X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/blobdiff_plain/4739c68a6cb81cae53cd7df694ecd6176d6f11f8..8cd9f01dac408893755906282d79284c1ee7ddd6:/keyutil.c

diff --git a/keyutil.c b/keyutil.c
index 13b8784..74f6409 100644
--- a/keyutil.c
+++ b/keyutil.c
@@ -1,13 +1,13 @@
 /* -*-c-*-
  *
- * $Id: keyutil.c,v 1.25 2004/04/21 00:38:22 mdw Exp $
+ * $Id$
  *
  * Simple key manager program
  *
  * (c) 1999 Straylight/Edgeware
  */
 
-/*----- Licensing notice --------------------------------------------------* 
+/*----- Licensing notice --------------------------------------------------*
  *
  * This file is part of Catacomb.
  *
@@ -15,12 +15,12 @@
  * it under the terms of the GNU Library General Public License as
  * published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * 
+ *
  * Catacomb is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Library General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU Library General Public
  * License along with Catacomb; if not, write to the Free
  * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
@@ -31,6 +31,7 @@
 
 #include "config.h"
 
+#include <ctype.h>
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -46,6 +47,7 @@
 #include <noise.h>
 #include <rand.h>
 
+#include "bintab.h"
 #include "bbs.h"
 #include "dh.h"
 #include "dsa.h"
@@ -55,6 +57,7 @@
 #include "ectab.h"
 #include "fibrand.h"
 #include "getdate.h"
+#include "gfreduce.h"
 #include "key.h"
 #include "mp.h"
 #include "mpmont.h"
@@ -64,6 +67,7 @@
 #include "ptab.h"
 #include "rsa.h"
 
+#include "cc.h"
 #include "sha-mgf.h"
 #include "sha256-mgf.h"
 #include "sha224-mgf.h"
@@ -156,17 +160,17 @@ static void setattr(key_file *f, key *k, char *v[])
 
 const struct seedalg { const char *p; grand *(*gen)(const void *, size_t); }
 seedtab[] = {
-  { "dsarand", 	dsarand_create },
-  { "rmd128-mgf",  rmd128_mgfrand },
-  { "rmd160-mgf",  rmd160_mgfrand },
-  { "rmd256-mgf",  rmd256_mgfrand },
-  { "rmd320-mgf",  rmd320_mgfrand },
-  { "sha-mgf",  sha_mgfrand },
-  { "sha224-mgf",  sha224_mgfrand },
-  { "sha256-mgf",  sha256_mgfrand },
-  { "sha384-mgf",  sha384_mgfrand },
-  { "sha512-mgf",  sha512_mgfrand },
-  { "tiger-mgf",  tiger_mgfrand },
+  { "dsarand", dsarand_create },
+  { "rmd128-mgf", rmd128_mgfrand },
+  { "rmd160-mgf", rmd160_mgfrand },
+  { "rmd256-mgf", rmd256_mgfrand },
+  { "rmd320-mgf", rmd320_mgfrand },
+  { "sha-mgf", sha_mgfrand },
+  { "sha224-mgf", sha224_mgfrand },
+  { "sha256-mgf", sha256_mgfrand },
+  { "sha384-mgf", sha384_mgfrand },
+  { "sha512-mgf", sha512_mgfrand },
+  { "tiger-mgf", tiger_mgfrand },
   { 0, 0 }
 };
 
@@ -193,11 +197,12 @@ typedef struct keyopts {
 #define f_limlee 8u			/* Generate Lim-Lee primes */
 #define f_subgroup 16u			/* Generate a subgroup */
 #define f_retag 32u			/* Remove any existing tag */
+#define f_kcdsa 64u			/* Generate KCDSA primes */
 
 /* --- @dolock@ --- *
  *
  * Arguments:	@keyopts *k@ = key generation options
- *		@key_data *kd@ = pointer to key data to lock
+ *		@key_data **kd@ = pointer to key data to lock
  *		@const char *t@ = tag suffix or null
  *
  * Returns:	---
@@ -205,35 +210,16 @@ typedef struct keyopts {
  * Use:		Does passphrase locking on new keys.
  */
 
-static void dolock(keyopts *k, key_data *kd, const char *t)
+static void dolock(keyopts *k, key_data **kd, const char *t)
 {
   if (!(k->f & f_lock))
     return;
   if (t)
     dstr_putf(&k->tag, ".%s", t);
-  if (key_plock(k->tag.buf, kd, kd))
+  if (key_plock(kd, 0, k->tag.buf))
     die(EXIT_FAILURE, "couldn't lock key");
 }
 
-/* --- @mpkey@ --- *
- *
- * Arguments:	@key_data *kd@ = pointer to parent key block
- *		@const char *tag@ = pointer to tag string
- *		@mp *m@ = integer to store
- *		@unsigned f@ = flags to set
- *
- * Returns:	---
- *
- * Use:		Sets a multiprecision integer subkey.
- */
-
-static void mpkey(key_data *kd, const char *tag, mp *m, unsigned f)
-{
-  key_data *kkd = key_structcreate(kd, tag);
-  key_mp(kkd, m);
-  kkd->e |= f;
-}
-
 /* --- @copyparam@ --- *
  *
  * Arguments:	@keyopts *k@ = pointer to key options
@@ -249,8 +235,12 @@ static int copyparam(keyopts *k, const char **pp)
 {
   key_filter kf;
   key_attriter i;
+  key_data *kd;
   const char *n, *v;
 
+  kf.f = KCAT_SHARE;
+  kf.m = KF_CATMASK;
+
   /* --- Quick check if no parameters supplied --- */
 
   if (!k->p)
@@ -259,20 +249,20 @@ static int copyparam(keyopts *k, const char **pp)
   /* --- Run through the checklist --- */
 
   while (*pp) {
-    key_data *kd = key_structfind(&k->p->k, *pp);
+    key_data *kd = key_structfind(k->p->k, *pp);
     if (!kd)
       die(EXIT_FAILURE, "bad parameter key: parameter `%s' not found", *pp);
-    if ((kd->e & KF_CATMASK) != KCAT_SHARE)
+    if (!KEY_MATCH(kd, &kf))
       die(EXIT_FAILURE, "bad parameter key: subkey `%s' is not shared", *pp);
     pp++;
   }
 
   /* --- Copy over the parameters --- */
 
-  kf.f = KCAT_SHARE;
-  kf.m = KF_CATMASK;
-  if (!key_copy(&k->k->k, &k->p->k, &kf))
-    die(EXIT_FAILURE, "unexpected failure while copying parameters");
+  kd = key_copydata(k->p->k, &kf);
+  assert(kd);
+  key_setkeydata(k->kf, k->k, kd);
+  key_drop(kd);
 
   /* --- Copy over attributes --- */
 
@@ -327,7 +317,8 @@ static void keyrand(key_file *kf, const char *id)
     k = key_bytype(kf, "catacomb-rand");
 
   if (k) {
-    key_data *kd = &k->k, kkd;
+    key_data *kd = k->k, *kkd;
+    key_incref(kd);
 
   again:
     switch (kd->e & KF_ENCMASK) {
@@ -336,10 +327,11 @@ static void keyrand(key_file *kf, const char *id)
       case KENC_ENCRYPT: {
 	dstr d = DSTR_INIT;
 	key_fulltag(k, &d);
-	if (key_punlock(d.buf, kd, &kkd))
+	if (key_punlock(&kkd, kd, d.buf))
 	  die(EXIT_FAILURE, "error unlocking key `%s'", d.buf);
 	dstr_destroy(&d);
-	kd = &kkd;
+	key_drop(kd);
+	kd = kkd;
       } goto again;
       default: {
 	dstr d = DSTR_INIT;
@@ -351,8 +343,7 @@ static void keyrand(key_file *kf, const char *id)
     /* --- Key the generator --- */
 
     rand_key(RAND_GLOBAL, kd->u.k.k, kd->u.k.sz);
-    if (kd == &kkd)
-      key_destroy(&kkd);
+    key_drop(kd);
   }
 }
 
@@ -362,6 +353,7 @@ static void alg_binary(keyopts *k)
 {
   unsigned sz;
   unsigned m;
+  key_data *kd;
   octet *p;
 
   if (!k->bits)
@@ -374,17 +366,19 @@ static void alg_binary(keyopts *k)
   m = (1 << (((k->bits - 1) & 7) + 1)) - 1;
   k->r->ops->fill(k->r, p, sz);
   *p &= m;
-  key_binary(&k->k->k, p, sz);
-  k->k->k.e |= KCAT_SYMM | KF_BURN;
+  kd = key_newbinary(KCAT_SYMM | KF_BURN, p, sz);
   memset(p, 0, sz);
+  dolock(k, &kd, 0);
+  key_setkeydata(k->kf, k->k, kd);
+  key_drop(kd);
   sub_free(p, sz);
-  dolock(k, &k->k->k, 0);
 }
 
 static void alg_des(keyopts *k)
 {
   unsigned sz;
   octet *p;
+  key_data *kd;
   int i;
 
   if (!k->bits)
@@ -404,17 +398,18 @@ static void alg_des(keyopts *k)
     x = x ^ (x >> 1);
     p[i] = (p[i] & 0xfe) | (x & 0x01);
   }
-  key_binary(&k->k->k, p, sz);
-  k->k->k.e |= KCAT_SYMM | KF_BURN;
+  kd = key_newbinary(KCAT_SYMM | KF_BURN, p, sz);
   memset(p, 0, sz);
+  dolock(k, &kd, 0);
+  key_setkeydata(k->kf, k->k, kd);
+  key_drop(kd);
   sub_free(p, sz);
-  dolock(k, &k->k->k, 0);
 }
 
 static void alg_rsa(keyopts *k)
 {
   rsa_priv rp;
-  key_data *kd;
+  key_data *kd, *kkd;
 
   /* --- Sanity checking --- */
 
@@ -451,21 +446,21 @@ static void alg_rsa(keyopts *k)
 
   /* --- Allrighty then --- */
 
-  kd = &k->k->k;
-  key_structure(kd);
-  mpkey(kd, "n", rp.n, KCAT_PUB);
-  mpkey(kd, "e", rp.e, KCAT_PUB);
-
-  kd = key_structcreate(kd, "private");
-  key_structure(kd);
-  mpkey(kd, "d", rp.d, KCAT_PRIV | KF_BURN);
-  mpkey(kd, "p", rp.p, KCAT_PRIV | KF_BURN);
-  mpkey(kd, "q", rp.q, KCAT_PRIV | KF_BURN);
-  mpkey(kd, "q-inv", rp.q_inv, KCAT_PRIV | KF_BURN);
-  mpkey(kd, "d-mod-p", rp.dp, KCAT_PRIV | KF_BURN);
-  mpkey(kd, "d-mod-q", rp.dq, KCAT_PRIV | KF_BURN);
-  dolock(k, kd, "private");
-
+  kd = key_newstruct();
+  key_structsteal(kd, "n", key_newmp(KCAT_PUB, rp.n));
+  key_structsteal(kd, "e", key_newmp(KCAT_PUB, rp.e));
+
+  kkd = key_newstruct();
+  key_structsteal(kkd, "d", key_newmp(KCAT_PRIV | KF_BURN, rp.d));
+  key_structsteal(kkd, "p", key_newmp(KCAT_PRIV | KF_BURN, rp.p));
+  key_structsteal(kkd, "q", key_newmp(KCAT_PRIV | KF_BURN, rp.q));
+  key_structsteal(kkd, "q-inv", key_newmp(KCAT_PRIV | KF_BURN, rp.q_inv));
+  key_structsteal(kkd, "d-mod-p", key_newmp(KCAT_PRIV | KF_BURN, rp.dp));
+  key_structsteal(kkd, "d-mod-q", key_newmp(KCAT_PRIV | KF_BURN, rp.dq));
+  dolock(k, &kkd, "private");
+  key_structsteal(kd, "private", kkd);
+  key_setkeydata(k->kf, k->k, kd);
+  key_drop(kd);
   rsa_privfree(&rp);
 }
 
@@ -478,7 +473,7 @@ static void alg_dsaparam(keyopts *k)
     size_t sz;
     dstr d = DSTR_INIT;
     base64_ctx c;
-    key_data *kd = &k->k->k;
+    key_data *kd;
     dsa_seed ds;
 
     /* --- Choose appropriate bit lengths if necessary --- */
@@ -486,7 +481,7 @@ static void alg_dsaparam(keyopts *k)
     if (!k->qbits)
       k->qbits = 160;
     if (!k->bits)
-      k->bits = 768;
+      k->bits = 1024;
 
     /* --- Allocate a seed block --- */
 
@@ -502,13 +497,15 @@ static void alg_dsaparam(keyopts *k)
 
     /* --- Store the parameters --- */
 
-    key_structure(kd);
-    mpkey(kd, "q", dp.q, KCAT_SHARE);
-    mpkey(kd, "p", dp.p, KCAT_SHARE);
-    mpkey(kd, "g", dp.g, KCAT_SHARE);
+    kd = key_newstruct();
+    key_structsteal(kd, "q", key_newmp(KCAT_SHARE, dp.q));
+    key_structsteal(kd, "p", key_newmp(KCAT_SHARE, dp.p));
+    key_structsteal(kd, "g", key_newmp(KCAT_SHARE, dp.g));
     mp_drop(dp.q);
     mp_drop(dp.p);
     mp_drop(dp.g);
+    key_setkeydata(k->kf, k->k, kd);
+    key_drop(kd);
 
     /* --- Store the seed for future verification --- */
 
@@ -517,6 +514,7 @@ static void alg_dsaparam(keyopts *k)
     c.indent = "";
     base64_encode(&c, ds.p, ds.sz, &d);
     base64_encode(&c, 0, 0, &d);
+    DPUTZ(&d);
     key_putattr(k->kf, k->k, "seed", d.buf);
     DRESET(&d);
     dstr_putf(&d, "%u", ds.count);
@@ -532,11 +530,12 @@ static void alg_dsa(keyopts *k)
   mp *q, *p, *g;
   mp *x, *y;
   mpmont mm;
-  key_data *kd = &k->k->k;
+  key_data *kd, *kkd;
 
   /* --- Get the shared parameters --- */
 
   alg_dsaparam(k);
+  key_split(&k->k->k); kd = k->k->k;
   q = getmp(kd, "q");
   p = getmp(kd, "p");
   g = getmp(kd, "g");
@@ -549,12 +548,12 @@ static void alg_dsa(keyopts *k)
 
   /* --- Store everything away --- */
 
-  mpkey(kd, "y", y, KCAT_PUB);
+  key_structsteal(kd, "y", key_newmp(KCAT_PUB, y));
 
-  kd = key_structcreate(kd, "private");
-  key_structure(kd);
-  mpkey(kd, "x", x, KCAT_PRIV | KF_BURN);
-  dolock(k, kd, "private");
+  kkd = key_newstruct();
+  key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+  dolock(k, &kkd, "private");
+  key_structsteal(kd, "private", kkd);
 
   mp_drop(x); mp_drop(y);
 }
@@ -562,24 +561,31 @@ static void alg_dsa(keyopts *k)
 static void alg_dhparam(keyopts *k)
 {
   static const char *pl[] = { "p", "q", "g", 0 };
-  key_data *kd = &k->k->k;
+  key_data *kd;
   if (!copyparam(k, pl)) {
     dh_param dp;
     int rc;
 
     if (k->curve) {
       qd_parse qd;
-      
+      group *g;
+      const char *e;
+
       if (strcmp(k->curve, "list") == 0) {
-	const pentry *pe;
-	printf("Built-in prime groups:\n");
-	for (pe = ptab; pe->name; pe++)
-	  printf("  %s\n", pe->name);
+	unsigned i, w;
+	LIST("Built-in prime fields", stdout, ptab[i].name, ptab[i].name);
 	exit(0);
       }
       qd.p = k->curve;
       if (dh_parse(&qd, &dp))
-	die(EXIT_FAILURE, "error in group spec: %s", qd.e);
+	die(EXIT_FAILURE, "error in field spec: %s", qd.e);
+      if (!qd_eofp(&qd))
+	die(EXIT_FAILURE, "junk at end of field spec");
+      if ((g = group_prime(&dp)) == 0)
+	die(EXIT_FAILURE, "invalid prime field");
+      if (!(k->f & f_quiet) && (e = G_CHECK(g, &rand_global)) != 0)
+	moan("WARNING!	group check failed: %s", e);
+      G_DESTROYGROUP(g);
       goto done;
     }
 
@@ -609,6 +615,24 @@ static void alg_dhparam(keyopts *k)
 	key_putattr(k->kf, k->k, "factors", d.buf);
 	dstr_destroy(&d);
       }
+    } else if (k->f & f_kcdsa) {
+      if (!k->qbits)
+	k->qbits = 256;
+      rc = dh_kcdsagen(&dp, k->qbits, k->bits, 0,
+		       0, k->r, (k->f & f_quiet) ? 0 : pgen_ev, 0);
+      if (!rc) {
+	dstr d = DSTR_INIT;
+	mp *v = MP_NEW;
+
+	mp_writedstr(dp.q, &d, 10);
+	mp_div(&v, 0, dp.p, dp.q);
+	v = mp_lsr(v, v, 1);
+	dstr_puts(&d, ", ");
+	mp_writedstr(v, &d, 10);
+	mp_drop(v);
+	key_putattr(k->kf, k->k, "factors", d.buf);
+	dstr_destroy(&d);
+      }
     } else
       rc = dh_gen(&dp, k->qbits, k->bits, 0, k->r,
 		  (k->f & f_quiet) ? 0 : pgen_ev, 0);
@@ -617,13 +641,15 @@ static void alg_dhparam(keyopts *k)
       die(EXIT_FAILURE, "Diffie-Hellman parameter generation failed");
 
   done:
-    key_structure(kd);
-    mpkey(kd, "p", dp.p, KCAT_SHARE);
-    mpkey(kd, "q", dp.q, KCAT_SHARE);
-    mpkey(kd, "g", dp.g, KCAT_SHARE);
+    kd = key_newstruct();
+    key_structsteal(kd, "p", key_newmp(KCAT_SHARE, dp.p));
+    key_structsteal(kd, "q", key_newmp(KCAT_SHARE, dp.q));
+    key_structsteal(kd, "g", key_newmp(KCAT_SHARE, dp.g));
     mp_drop(dp.q);
     mp_drop(dp.p);
     mp_drop(dp.g);
+    key_setkeydata(k->kf, k->k, kd);
+    key_drop(kd);
   }
 }
 
@@ -632,11 +658,12 @@ static void alg_dh(keyopts *k)
   mp *x, *y;
   mp *p, *q, *g;
   mpmont mm;
-  key_data *kd = &k->k->k;
+  key_data *kd, *kkd;
 
   /* --- Get the shared parameters --- */
 
   alg_dhparam(k);
+  key_split(&k->k->k); kd = k->k->k;
   p = getmp(kd, "p");
   q = getmp(kd, "q");
   g = getmp(kd, "g");
@@ -656,12 +683,12 @@ static void alg_dh(keyopts *k)
 
   /* --- Store everything away --- */
 
-  mpkey(kd, "y", y, KCAT_PUB);
+  key_structsteal(kd, "y", key_newmp(KCAT_PUB, y));
 
-  kd = key_structcreate(kd, "private");
-  key_structure(kd);
-  mpkey(kd, "x", x, KCAT_PRIV | KF_BURN);
-  dolock(k, kd, "private");
+  kkd = key_newstruct();
+  key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+  dolock(k, &kkd, "private");
+  key_structsteal(kd, "private", kkd);
 
   mp_drop(x); mp_drop(y);
 }
@@ -669,7 +696,7 @@ static void alg_dh(keyopts *k)
 static void alg_bbs(keyopts *k)
 {
   bbs_priv bp;
-  key_data *kd;
+  key_data *kd, *kkd;
 
   /* --- Sanity checking --- */
 
@@ -686,35 +713,136 @@ static void alg_bbs(keyopts *k)
 
   /* --- Allrighty then --- */
 
-  kd = &k->k->k;
-  key_structure(kd);
-  mpkey(kd, "n", bp.n, KCAT_PUB);
+  kd = key_newstruct();
+  key_structsteal(kd, "n", key_newmp(KCAT_PUB, bp.n));
 
-  kd = key_structcreate(kd, "private");
-  key_structure(kd);
-  mpkey(kd, "p", bp.p, KCAT_PRIV | KF_BURN);
-  mpkey(kd, "q", bp.q, KCAT_PRIV | KF_BURN);
-  dolock(k, kd, "private");
+  kkd = key_newstruct();
+  key_structsteal(kkd, "p", key_newmp(KCAT_PRIV | KF_BURN, bp.p));
+  key_structsteal(kkd, "q", key_newmp(KCAT_PRIV | KF_BURN, bp.q));
+  dolock(k, &kkd, "private");
+  key_structsteal(kd, "private", kkd);
+  key_setkeydata(k->kf, k->k, kd);
+  key_drop(kd);
 
   bbs_privfree(&bp);
 }
 
+static void alg_binparam(keyopts *k)
+{
+  static const char *pl[] = { "p", "q", "g", 0 };
+  if (!copyparam(k, pl)) {
+    gbin_param gb;
+    qd_parse qd;
+    group *g;
+    const char *e;
+    key_data *kd;
+
+    /* --- Decide on a field --- */
+
+    if (!k->bits) k->bits = 128;
+    if (k->curve && strcmp(k->curve, "list") == 0) {
+      unsigned i, w;
+      LIST("Built-in binary fields", stdout,
+	   bintab[i].name, bintab[i].name);
+      exit(0);
+    }
+    if (!k->curve) {
+      if (k->bits <= 40) k->curve = "p1363-40";
+      else if (k->bits <= 56) k->curve = "p1363-56";
+      else if (k->bits <= 64) k->curve = "p1363-64";
+      else if (k->bits <= 80) k->curve = "p1363-80";
+      else if (k->bits <= 112) k->curve = "p1363-112";
+      else if (k->bits <= 128) k->curve = "p1363-128";
+      else {
+	die(EXIT_FAILURE,
+	    "no built-in binary fields provide %u-bit security",
+	    k->bits);
+      }
+    }
+
+    /* --- Check it --- */
+
+    qd.e = 0;
+    qd.p = k->curve;
+    if (dhbin_parse(&qd, &gb))
+      die(EXIT_FAILURE, "error in field spec: %s", qd.e);
+    if (!qd_eofp(&qd))
+      die(EXIT_FAILURE, "junk at end of field spec");
+    if ((g = group_binary(&gb)) == 0)
+      die(EXIT_FAILURE, "invalid binary field");
+    if (!(k->f & f_quiet) && (e = G_CHECK(g, &rand_global)) != 0)
+      moan("WARNING!  group check failed: %s", e);
+    G_DESTROYGROUP(g);
+
+    /* --- Write out the answer --- */
+
+    kd = key_newstruct();
+    key_structsteal(kd, "p", key_newmp(KCAT_SHARE, gb.p));
+    key_structsteal(kd, "q", key_newmp(KCAT_SHARE, gb.q));
+    key_structsteal(kd, "g", key_newmp(KCAT_SHARE, gb.g));
+    mp_drop(gb.q);
+    mp_drop(gb.p);
+    mp_drop(gb.g);
+    key_setkeydata(k->kf, k->k, kd);
+    key_drop(kd);
+  }
+}
+
+static void alg_bin(keyopts *k)
+{
+  mp *x, *y;
+  mp *p, *q, *g;
+  gfreduce r;
+  key_data *kd, *kkd;
+
+  /* --- Get the shared parameters --- */
+
+  alg_binparam(k);
+  key_split(&k->k->k); kd = k->k->k;
+  p = getmp(kd, "p");
+  q = getmp(kd, "q");
+  g = getmp(kd, "g");
+
+  /* --- Choose a suitable private key --- *
+   *
+   * Since %$g$% has order %$q$%, choose %$x < q$%.
+   */
+
+  x = mprand_range(MP_NEWSEC, q, k->r, 0);
+
+  /* --- Compute the public key %$y = g^x \bmod p$% --- */
+
+  gfreduce_create(&r, p);
+  y = gfreduce_exp(&r, MP_NEW, g, x);
+  gfreduce_destroy(&r);
+
+  /* --- Store everything away --- */
+
+  key_structsteal(kd, "y", key_newmp(KCAT_PUB, y));
+
+  kkd = key_newstruct();
+  key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+  dolock(k, &kkd, "private");
+  key_structsteal(kd, "private", kkd);
+
+  mp_drop(x); mp_drop(y);
+}
+
 static void alg_ecparam(keyopts *k)
 {
   static const char *pl[] = { "curve", 0 };
   if (!copyparam(k, pl)) {
     ec_info ei;
     const char *e;
-    key_data *kd = &k->k->k;
+    key_data *kd;
 
     /* --- Decide on a curve --- */
 
     if (!k->bits) k->bits = 256;
     if (k->curve && strcmp(k->curve, "list") == 0) {
-      const ecentry *ee;
-      printf("Built-in elliptic curves:\n");
-      for (ee = ectab; ee->name; ee++)
-	printf("  %s\n", ee->name);
+      unsigned i, w;
+      LIST("Built-in elliptic curves", stdout,
+	   ectab[i].name, ectab[i].name);
       exit(0);
     }
     if (!k->curve) {
@@ -741,16 +869,16 @@ static void alg_ecparam(keyopts *k)
 
     /* --- Write out the answer --- */
 
-    key_structure(kd);
-    kd = key_structcreate(kd, "curve");
-    key_string(kd, k->curve);
-    kd->e |= KCAT_SHARE;
+    kd = key_newstruct();
+    key_structsteal(kd, "curve", key_newstring(KCAT_SHARE, k->curve));
+    key_setkeydata(k->kf, k->k, kd);
+    key_drop(kd);
   }
 }
 
 static void alg_ec(keyopts *k)
 {
-  key_data *kd = &k->k->k;
+  key_data *kd;
   key_data *kkd;
   mp *x = MP_NEW;
   ec p = EC_INIT;
@@ -760,6 +888,7 @@ static void alg_ec(keyopts *k)
   /* --- Get the curve --- */
 
   alg_ecparam(k);
+  key_split(&k->k->k); kd = k->k->k;
   if ((kkd = key_structfind(kd, "curve")) == 0)
     die(EXIT_FAILURE, "unexpected failure looking up subkey `curve')");
   if ((kkd->e & KF_ENCMASK) != KENC_STRING)
@@ -774,12 +903,12 @@ static void alg_ec(keyopts *k)
 
   /* --- Store everything away --- */
 
-  kkd = key_structcreate(kd, "p");
-  key_ec(kkd, &p);
-  kkd->e |= KCAT_PUB;
-  kkd = key_structcreate(kd, "private");
-  key_structure(kkd);
-  mpkey(kkd, "x", x, KCAT_PRIV | KF_BURN);
+  key_structsteal(kd, "p", key_newec(KCAT_PUB, &p));
+
+  kkd = key_newstruct();
+  key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+  dolock(k, &kkd, "private");
+  key_structsteal(kd, "private", kkd);
 
   /* --- Done --- */
 
@@ -799,11 +928,13 @@ static keyalg algtab[] = {
   { "binary",		alg_binary,	"Plain binary data" },
   { "des",		alg_des,	"Binary with DES-style parity" },
   { "rsa",		alg_rsa,	"RSA public-key encryption" },
+  { "bbs",		alg_bbs,	"Blum-Blum-Shub generator" },
   { "dsa",		alg_dsa,	"DSA digital signatures" },
   { "dsa-param",	alg_dsaparam,	"DSA shared parameters" },
   { "dh",		alg_dh,		"Diffie-Hellman key exchange" },
   { "dh-param",		alg_dhparam,	"Diffie-Hellman parameters" },
-  { "bbs",		alg_bbs,	"Blum-Blum-Shub generator" },
+  { "bindh",		alg_bin,	"DH over a binary field" },
+  { "bindh-param",	alg_binparam,	"Binary-field DH parameters" },
   { "ec-param",		alg_ecparam,	"Elliptic curve parameters" },
   { "ec",		alg_ec,		"Elliptic curve crypto" },
   { 0,			0 }
@@ -815,6 +946,7 @@ static int cmd_add(int argc, char *argv[])
 {
   key_file f;
   time_t exp = KEXP_EXPIRE;
+  uint32 kid = rand_global.ops->word(&rand_global);
   const char *tag = 0, *ptag = 0;
   const char *c = 0;
   keyalg *alg = algtab;
@@ -836,6 +968,7 @@ static int cmd_add(int argc, char *argv[])
       { "comment",	OPTF_ARGREQ,	0,	'c' },
       { "tag",		OPTF_ARGREQ,	0,	't' },
       { "rand-id",	OPTF_ARGREQ,	0,	'R' },
+      { "key-id",	OPTF_ARGREQ,	0,	'I' },
       { "curve",	OPTF_ARGREQ,	0,	'C' },
       { "seedalg",	OPTF_ARGREQ,	0,	'A' },
       { "seed",		OPTF_ARGREQ,	0,	's' },
@@ -844,9 +977,10 @@ static int cmd_add(int argc, char *argv[])
       { "quiet",	0,		0,	'q' },
       { "lim-lee",	0,		0,	'L' },
       { "subgroup",	0,		0,	'S' },
+      { "kcdsa",	0,		0,	'K' },
       { 0,		0,		0,	0 }
     };
-    int i = mdwopt(argc, argv, "+a:b:B:p:e:c:t:R:C:A:s:n:lqrLS",
+    int i = mdwopt(argc, argv, "+a:b:B:p:e:c:t:R:I:C:A:s:n:lqrLKS",
 		   opt, 0, 0, 0);
     if (i < 0)
       break;
@@ -908,7 +1042,7 @@ static int cmd_add(int argc, char *argv[])
       /* --- Expiry dates get passed to @get_date@ for parsing --- */
 
       case 'e':
-	if (strncmp(optarg, "forever", strlen(optarg)) == 0)
+	if (strcmp(optarg, "forever") == 0)
 	  exp = KEXP_FOREVER;
 	else {
 	  exp = get_date(optarg, 0);
@@ -965,7 +1099,7 @@ static int cmd_add(int argc, char *argv[])
       case 's': {
 	base64_ctx b;
 	dstr d = DSTR_INIT;
-	if (seed) die(EXIT_FAILURE, "seed already set"); 
+	if (seed) die(EXIT_FAILURE, "seed already set");
 	base64_init(&b);
 	base64_decode(&b, optarg, strlen(optarg), &d);
 	base64_decode(&b, 0, 0, &d);
@@ -973,7 +1107,7 @@ static int cmd_add(int argc, char *argv[])
 	seed = optarg;
 	dstr_destroy(&d);
       } break;
-	
+
       case 'n': {
 	base64_ctx b;
 	dstr d = DSTR_INIT;
@@ -981,7 +1115,7 @@ static int cmd_add(int argc, char *argv[])
 	unsigned n = strtoul(optarg, &p, 0);
 	if (n == 0 || *p != 0 || n % 8 != 0)
 	  die(EXIT_FAILURE, "bad seed length `%s'", optarg);
-	if (seed) die(EXIT_FAILURE, "seed already set"); 
+	if (seed) die(EXIT_FAILURE, "seed already set");
 	n /= 8;
 	p = xmalloc(n);
 	rand_get(RAND_GLOBAL, p, n);
@@ -991,7 +1125,20 @@ static int cmd_add(int argc, char *argv[])
 	seed = d.buf;
 	k.r = sa->gen(p, n);
       } break;
-	
+
+      /* --- Key id --- */
+
+      case 'I': {
+	char *p;
+	unsigned long id;
+
+	errno = 0;
+	id = strtoul(optarg, &p, 16);
+	if (errno || *p || id > MASK32)
+	  die(EXIT_FAILURE, "bad key-id `%s'", optarg);
+	kid = id;
+      } break;
+
       /* --- Other flags --- */
 
       case 'R':
@@ -1006,6 +1153,9 @@ static int cmd_add(int argc, char *argv[])
       case 'L':
 	k.f |= f_limlee;
 	break;
+      case 'K':
+	k.f |= f_kcdsa;
+	break;
       case 'S':
 	k.f |= f_subgroup;
 	break;
@@ -1022,7 +1172,7 @@ static int cmd_add(int argc, char *argv[])
 
   if ((k.f & f_bogus) || optind + 1 > argc) {
     die(EXIT_FAILURE,
-	"Usage: add [options] type [attr...]");
+	"Usage: add [OPTIONS] TYPE [ATTR...]");
   }
   if (key_chkident(argv[optind]))
     die(EXIT_FAILURE, "bad key type `%s'", argv[optind]);
@@ -1045,12 +1195,10 @@ static int cmd_add(int argc, char *argv[])
   keyrand(&f, rtag);
 
   for (;;) {
-    uint32 id = rand_global.ops->word(&rand_global);
     int err;
-    k.k = key_new(&f, id, argv[optind], exp, &err);
-    if (k.k)
+    if ((err = key_new(&f, kid, argv[optind], exp, &k.k)) == 0)
       break;
-    if (err != KERR_DUPID)
+    else if (err != KERR_DUPID)
       die(EXIT_FAILURE, "error adding new key: %s", key_strerror(err));
   }
 
@@ -1060,7 +1208,9 @@ static int cmd_add(int argc, char *argv[])
     int err;
     key *kk;
     if (k.f & f_retag) {
-      if ((kk = key_bytag(&f, tag)) != 0 && strcmp(kk->tag, tag) == 0)
+      if ((kk = key_bytag(&f, tag)) != 0 &&
+	  kk->tag &&
+	  strcmp(kk->tag, tag) == 0)
 	key_settag(&f, kk, 0);
     }
     if ((err = key_settag(&f, k.k, tag)) != 0)
@@ -1086,7 +1236,7 @@ static int cmd_add(int argc, char *argv[])
   if (ptag) {
     if ((k.p = key_bytag(&f, ptag)) == 0)
       die(EXIT_FAILURE, "parameter key `%s' not found", ptag);
-    if ((k.p->k.e & KF_ENCMASK) != KENC_STRUCT)
+    if ((k.p->k->e & KF_ENCMASK) != KENC_STRUCT)
       die(EXIT_FAILURE, "parameter key `%s' is not structured", ptag);
   }
 
@@ -1096,6 +1246,7 @@ static int cmd_add(int argc, char *argv[])
 
   /* --- Done --- */
 
+  dstr_destroy(&k.tag);
   doclose(&f);
   return (0);
 }
@@ -1178,13 +1329,13 @@ static void showkeydata(key_data *k, int ind, listopts *o, dstr *d)
       if (o->v <= 3)
 	fputs(" encrypted\n", stdout);
       else {
-	key_data kd;
-	if (key_punlock(d->buf, k, &kd))
+	key_data *kd;
+	if (key_punlock(&kd, k, d->buf))
 	  printf(" <failed to unlock %s>\n", d->buf);
 	else {
 	  fputs(" encrypted", stdout);
-	  showkeydata(&kd, ind, o, d);
-	  key_destroy(&kd);
+	  showkeydata(kd, ind, o, d);
+	  key_drop(kd);
 	}
       }
       break;
@@ -1217,7 +1368,7 @@ static void showkeydata(key_data *k, int ind, listopts *o, dstr *d)
 	fputs(", 0x", stdout); mp_writefile(k->u.e.y, stdout, 16);
 	putchar('\n');
       }
-      break;      
+      break;
 
     /* --- Structured keys --- *
      *
@@ -1225,23 +1376,23 @@ static void showkeydata(key_data *k, int ind, listopts *o, dstr *d)
      */
 
     case KENC_STRUCT: {
-      sym_iter i;
-      key_struct *ks;
+      key_subkeyiter i;
+      const char *tag;
       size_t n = d->len;
 
       fputs(" {\n", stdout);
-      for (sym_mkiter(&i, &k->u.s); (ks = sym_next(&i)) != 0; ) {
-	if (!key_match(&ks->k, &o->kf))
+      for (key_mksubkeyiter(&i, k); key_nextsubkey(&i, &tag, &k); ) {
+	if (!key_match(k, &o->kf))
 	  continue;
 	INDENT(ind + 2);
-	printf("%s =", SYM_NAME(ks));
+	printf("%s =", tag);
 	d->len = n;
-	dstr_putf(d, ".%s", SYM_NAME(ks));
-	showkeydata(&ks->k, ind + 2, o, d);
+	dstr_putf(d, ".%s", tag);
+	showkeydata(k, ind + 2, o, d);
       }
       INDENT(ind);
       fputs("}\n", stdout);
-    } break;      
+    } break;
   }
 
 #undef INDENT
@@ -1264,7 +1415,7 @@ static void showkey(key *k, listopts *o)
 
   /* --- Skip the key if the filter doesn't match --- */
 
-  if (!key_match(&k->k, &o->kf))
+  if (!key_match(k->k, &o->kf))
     return;
 
   /* --- Sort out the expiry and deletion times --- */
@@ -1291,10 +1442,10 @@ static void showkey(key *k, listopts *o)
 
   if (!o->v) {
     if (!(o->f & f_newline)) {
-      printf("%8s  %-20s  %-20s  %-10s  %-10s\n",
+      printf("%8s  %-20s  %-20s  %-10s  %s\n",
 	     "Id", "Tag", "Type", "Expire", "Delete");
     }
-    printf("%08lx  %-20s  %-20s  %-10s  %-10s\n",
+    printf("%08lx  %-20s  %-20s  %-10s  %s\n",
 	   (unsigned long)k->id, k->tag ? k->tag : "<none>",
 	   k->type, ebuf, dbuf);
     o->f |= f_newline;
@@ -1336,10 +1487,10 @@ static void showkey(key *k, listopts *o)
     dstr d = DSTR_INIT;
     fputs("key:", stdout);
     key_fulltag(k, &d);
-    showkeydata(&k->k, 0, o, &d);
+    showkeydata(k->k, 0, o, &d);
     dstr_destroy(&d);
   }
-    
+
   o->f |= f_newline;
 }
 
@@ -1381,7 +1532,7 @@ static int cmd_list(int argc, char *argv[])
 	int e = key_readflags(optarg, &p, &o.kf.f, &o.kf.m);
 	if (e || *p)
 	  die(EXIT_FAILURE, "bad filter string `%s'", optarg);
-      } break;	
+      } break;
       default:
 	o.f |= f_bogus;
 	break;
@@ -1389,7 +1540,7 @@ static int cmd_list(int argc, char *argv[])
   }
 
   if (o.f & f_bogus)
-    die(EXIT_FAILURE, "Usage: list [-uqv] [-f filter] [tag...]");
+    die(EXIT_FAILURE, "Usage: list [-uqv] [-f FILTER] [TAG...]");
 
   /* --- Open the key file --- */
 
@@ -1447,7 +1598,7 @@ static int cmd_expire(int argc, char *argv[])
   int rc = 0;
 
   if (argc < 2)
-    die(EXIT_FAILURE, "Usage: expire tag...");
+    die(EXIT_FAILURE, "Usage: expire TAG...");
   doopen(&f, KOPEN_WRITE);
   for (i = 1; i < argc; i++) {
     if ((k = key_bytag(&f, argv[i])) != 0)
@@ -1471,7 +1622,7 @@ static int cmd_delete(int argc, char *argv[])
   int rc = 0;
 
   if (argc < 2)
-    die(EXIT_FAILURE, "Usage: delete tag...");
+    die(EXIT_FAILURE, "Usage: delete TAG...");
   doopen(&f, KOPEN_WRITE);
   for (i = 1; i < argc; i++) {
     if ((k = key_bytag(&f, argv[i])) != 0)
@@ -1493,7 +1644,7 @@ static int cmd_setattr(int argc, char *argv[])
   key *k;
 
   if (argc < 3)
-    die(EXIT_FAILURE, "Usage: setattr tag attr...");
+    die(EXIT_FAILURE, "Usage: setattr TAG ATTR...");
   doopen(&f, KOPEN_WRITE);
   if ((k = key_bytag(&f, argv[1])) == 0)
     die(EXIT_FAILURE, "key `%s' not found", argv[1]);
@@ -1502,6 +1653,29 @@ static int cmd_setattr(int argc, char *argv[])
   return (0);
 }
 
+/* --- @cmd_getattr@ --- */
+
+static int cmd_getattr(int argc, char *argv[])
+{
+  key_file f;
+  key *k;
+  dstr d = DSTR_INIT;
+  const char *p;
+
+  if (argc != 3)
+    die(EXIT_FAILURE, "Usage: getattr TAG ATTR");
+  doopen(&f, KOPEN_READ);
+  if ((k = key_bytag(&f, argv[1])) == 0)
+    die(EXIT_FAILURE, "key `%s' not found", argv[1]);
+  key_fulltag(k, &d);
+  if ((p = key_getattr(&f, k, argv[2])) == 0)
+    die(EXIT_FAILURE, "no attribute `%s' for key `%s'", argv[2], d.buf);
+  puts(p);
+  dstr_destroy(&d);
+  doclose(&f);
+  return (0);
+}
+
 /* --- @cmd_finger@ --- */
 
 static void fingerprint(key *k, const gchash *ch, const key_filter *kf)
@@ -1561,7 +1735,7 @@ static int cmd_finger(int argc, char *argv[])
 
   argv += optind; argc -= optind;
   if (rc)
-    die(EXIT_FAILURE, "Usage: fingerprint [-f filter] [tag...]");
+    die(EXIT_FAILURE, "Usage: fingerprint [-f FILTER] [TAG...]");
 
   doopen(&f, KOPEN_READ);
 
@@ -1585,6 +1759,102 @@ static int cmd_finger(int argc, char *argv[])
   return (rc);
 }
 
+/* --- @cmd_verify@ --- */
+
+static unsigned xdigit(char c)
+{
+  if ('A' <= c && c <= 'Z') return (c + 10 - 'A');
+  if ('a' <= c && c <= 'z') return (c + 10 - 'a');
+  if ('0' <= c && c <= '9') return (c - '0');
+  return (~0u);
+}
+
+static void unhexify(octet *q, char *p, size_t n)
+{
+  unsigned a = 0;
+  int i = 0;
+
+  for (;;) {
+    if (*p == '-' || *p == ':' || isspace((unsigned char)*p)) {
+      p++;
+      continue;
+    }
+    if (!n && !*p)
+      break;
+    if (!*p)
+      die(EXIT_FAILURE, "hex string too short");
+    if (!isxdigit((unsigned char)*p))
+      die(EXIT_FAILURE, "bad hex string");
+    if (!n)
+      die(EXIT_FAILURE, "hex string too long");
+    a = (a << 4) | xdigit(*p++);
+    i++;
+    if (i == 2) {
+      *q++ = U8(a);
+      a = 0;
+      i = 0;
+      n--;
+    }
+  }
+}
+
+static int cmd_verify(int argc, char *argv[])
+{
+  key_file f;
+  int rc = 0;
+  const gchash *ch = &rmd160;
+  ghash *h;
+  key *k;
+  octet *buf;
+  const octet *fpr;
+  key_filter kf = { KF_NONSECRET, KF_NONSECRET };
+
+  for (;;) {
+    static struct option opt[] = {
+      { "filter",	OPTF_ARGREQ,	0,	'f' },
+      { "algorithm",	OPTF_ARGREQ,	0,	'a' },
+      { 0,		0,		0,	0 }
+    };
+    int i = mdwopt(argc, argv, "+f:a:", opt, 0, 0, 0);
+    if (i < 0)
+      break;
+    switch (i) {
+      case 'f': {
+	char *p;
+	int err = key_readflags(optarg, &p, &kf.f, &kf.m);
+	if (err || *p)
+	  die(EXIT_FAILURE, "bad filter string `%s'", optarg);
+      } break;
+      case 'a':
+	if ((ch = ghash_byname(optarg)) == 0)
+	  die(EXIT_FAILURE, "unknown hash algorithm `%s'", optarg);
+	break;
+      default:
+	rc = 1;
+	break;
+    }
+  }
+
+  argv += optind; argc -= optind;
+  if (rc || argc != 2)
+    die(EXIT_FAILURE, "Usage: verify [-f FILTER] TAG FINGERPRINT");
+
+  doopen(&f, KOPEN_READ);
+
+  if ((k = key_bytag(&f, argv[0])) == 0)
+    die(EXIT_FAILURE, "key `%s' not found", argv[0]);
+  buf = xmalloc(ch->hashsz);
+  unhexify(buf, argv[1], ch->hashsz);
+  h = GH_INIT(ch);
+  if (!key_fingerprint(k, h, &kf))
+    die(EXIT_FAILURE, "key has no fingerprintable components (as filtered)");
+  fpr = GH_DONE(h, 0);
+  if (memcmp(fpr, buf, ch->hashsz) != 0)
+    die(EXIT_FAILURE, "key fingerprint mismatch");
+  doclose(&f);
+  return (0);
+}
+
 /* --- @cmd_comment@ --- */
 
 static int cmd_comment(int argc, char *argv[])
@@ -1594,7 +1864,7 @@ static int cmd_comment(int argc, char *argv[])
   int err;
 
   if (argc < 2 || argc > 3)
-    die(EXIT_FAILURE, "Usage: comment tag [comment]");
+    die(EXIT_FAILURE, "Usage: comment TAG [COMMENT]");
   doopen(&f, KOPEN_WRITE);
   if ((k = key_bytag(&f, argv[1])) == 0)
     die(EXIT_FAILURE, "key `%s' not found", argv[1]);
@@ -1634,7 +1904,7 @@ static int cmd_tag(int argc, char *argv[])
 
   argv += optind; argc -= optind;
   if (argc < 1 || argc > 2 || rc)
-    die(EXIT_FAILURE, "Usage: tag [-r] tag [new-tag]");
+    die(EXIT_FAILURE, "Usage: tag [-r] TAG [NEW-TAG]");
   doopen(&f, KOPEN_WRITE);
   if (flags & f_retag) {
     if ((k = key_bytag(&f, argv[1])) != 0 && strcmp(k->tag, argv[1]) == 0)
@@ -1654,17 +1924,17 @@ static int cmd_lock(int argc, char *argv[])
 {
   key_file f;
   key *k;
-  key_data *kd;
+  key_data **kd;
   dstr d = DSTR_INIT;
 
   if (argc != 2)
-    die(EXIT_FAILURE, "Usage: lock qtag");
+    die(EXIT_FAILURE, "Usage: lock QTAG");
   doopen(&f, KOPEN_WRITE);
   if (key_qtag(&f, argv[1], &d, &k, &kd))
     die(EXIT_FAILURE, "key `%s' not found", argv[1]);
-  if (kd->e == KENC_ENCRYPT && key_punlock(d.buf, kd, kd))
+  if ((*kd)->e == KENC_ENCRYPT && key_punlock(kd, 0, d.buf))
     die(EXIT_FAILURE, "couldn't unlock key `%s'", d.buf);
-  if (key_plock(d.buf, kd, kd))
+  if (key_plock(kd, 0, d.buf))
     die(EXIT_FAILURE, "failed to lock key `%s'", d.buf);
   f.f |= KF_MODIFIED;
   doclose(&f);
@@ -1677,17 +1947,17 @@ static int cmd_unlock(int argc, char *argv[])
 {
   key_file f;
   key *k;
-  key_data *kd;
+  key_data **kd;
   dstr d = DSTR_INIT;
 
   if (argc != 2)
-    die(EXIT_FAILURE, "Usage: unlock qtag");
+    die(EXIT_FAILURE, "Usage: unlock QTAG");
   doopen(&f, KOPEN_WRITE);
   if (key_qtag(&f, argv[1], &d, &k, &kd))
     die(EXIT_FAILURE, "key `%s' not found", argv[1]);
-  if (kd->e != KENC_ENCRYPT)
+  if ((*kd)->e != KENC_ENCRYPT)
     die(EXIT_FAILURE, "key `%s' is not encrypted", d.buf);
-  if (kd->e == KENC_ENCRYPT && key_punlock(d.buf, kd, kd))
+  if (key_punlock(kd, 0, d.buf))
     die(EXIT_FAILURE, "couldn't unlock key `%s'", d.buf);
   f.f |= KF_MODIFIED;
   doclose(&f);
@@ -1703,6 +1973,8 @@ static int cmd_extract(int argc, char *argv[])
   int i;
   int rc = 0;
   key_filter kf = { 0, 0 };
+  dstr d = DSTR_INIT;
+  const char *outfile = 0;
   FILE *fp;
 
   for (;;) {
@@ -1728,12 +2000,16 @@ static int cmd_extract(int argc, char *argv[])
 
   argv += optind; argc -= optind;
   if (rc || argc < 1)
-    die(EXIT_FAILURE, "Usage: extract [-f filter] file [tag...]");
+    die(EXIT_FAILURE, "Usage: extract [-f FILTER] FILE [TAG...]");
   if (strcmp(*argv, "-") == 0)
     fp = stdout;
-  else if (!(fp = fopen(*argv, "w"))) {
-    die(EXIT_FAILURE, "couldn't open `%s' for writing: %s",
-	*argv, strerror(errno));
+  else {
+    outfile = *argv;
+    dstr_putf(&d, "%s.new", outfile);
+    if (!(fp = fopen(d.buf, "w"))) {
+      die(EXIT_FAILURE, "couldn't open `%s' for writing: %s",
+	  d.buf, strerror(errno));
+    }
   }
 
   doopen(&f, KOPEN_READ);
@@ -1742,7 +2018,7 @@ static int cmd_extract(int argc, char *argv[])
     key *k;
     for (key_mkiter(&i, &f); (k = key_next(&i)) != 0; )
       key_extract(&f, k, fp, &kf);
-  } else {    
+  } else {
     for (i = 1; i < argc; i++) {
       if ((k = key_bytag(&f, argv[i])) != 0)
 	key_extract(&f, k, fp, &kf);
@@ -1752,8 +2028,9 @@ static int cmd_extract(int argc, char *argv[])
       }
     }
   }
-  if (fclose(fp))
+  if (fclose(fp) || (outfile && rename(d.buf, outfile)))
     die(EXIT_FAILURE, "error writing file: %s", strerror(errno));
+  dstr_destroy(&d);
   doclose(&f);
   return (rc);
 }
@@ -1764,7 +2041,7 @@ static int cmd_tidy(int argc, char *argv[])
 {
   key_file f;
   if (argc != 1)
-    die(EXIT_FAILURE, "usage: tidy");
+    die(EXIT_FAILURE, "Usage: tidy");
   doopen(&f, KOPEN_WRITE);
   f.f |= KF_MODIFIED; /* Nasty hack */
   doclose(&f);
@@ -1779,11 +2056,11 @@ static int cmd_merge(int argc, char *argv[])
   FILE *fp;
 
   if (argc != 2)
-    die(EXIT_FAILURE, "Usage: merge file");
+    die(EXIT_FAILURE, "Usage: merge FILE");
   if (strcmp(argv[1], "-") == 0)
     fp = stdin;
   else if (!(fp = fopen(argv[1], "r"))) {
-    die(EXIT_FAILURE, "couldn't open `%s' for writing: %s",
+    die(EXIT_FAILURE, "couldn't open `%s' for reading: %s",
 	argv[1], strerror(errno));
   }
 
@@ -1793,109 +2070,124 @@ static int cmd_merge(int argc, char *argv[])
   return (0);
 }
 
+/* --- @cmd_show@ --- */
+
+#define LISTS(LI)							\
+  LI("Lists", list,							\
+     listtab[i].name, listtab[i].name)					\
+  LI("Hash functions", hash,						\
+     ghashtab[i], ghashtab[i]->name)					\
+  LI("Elliptic curves", ec,						\
+     ectab[i].name, ectab[i].name)					\
+  LI("Prime Diffie-Hellman groups", dh,					\
+     ptab[i].name, ptab[i].name)					\
+  LI("Binary Diffie-Hellman groups", bindh,				\
+     bintab[i].name, bintab[i].name)					\
+  LI("Key-generation algorithms", keygen,				\
+     algtab[i].name, algtab[i].name)					\
+  LI("Random seeding algorithms", seed,					\
+     seedtab[i].p, seedtab[i].p)
+
+MAKELISTTAB(listtab, LISTS)
+
+static int cmd_show(int argc, char *argv[])
+{
+  return (displaylists(listtab, argv + 1));
+}
+
 /*----- Main command table ------------------------------------------------*/
 
-static struct cmd {
-  const char *name;
-  int (*cmd)(int /*argc*/, char */*argv*/[]);
-  const char *usage;
-  const char *help;
-} cmds[] = {
+static int cmd_help(int argc, char *argv[]);
+
+static cmd cmds[] = {
+  { "help", cmd_help, "help [COMMAND...]" },
+  { "show", cmd_show, "show [ITEM...]" },
+  { "list", cmd_list, "list [-uqv] [-f FILTER] [TAG...]", "\
+Options:\n\
+\n\
+-u, --utc		Display expiry times etc. in UTC, not local time.\n\
+-q, --quiet		Show less information.\n\
+-v, --verbose		Show more information.\n\
+" },
+  { "fingerprint", cmd_finger, "fingerprint [-f FILTER] [TAG...]", "\
+Options:\n\
+\n\
+-f, --filter=FILT	Only hash key components matching FILT.\n\
+-a, --algorithm=HASH	Use the named HASH algorithm.\n\
+			  ($ show hash for list.)\n\
+" },
+  { "verify", cmd_verify, "verify [-f FILTER] TAG FINGERPRINT", "\
+Options:\n\
+\n\
+-f, --filter=FILT	Only hash key components matching FILT.\n\
+-a, --algorithm=HASH	Use the named HASH algorithm.\n\
+			  ($ show hash for list.)\n\
+" },
+  { "extract", cmd_extract, "extract [-f FILTER] FILE [TAG...]", "\
+Options:\n\
+\n\
+-f, --filter=FILT	Only extract key components matching FILT.\n\
+" },
+  { "merge", cmd_merge, "merge FILE" },
+  { "expire", cmd_expire, "expire TAG..." },
+  { "delete", cmd_delete, "delete TAG..." },
+  { "setattr", cmd_setattr, "setattr TAG ATTR..." },
+  { "getattr", cmd_getattr, "getattr TAG ATTR" },
+  { "comment", cmd_comment, "comment TAG [COMMENT]" },
+  { "lock", cmd_lock, "lock QTAG" },
+  { "unlock", cmd_unlock, "unlock QTAG" },
+  { "tag", cmd_tag, "tag [-r] TAG [NEW-TAG]", "\
+Options:\n\
+\n\
+-r, --retag		Untag any key currently called new-tag.\n\
+" },
+  { "tidy", cmd_tidy, "tidy" },
   { "add", cmd_add,
-    "add [options] type [attr...]\n\
-	Options: [-lqrLS] [-a alg] [-bB bits] [-p param] [-R tag]\n\
-	         [-e expire] [-t tag] [-c comment]", "\
+    "add [-OPTIONS] TYPE [ATTR...]\n\
+	Options: [-lqrLKS] [-a ALG] [-bB BITS] [-p PARAM] [-R TAG]\n\
+		 [-A SEEDALG] [-s SEED] [-n BITS] [-I KEYID]\n\
+		 [-e EXPIRE] [-t TAG] [-c COMMENT]", "\
 Options:\n\
 \n\
 -a, --algorithm=ALG	Generate keys suitable for ALG.\n\
+			  ($ show keygen for list.)\n\
 -b, --bits=N		Generate an N-bit key.\n\
 -B, --qbits=N		Use an N-bit subgroup or factors.\n\
 -p, --parameters=TAG	Get group parameters from TAG.\n\
--C, --curve=CURVE	Use elliptic curve CURVE.\n\
+-C, --curve=NAME	Use elliptic curve or DH group NAME.\n\
+			  ($ show ec or $ show dh for list.)\n\
+-A, --seedalg=ALG	Use pseudorandom generator ALG to generate key.\n\
+			  ($ show seed for list.)\n\
+-s, --seed=BASE64	Use Base64-encoded string BASE64 as seed.\n\
+-n, --newseed=COUNT	Generate new COUNT-bit seed.\n\
 -e, --expire=TIME	Make the key expire after TIME.\n\
 -c, --comment=STRING	Attach the command STRING to the key.\n\
 -t, --tag=TAG		Tag the key with the name TAG.\n\
 -r, --retag		Untag any key currently with that tag.\n\
 -R, --rand-id=TAG	Use key named TAG for the random number generator.\n\
+-I, --key-id=ID		Force the key-id for the new key.\n\
 -l, --lock		Lock the generated key with a passphrase.\n\
 -q, --quiet		Don't give progress indicators while working.\n\
 -L, --lim-lee		Generate Lim-Lee primes for Diffie-Hellman groups.\n\
+-K, --kcdsa		Generate KCDSA-style Lim-Lee primes for DH groups.\n\
 -S, --subgroup		Use a prime-order subgroup for Diffie-Hellman.\n\
 " },
-  { "expire", cmd_expire, "expire tag..." },
-  { "delete", cmd_delete, "delete tag..." },
-  { "tag", cmd_tag, "tag [-r] tag [new-tag]", "\
-Options:\n\
-\n\
--r, --retag		Untag any key currently called new-tag.\n\
-" },
-  { "setattr", cmd_setattr, "setattr tag attr..." },
-  { "comment", cmd_comment, "comment tag [comment]" },
-  { "lock", cmd_lock, "lock qtag" },
-  { "unlock", cmd_unlock, "unlock qtag" },
-  { "list", cmd_list, "list [-uqv] [-f filter] [tag...]", "\
-Options:\n\
-\n\
--u, --utc		Display expiry times etc. in UTC, not local time.\n\
--q, --quiet		Show less information.\n\
--v, --verbose		Show more information.\n\
-" },
-  { "fingerprint", cmd_finger, "fingerprint [-f filter] [tag...]", "\
-Options:\n\
-\n\
--f, --filter=FILT	Only hash key components matching FILT.\n\
--a, --algorithm=HASH	Use the named HASH algorithm.\n\
-" },
-  { "tidy", cmd_tidy, "tidy" },
-  { "extract", cmd_extract, "extract [-f filter] file [tag...]", "\
-Options:\n\
-\n\
--f, --filter=FILT	Only extract key components matching FILT.\n\
-" },
-  { "merge", cmd_merge, "merge file" },
   { 0, 0, 0 }
 };
 
-typedef struct cmd cmd;
-
-/*----- Main code ---------------------------------------------------------*/
-
-/* --- @findcmd@ --- *
- *
- * Arguments:	@const char *name@ = a command name
- *
- * Returns:	Pointer to the command structure.
- *
- * Use:		Looks up a command by name.  If the command isn't found, an
- *		error is reported and the program is terminated.
- */
-
-static cmd *findcmd(const char *name)
+static int cmd_help(int argc, char *argv[])
 {
-  cmd *c, *chosen = 0;
-  size_t sz = strlen(name);
-
-  for (c = cmds; c->name; c++) {
-    if (strncmp(name, c->name, sz) == 0) {
-      if (c->name[sz] == 0) {
-	chosen = c;
-	break;
-      } else if (chosen)
-	die(EXIT_FAILURE, "ambiguous command name `%s'", name);
-      else
-	chosen = c;
-    }
-  }
-  if (!chosen)
-    die(EXIT_FAILURE, "unknown command name `%s'", name);
-  return (chosen);
+  sc_help(cmds, stdout, argv + 1);
+  return (0);
 }
 
+/*----- Main code ---------------------------------------------------------*/
+
 /* --- Helpful GNUy functions --- */
 
-void usage(FILE *fp)
+static void usage(FILE *fp)
 {
-  pquis(fp, "Usage: $ [-k keyring] command [args]\n");
+  pquis(fp, "Usage: $ [-k KEYRING] COMMAND [ARGS]\n");
 }
 
 void version(FILE *fp)
@@ -1903,38 +2195,20 @@ void version(FILE *fp)
   pquis(fp, "$, Catacomb version " VERSION "\n");
 }
 
-void help(FILE *fp, char **argv)
+void help_global(FILE *fp)
 {
-  cmd *c;
-
-  version(fp);
-  fputc('\n', fp);
-  if (*argv) {
-    c = findcmd(*argv);
-    fprintf(fp, "Usage: %s [-k keyring] %s\n", QUIS, c->usage);
-    if (c->help) {
-      fputc('\n', fp);	
-      fputs(c->help, fp);
-    }
-  } else {
-    usage(fp);
-    fputs("\n\
-Performs various simple key management operations.  Command line options\n\
-recognized are:\n\
+  usage(fp);
+  fputs("\n\
+Performs various simple key management operations.\n\
 \n\
--h, --help [COMMAND]	Display this help text (or help for COMMAND).\n\
+Global command line options:\n\
+\n\
+-h, --help [COMMAND...]	Display this help text (or help for COMMANDs).\n\
 -v, --version		Display version number.\n\
 -u, --usage		Display short usage summary.\n\
 \n\
--k, --keyring=FILE	Read and write keys in FILE.\n\
--i, --id=TAG		Use key TAG for random number generator.\n\
--t, --type=TYPE		Use key TYPE for random number generator.\n\
-\n\
-The following commands are understood:\n\n",
-	  fp);
-    for (c = cmds; c->name; c++)
-      fprintf(fp, "%s\n", c->usage);
-  }
+-k, --keyring=FILE	Read and write keys in FILE.\n",
+	fp);
 }
 
 /* --- @main@ --- *
@@ -1986,7 +2260,7 @@ int main(int argc, char *argv[])
       /* --- GNU help options --- */
 
       case 'h':
-	help(stdout, argv + optind);
+	sc_help(cmds, stdout, argv + optind);
 	exit(0);
       case 'v':
 	version(stdout);
@@ -2026,7 +2300,7 @@ int main(int argc, char *argv[])
   argc -= optind;
   argv += optind;
   optind = 0;
-  return (findcmd(argv[0])->cmd(argc, argv));
+  return (findcmd(cmds, argv[0])->cmd(argc, argv));
 }
 
 /*----- That's all, folks -------------------------------------------------*/