Reject subkeys with no key flags and no primary key binding certificate

Closes #899
Vincent Breitmoser 2014-09-28 03:34:25 +02:00
parent 1a2ec1eb32
commit 1c3d0a58ea


@ -616,43 +616,51 @@ public class UncachedKeyRing {
continue; continue;
} }
boolean needsPrimaryBinding = false;
// if this certificate says it allows signing for the key // if this certificate says it allows signing for the key
if (zert.getHashedSubPackets() != null && if (zert.getHashedSubPackets() != null &&
zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) { zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
int flags = ((KeyFlags) zert.getHashedSubPackets() int flags = ((KeyFlags) zert.getHashedSubPackets()
.getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags(); .getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) { if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
boolean ok = false; needsPrimaryBinding = true;
// it MUST have an embedded primary key binding signature }
try { } else {
PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures(); // If there are no key flags, we STILL require this because the key can sign!
for (int i = 0; i < list.size(); i++) { needsPrimaryBinding = true;
WrappedSignature subsig = new WrappedSignature(list.get(i)); }
if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
subsig.init(key); // If this key can sign, it MUST have a primary key binding certificate
if (subsig.verifySignature(masterKey, key)) { if (needsPrimaryBinding) {
ok = true; boolean ok = false;
} else { if (zert.getUnhashedSubPackets() != null) try {
log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent); // Check all embedded signatures, if any of them fits
badCerts += 1; PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures();
continue uids; for (int i = 0; i < list.size(); i++) {
} WrappedSignature subsig = new WrappedSignature(list.get(i));
if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
subsig.init(key);
if (subsig.verifySignature(masterKey, key)) {
ok = true;
} else {
log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent);
badCerts += 1;
continue uids;
} }
} }
} catch (Exception e) {
log.add(LogType.MSG_KC_SUB_PRIMARY_BAD_ERR, indent);
badCerts += 1;
continue;
}
// if it doesn't, get rid of this!
if (!ok) {
log.add(LogType.MSG_KC_SUB_PRIMARY_NONE, indent);
badCerts += 1;
continue;
} }
} catch (Exception e) {
log.add(LogType.MSG_KC_SUB_PRIMARY_BAD_ERR, indent);
badCerts += 1;
continue;
}
// if it doesn't, get rid of this!
if (!ok) {
log.add(LogType.MSG_KC_SUB_PRIMARY_NONE, indent);
badCerts += 1;
continue;
} }
} }
// if we already have a cert, and this one is older: skip it // if we already have a cert, and this one is older: skip it
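Review bot: The embedded-signature loop rejects the whole certificate on the first PRIMARYKEY_BINDING signature that fails to verify (`continue uids;`), which contradicts the new comment "Check all embedded signatures, if any of them fits". The embedded signatures come from the unhashed subpackets, which the subkey binding signature does not cover, so one extra bogus entry on an otherwise valid certificate is enough to get the subkey dropped. Consider only logging in the failure branch and letting the existing `if (!ok)` check decide, e.g. `if (subsig.verifySignature(masterKey, key)) { ok = true; break; } else { log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent); }`. The `uids` label and the enclosing method are outside this hunk, so it is worth confirming that `continue uids;` targets the same loop as the plain `continue;` in the other two reject paths. Separately, the new `else` branch requires a binding for every subkey without key flags, presumably including ones whose algorithm cannot sign; that fails closed, but the comment "because the key can sign!" should say this is an assumption.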