) {
unsigned char *Signature::sign(std::vector<unsigned char> message) {
unsigned char *m = (unsigned char *)ucmalloc(message.size());
for(size_t i=0; i<message.size(); ++i)
m[i] = message[i];
string _s = Signature::sign(m, message.size());
free(m);
return _s;
return Signature::sign(m, message.size());
}
std::string Signature::sign(std::string message) {
unsigned char *m = (unsigned char *)ucmalloc(message.size() + 1);
memcpy(m, message.c_str(), message.size());
string _s = Signature::sign(m, message.size() + 1);
free(m);
return _s;
}
std::string Signature::sign(unsigned char *message, size_t mlen) {
unsigned char *Signature::sign(unsigned char *message, size_t mlen) {
if(! S)
throw exception("Error: cannot sign without a secret key, use another constructor.");
if(S.is_encrypted())
throw exception("Error: cannot sign with an encrypted secret key, decrypt it before using.");
size_t zlen;
sig = pcp_ed_sign(message, mlen, S.K);
if(sig == NULL)
throw exception();
sig2be(sig);
char *encoded = pcp_z85_encode((unsigned char *)sig, sizeof(pcp_sig_t), &zlen);
sig2native(sig);
if(encoded == NULL)
throw exception();
// FIXME: who free()s encoced?
return string((char *)encoded);
return sig;
}
bool Signature::verify(string signature, vector<unsigned char> message) {
bool Signature::verify(vector<unsigned char> message) {
unsigned char *m = (unsigned char *)ucmalloc(message.size());
for(size_t i=0; i<message.size(); ++i)
m[i] = message[i];
bool _b = Signature::verify(signature, m, message.size());
bool _b = Signature::verify(m, message.size());
free(m);
return _b;
}
bool Signature::verify(string signature, string message) {
unsigned char *m = (unsigned char *)ucmalloc(message.size() + 1);
memcpy(m, message.c_str(), message.size());
bool _b = Signature::verify(signature, m, message.size() + 1);
free(m);
return _b;
}
bool Signature::verify(string signature, unsigned char *message, size_t mlen) {
size_t clen;
unsigned char *decoded = pcp_z85_decode((char *)signature.c_str(), &clen);
if(decoded == NULL)
throw exception();
if(clen != sizeof(pcp_sig_t)) {
free(decoded);
throw exception("Error: decoded signature didn't result to a proper sized sig!");
}
sig = (pcp_sig_t *)decoded;
sig2native(sig);
string sigid = string((char *)sig->id);
bool Signature::verify(unsigned char *signature, size_t mlen) {
unsigned char *message;
if(!P) {
if(havevault) {
if(vault.pubkey_exists(sigid)) {
P = vault.get_public(sigid);
}
else {
throw exception("Unable to verify, signed using an unknown key.");
}
}
else {
throw exception("No public key and no vault specified, unable to verify.");
}
}
else {
if(P.get_id() != sigid) {
throw exception("Specified public key doesn't match the signers key.");
}
throw exception("No public key specified, unable to verify.");
}
if(pcp_ed_verify(message, mlen, sig, P.K) == 0) {
message = pcp_ed_verify(signature, mlen, P.K);
if(message != NULL) {
return true;
}
else {

5
include/pcp/defines.h
View File

@@ -40,8 +40,9 @@ typedef unsigned int qbyte; // Quad byte = 32 bits
#define PCP_ZFILE_HEADER "----- BEGIN Z85 ENCODED FILE -----"
#define PCP_ZFILE_FOOTER "------ END Z85 ENCODED FILE ------"
#define PCP_SIG_HEADER "----- BEGIN PCP SIGNATURE FILE -----"
#define PCP_SIG_FOOTER "------ END PCP SIGNATURE FILE ------"
#define PCP_SIG_HEADER "----- BEGIN PCP SIGNED MESSAGE -----"
#define PCP_SIG_START "----- BEGIN PCP SIGNATURE -----"
#define PCP_SIG_END "------ END PCP SIGNATURE ------"
#define PCP_ME "Pretty Curved Privacy"

33
include/pcp/ed.h
View File

@@ -19,6 +19,10 @@
You can contact me by mail: <tlinden AT cpan DOT org>.
*/
/*
ED25519 signatures. Currently unbuffered
*/
#ifndef _HAVE_PCP_ED_H
#define _HAVE_PCP_ED_H
@@ -32,24 +36,19 @@
#include "mem.h"
#include "key.h"
struct _pcp_sig_t {
byte edsig[crypto_sign_BYTES];
char id[17];
uint64_t ctime;
uint32_t version;
};
/* sign a message of messagesize using s->edsecret, if it works
return message+signature (size: messagesize + crypto_sign_BYTES),
returns NULL otherwise */
unsigned char *pcp_ed_sign(unsigned char *message, size_t messagesize, pcp_key_t *s);
typedef struct _pcp_sig_t pcp_sig_t;
/* verify a signature of siglen size using p->edpub, if the signature verifies
return the raw message with the signature removed (size: siglen - crypto_sign_BYTES),
returns NULL otherwise */
unsigned char * pcp_ed_verify(unsigned char *signature, size_t siglen, pcp_pubkey_t *p);
int pcp_ed_verify(unsigned char *input, size_t inputlen,
pcp_sig_t *sig, pcp_pubkey_t *p);
pcp_sig_t *pcp_ed_sign(unsigned char *message,
size_t messagesize, pcp_key_t *s);
pcp_sig_t *sig2native(pcp_sig_t *k);
pcp_sig_t *sig2be(pcp_sig_t *k);
pcp_sig_t *pcp_ed_newsig(unsigned char *hash, char *id);
/* same as pcp_ed_sign() but work on i/o directly, we're making a hash
of the input 32k-wise, copy in=>out, sign the hash and append the
sig only to the output */
size_t pcp_ed_sign_buffered(FILE *in, FILE *out, pcp_key_t *s, int z85);
#endif // _HAVE_PCP_ED_H

118
libpcp/ed.c
View File

@@ -21,79 +21,81 @@
#include "ed.h"
int pcp_ed_verify(unsigned char *input, size_t inputlen, pcp_sig_t *sig, pcp_pubkey_t *p) {
unsigned char *message = ucmalloc(inputlen + crypto_sign_BYTES);
unsigned char *tmpsig = ucmalloc(inputlen + crypto_sign_BYTES); // from sig
size_t mlen = 0;
unsigned char * pcp_ed_verify(unsigned char *signature, size_t siglen, pcp_pubkey_t *p) {
unsigned char *message = ucmalloc(siglen - crypto_sign_BYTES);
size_t mlen;
memcpy(tmpsig, sig->edsig, crypto_sign_BYTES);
memcpy(&tmpsig[crypto_sign_BYTES], input, inputlen);
if(crypto_sign_open(message, &mlen, tmpsig, inputlen + crypto_sign_BYTES, p->edpub) != 0) {
if(crypto_sign_open(message, &mlen, signature, siglen, p->edpub) != 0) {
fatal("Failed to open the signature using the public key 0x%s!\n", p->id);
goto errve1;
}
if(memcmp(message, input, inputlen) != 0) {
fatal("Failed to verify the signature, signed messages differ!\n");
goto errve1;
}
free(tmpsig);
free(message);
return 0;
return message;
errve1:
free(message);
free(tmpsig);
return 1;
return NULL;
}
pcp_sig_t *pcp_ed_sign(unsigned char *message, size_t messagesize, pcp_key_t *s) {
unsigned char *pcp_ed_sign(unsigned char *message, size_t messagesize, pcp_key_t *s) {
size_t mlen = messagesize + crypto_sign_BYTES;
unsigned char *tmp = ucmalloc(mlen);
unsigned char *signature = ucmalloc(crypto_sign_BYTES);
unsigned char *signature = ucmalloc(mlen);
crypto_sign(tmp, &mlen, message, messagesize, s->edsecret);
crypto_sign(signature, &mlen, message, messagesize, s->edsecret);
memcpy(signature, tmp, crypto_sign_BYTES);
pcp_sig_t *sig = pcp_ed_newsig(signature, s->id);
memset(tmp, 0, mlen);
free(tmp);
return sig;
return signature;
}
pcp_sig_t *pcp_ed_newsig(unsigned char *hash, char *id) {
pcp_sig_t *sig = ucmalloc(sizeof(pcp_sig_t));
sig->version = PCP_SIG_VERSION;
sig->ctime = (long)time(0);
memcpy(sig->edsig, hash, crypto_sign_BYTES);
memcpy(sig->id, id, 17);
return sig;
}
size_t pcp_ed_sign_buffered(FILE *in, FILE *out, pcp_key_t *s, int z85) {
unsigned char in_buf[PCP_BLOCK_SIZE];
size_t cur_bufsize = 0;
crypto_generichash_state *st = ucmalloc(sizeof(crypto_generichash_state));
unsigned char hash[crypto_generichash_BYTES_MAX];
pcp_sig_t *sig2native(pcp_sig_t *s) {
#ifdef __CPU_IS_BIG_ENDIAN
return s;
#else
s->version = be32toh(s->version);
s->ctime = be64toh(s->ctime);
return s;
#endif
}
crypto_generichash_init(st, NULL, 0, 0);
pcp_sig_t *sig2be(pcp_sig_t *s) {
#ifdef __CPU_IS_BIG_ENDIAN
return s;
#else
s->version = htobe32(s->version);
s->ctime = htobe64(s->ctime);
return s;
#endif
}
if(z85)
fprintf(out, "%s\nHash: Blake2\n\n", PCP_SIG_HEADER);
while(!feof(in)) {
cur_bufsize = fread(&in_buf, 1, PCP_BLOCK_SIZE, in);
if(cur_bufsize <= 0)
break;
crypto_generichash_update(st, in_buf, cur_bufsize);
fwrite(in_buf, cur_bufsize, 1, out);
}
if(ferror(out) != 0) {
fatal("Failed to write encrypted output!\n");
free(st);
return 0;
}
crypto_generichash_final(st, hash, crypto_generichash_BYTES_MAX);
size_t mlen = + crypto_sign_BYTES + crypto_generichash_BYTES_MAX;
unsigned char *signature = ucmalloc(mlen);
crypto_sign(signature, &mlen, hash, crypto_generichash_BYTES_MAX, s->edsecret);
if(z85) {
if(in_buf[cur_bufsize] != '\n')
fprintf(out, "\n");
fprintf(out, "%s\nVersion: PCP v%d.%d.%d\n\n", PCP_SIG_START, PCP_VERSION_MAJOR, PCP_VERSION_MINOR, PCP_VERSION_PATCH);
size_t zlen;
char *z85encoded = pcp_z85_encode((unsigned char*)signature, crypto_sign_BYTES, &zlen);
fprintf(out, "%s\n%s\n", z85encoded, PCP_SIG_END);
}
else {
fwrite(signature, crypto_sign_BYTES, 1, out);
}
if(fileno(in) != 0)
fclose(in);
if(fileno(out) != 1)
fclose(out);
free(st);
return mlen; // ???
}

4
src/encryption.c
View File

@@ -137,7 +137,7 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
pcp_pubkey_t *tmp = NULL;
pcp_pubkey_t *pub = NULL;
pcp_key_t *secret = NULL;
unsigned char *symkey;
unsigned char *symkey = NULL;
int self = 0;
if(id == NULL && recipient == NULL) {
@@ -256,7 +256,7 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
}
}
size_t clen;
size_t clen = 0;
if(self == 1)
pcp_encrypt_file_sym(in, out, symkey, 0);

27
src/keyprint.c
View File

@@ -102,33 +102,6 @@ int pcptext_infile(char *infile) {
}
}
if(clen == sizeof(pcp_sig_t)) {
// a signature?
pcp_sig_t *sig = (pcp_sig_t *)bin;
sig2native(sig);
if(sig->version == PCP_SIG_VERSION) {
// looks valid
fprintf(stdout, "%s is an ed25519 signature file:\n", infile);
struct tm *c;
time_t t = (time_t)sig->ctime;
c = localtime(&t);
fprintf(stdout, "Signed by key: 0x%s\n", sig->id);
fprintf(stdout, "Creation Time: %04d-%02d-%02dT%02d:%02d:%02d\n",
c->tm_year+1900, c->tm_mon+1, c->tm_mday,
c->tm_hour, c->tm_min, c->tm_sec);
fprintf(stdout, " Signature: ");
pcpprint_bin(stdout, sig->edsig, crypto_sign_BYTES);
fprintf(stdout, "\n");
free(sig);
goto tdone;
}
else {
fprintf(stdout, "%s looks like a ed255 signature but failed sanity checking.\n", infile);
free(sig);
goto errtinf1;
}
}
// still there?
fprintf(stdout, "%s looks Z85 encoded but otherwise unknown and is possibly encrypted.\n", infile);

38
src/pcp.c
View File

@@ -44,11 +44,10 @@ char *default_vault() {
}
int main (int argc, char **argv) {
int opt, mode, usevault, useid, userec, lo;
int opt, mode, usevault, useid, userec, lo, armor;
char *vaultfile = default_vault();
char *outfile = NULL;
char *infile = NULL;
char *sigfile = NULL;
char *keyid = NULL;
char *id = NULL;
char *xpass = NULL;
@@ -63,6 +62,7 @@ int main (int argc, char **argv) {
useid = 0;
userec = 0;
lo = 0;
armor = 0;
static struct option longopts[] = {
// generics
@@ -101,11 +101,11 @@ int main (int argc, char **argv) {
// signing
{ "sign", no_argument, NULL, 'g' },
{ "check-signature", required_argument, NULL, 'c' },
{ "check-signature", no_argument, NULL, 'c' },
{ NULL, 0, NULL, 0 }
};
while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gc:ym",
while ((opt = getopt_long(argc, argv, "klV:vdehsO:i:I:pSPRtEx:DzZr:gcym",
longopts, NULL)) != -1) {
switch (opt) {
@@ -166,10 +166,10 @@ int main (int argc, char **argv) {
usevault = 1;
break;
case 'z':
mode += PCP_MODE_ZENCODE;
armor = 1;
break;
case 'Z':
mode += PCP_MODE_ZDECODE;
armor = 1;
break;
case 'g':
mode += PCP_MODE_SIGN;
@@ -177,8 +177,6 @@ int main (int argc, char **argv) {
break;
case 'c':
mode += PCP_MODE_VERIFY;
sigfile = ucmalloc(strlen(optarg)+1);
strncpy(sigfile, optarg, strlen(optarg)+1);
usevault = 1;
break;
case 'y':
@@ -234,6 +232,11 @@ int main (int argc, char **argv) {
sodium_init(); // FIXME: better called from the lib?
if(mode == PCP_MODE_ENCRYPT && useid == 0 && userec == 0) {
usevault = 0;
mode = PCP_MODE_ENCRYPT_ME;
}
if(usevault == 1) {
pcphash_init();
vault = pcpvault_init(vaultfile);
@@ -340,10 +343,6 @@ int main (int argc, char **argv) {
// multiple dst
pcpencrypt(NULL, infile, outfile, xpass, recipient);
}
else if(useid == 0 && userec == 0) {
// self mode, same as -m
pcpencrypt(NULL, infile, outfile, xpass, NULL);
}
else {
// -i and -r specified
fatal("You can't specify both -i and -r, use either -i or -r!\n");
@@ -373,11 +372,20 @@ int main (int argc, char **argv) {
break;
case PCP_MODE_SIGN:
pcpsign(infile, outfile, xpass);
pcpsign(infile, outfile, xpass, armor);
break;
case PCP_MODE_VERIFY:
pcpverify(infile, sigfile);
if(useid) {
id = pcp_normalize_id(keyid);
if(id != NULL) {
pcpverify(infile, id);
free(id);
}
}
else {
pcpverify(infile, NULL);
}
break;
case PCP_MODE_YAML:
@@ -434,7 +442,7 @@ int main (int argc, char **argv) {
default:
// mode params mixed
fatal("Sorry, invalid combination of commandline parameters!\n");
fatal("Sorry, invalid combination of commandline parameters (0x%04X)!\n", mode);
break;
}
}

148
src/signature.c
View File

@@ -23,7 +23,7 @@
#include "signature.h"
#include "defines.h"
int pcpsign(char *infile, char *outfile, char *passwd) {
int pcpsign(char *infile, char *outfile, char *passwd, int z85) {
FILE *in = NULL;
FILE *out = NULL;
pcp_key_t *secret = NULL;
@@ -34,14 +34,12 @@ int pcpsign(char *infile, char *outfile, char *passwd) {
goto errs1;
}
if(infile == NULL)
in = stdin;
else {
if((in = fopen(infile, "rb")) == NULL) {
fatal("Could not open input file %s\n", infile);
goto errs2;
goto errs1;
}
}
@@ -50,7 +48,7 @@ int pcpsign(char *infile, char *outfile, char *passwd) {
else {
if((out = fopen(outfile, "wb+")) == NULL) {
fatal("Could not open output file %s\n", outfile);
goto errs2;
goto errs1;
}
}
@@ -68,82 +66,26 @@ int pcpsign(char *infile, char *outfile, char *passwd) {
secret = pcpkey_decrypt(secret, passphrase);
if(secret == NULL)
goto errs3;
goto errs1;
}
unsigned char *input = NULL;
size_t inputBufSize = 0;
unsigned char byte[1];
size_t sigsize = pcp_ed_sign_buffered(in, out, secret, z85);
while(!feof(in)) {
if(!fread(&byte, 1, 1, in))
break;
unsigned char *tmp = realloc(input, inputBufSize + 1);
input = tmp;
memmove(&input[inputBufSize], byte, 1);
inputBufSize ++;
}
fclose(in);
if(sigsize == 0)
goto errs1;
if(inputBufSize == 0) {
fatal("Input file is empty!\n");
goto errs4;
}
size_t zlen;
pcp_sig_t *signature = pcp_ed_sign(input, inputBufSize, secret);
// scip
//printf("sigsize: %d\n", (int)sizeof(pcp_sig_t));
//pcp_dumpsig(signature);
if(signature == NULL)
goto errs5;
sig2be(signature);
char *encoded = pcp_z85_encode((unsigned char *)signature, sizeof(pcp_sig_t), &zlen);
if(encoded == NULL)
goto errs6;
fprintf(out, "%s\n%s\n%s\n", PCP_SIG_HEADER, encoded, PCP_SIG_FOOTER);
if(ferror(out) != 0) {
fatal("Failed to write encrypted output!\n");
goto errs7;
}
fprintf(stderr, "Signed %d bytes successfully\n",
(int)inputBufSize);
fclose(out);
free(encoded);
free(signature);
fprintf(stderr, "Signed %ld bytes successfully\n", sigsize);
return 0;
errs7:
free(encoded);
errs6:
free(signature);
errs5:
errs4:
free(input);
errs3:
errs2:
errs1:
return 1;
}
int pcpverify(char *infile, char *sigfile) {
int pcpverify(char *infile, char *id) {
FILE *in = NULL;
FILE *sigin = NULL;
pcp_pubkey_t *pub = NULL;
unsigned char *message = NULL;
if(infile == NULL)
in = stdin;
@@ -154,36 +96,16 @@ int pcpverify(char *infile, char *sigfile) {
}
}
if((sigin = fopen(sigfile, "rb")) == NULL) {
fatal("Could not open signature file %s\n", sigfile);
goto errv1;
}
char *encoded = pcp_readz85file(sigin);
if(encoded == NULL)
goto errv1;
size_t clen;
unsigned char *decoded = pcp_z85_decode((char *)encoded, &clen);
if(decoded == NULL)
goto errv2;
if(clen != sizeof(pcp_sig_t)) {
fatal("Error: decoded signature file didn't result to a proper sized sig! (got %d bytes)\n", clen);
goto errv2;
}
pcp_sig_t *sig = (pcp_sig_t *)decoded;
sig2native(sig);
HASH_FIND_STR(pcppubkey_hash, sig->id, pub);
if(id != NULL)
HASH_FIND_STR(pcppubkey_hash, id, pub);
/*
if(pub == NULL) {
fatal("Could not find a usable public key in vault %s!\n",
vault->filename);
goto errv3;
}
*/
unsigned char *input = NULL;
size_t inputBufSize = 0;
@@ -204,37 +126,35 @@ int pcpverify(char *infile, char *sigfile) {
goto errv4;
}
if(pcp_ed_verify(input, inputBufSize, sig, pub) == 0) {
fprintf(stderr, "Signature verified.\n");
if(pub != NULL) {
message = pcp_ed_verify(input, inputBufSize, pub);
if(message != NULL) {
fprintf(stderr, "Signature verified (signed by %s <%s>).\n", pub->owner, pub->mail);
}
}
else {
pcphash_iteratepub(pub) {
message = pcp_ed_verify(input, inputBufSize, pub);
if(message != NULL) {
fprintf(stderr, "Signature verified (signed by %s <%s>).\n", pub->owner, pub->mail);
break;
}
}
}
free(decoded);
free(encoded);
if(message == NULL) {
fprintf(stderr, "Could not verify ignature\n");
}
else
free(message);
free(input);
return 0;
errv4:
free(input);
errv3:
free(decoded);
errv2:
// free(encoded); why???
errv1:
return 1;
}
void pcp_dumpsig(pcp_sig_t *sig) {
printf(" ed: ");
pcpprint_bin(stdout, sig->edsig, crypto_sign_BYTES);printf("\n");
printf(" id: %s\n", sig->id);
printf(" ctime: %ld\n", sig->ctime);
printf("version: %04x\n", sig->version);
}

4
src/signature.h
View File

@@ -32,8 +32,8 @@
#include "uthash.h"
#include "z85.h"
int pcpsign(char *infile, char *outfile, char *passwd);
int pcpverify(char *infile, char *sigfile);
int pcpsign(char *infile, char *outfile, char *passwd, int z85);
int pcpverify(char *infile, char *id);

5
tests/cpptest.cpp
View File

@@ -95,9 +95,10 @@ void test3() {
Signature SigA(A);
Signature SigB(PA);
string sig = SigA.sign(message);
unsigned char *sig = SigA.sign((unsigned char*)message.c_str(), message.length());
if(SigB.verify(sig, message) )
// FIXME: bad api here
if(SigB.verify(sig, message.length() + crypto_sign_BYTES) )
cout << "3 ok" << endl;
}

9
tests/unittests.cfg
View File

@@ -129,11 +129,6 @@ dxmorg@florida.cops.gov
expect = /encrypted/
</test>
<test check-determine-signature>
cmd = $pcp -t -I unknown5
expect = /ed25519/
</test>
#
# encryption tests
<test check-crypto-alicia-init>
@@ -221,7 +216,7 @@ dxmorg@florida.cops.gov
expect-file testsig
</test>
<test check-verify-signature>
cmd = $pcp -V vb -c testsig -I README
cmd = $pcp -V vb -c -I testsig -i $idalicia
expect = /verified/
</test>
@@ -393,7 +388,7 @@ dxmorg@florida.cops.gov
<test check-testpubkey-invalid-id>
prepare = ./invalidkeys
cmd = $pcp -V $vault -P -I testpubkey-invalid-id
expect = /nvalid key id/
expect = /(invalid key id|could not decode input)/
</test>
<test check-testpubkey-wrong-serial>