1 files changed, 23 insertions, 5 deletions

diff --git a/sm/keylist.c b/sm/keylist.c
index 4f2d009..2d51aa7 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -251,9 +251,11 @@ print_capabilities (ksba_cert_t cert, estream_t fp)
 {
   gpg_error_t err;
   unsigned int use;
+  unsigned int is_encr, is_sign, is_cert;
   size_t buflen;
   char buffer[1];
 
+
   err = ksba_cert_get_user_data (cert, "is_qualified",
                                  &buffer, sizeof (buffer), &buflen);
   if (!err && buflen)
@@ -285,17 +287,33 @@ print_capabilities (ksba_cert_t cert, estream_t fp)
       return;
     }
 
+  is_encr = is_sign = is_cert = 0;
+
   if ((use & (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT)))
-    es_putc ('e', fp);
+    is_encr = 1;
   if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
-    es_putc ('s', fp);
+    is_sign = 1;
   if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
+    is_cert = 1;
+
+  /* We need to returned the faked key usage to frontends so that they
+   * can select the right key.  Note that we don't do this for the
+   * human readable keyUsage.  */
+  if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR)
+      && (use & KSBA_KEYUSAGE_KEY_AGREEMENT))
+    is_encr = 1;
+
+  if (is_encr)
+    es_putc ('e', fp);
+  if (is_sign)
+    es_putc ('s', fp);
+  if (is_cert)
     es_putc ('c', fp);
-  if ((use & (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT)))
+  if (is_encr)
     es_putc ('E', fp);
-  if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
+  if (is_sign)
     es_putc ('S', fp);
-  if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
+  if (is_cert)
     es_putc ('C', fp);
 }