mirror of
https://github.com/moparisthebest/open-keychain
synced 2024-12-25 00:18:51 -05:00
Reject subkeys with no key flags and no primary key binding certificate
Closes #899
This commit is contained in:
parent
1a2ec1eb32
commit
1c3d0a58ea
@ -616,43 +616,51 @@ public class UncachedKeyRing {
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
boolean needsPrimaryBinding = false;
|
||||||
|
|
||||||
// if this certificate says it allows signing for the key
|
// if this certificate says it allows signing for the key
|
||||||
if (zert.getHashedSubPackets() != null &&
|
if (zert.getHashedSubPackets() != null &&
|
||||||
zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
|
zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
|
||||||
|
|
||||||
int flags = ((KeyFlags) zert.getHashedSubPackets()
|
int flags = ((KeyFlags) zert.getHashedSubPackets()
|
||||||
.getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
|
.getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
|
||||||
if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
|
if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
|
||||||
boolean ok = false;
|
needsPrimaryBinding = true;
|
||||||
// it MUST have an embedded primary key binding signature
|
}
|
||||||
try {
|
} else {
|
||||||
PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures();
|
// If there are no key flags, we STILL require this because the key can sign!
|
||||||
for (int i = 0; i < list.size(); i++) {
|
needsPrimaryBinding = true;
|
||||||
WrappedSignature subsig = new WrappedSignature(list.get(i));
|
}
|
||||||
if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
|
|
||||||
subsig.init(key);
|
// If this key can sign, it MUST have a primary key binding certificate
|
||||||
if (subsig.verifySignature(masterKey, key)) {
|
if (needsPrimaryBinding) {
|
||||||
ok = true;
|
boolean ok = false;
|
||||||
} else {
|
if (zert.getUnhashedSubPackets() != null) try {
|
||||||
log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent);
|
// Check all embedded signatures, if any of them fits
|
||||||
badCerts += 1;
|
PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures();
|
||||||
continue uids;
|
for (int i = 0; i < list.size(); i++) {
|
||||||
}
|
WrappedSignature subsig = new WrappedSignature(list.get(i));
|
||||||
|
if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
|
||||||
|
subsig.init(key);
|
||||||
|
if (subsig.verifySignature(masterKey, key)) {
|
||||||
|
ok = true;
|
||||||
|
} else {
|
||||||
|
log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent);
|
||||||
|
badCerts += 1;
|
||||||
|
continue uids;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} catch (Exception e) {
|
|
||||||
log.add(LogType.MSG_KC_SUB_PRIMARY_BAD_ERR, indent);
|
|
||||||
badCerts += 1;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
// if it doesn't, get rid of this!
|
|
||||||
if (!ok) {
|
|
||||||
log.add(LogType.MSG_KC_SUB_PRIMARY_NONE, indent);
|
|
||||||
badCerts += 1;
|
|
||||||
continue;
|
|
||||||
}
|
}
|
||||||
|
} catch (Exception e) {
|
||||||
|
log.add(LogType.MSG_KC_SUB_PRIMARY_BAD_ERR, indent);
|
||||||
|
badCerts += 1;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
// if it doesn't, get rid of this!
|
||||||
|
if (!ok) {
|
||||||
|
log.add(LogType.MSG_KC_SUB_PRIMARY_NONE, indent);
|
||||||
|
badCerts += 1;
|
||||||
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// if we already have a cert, and this one is older: skip it
|
// if we already have a cert, and this one is older: skip it
|
||||||
|
Loading…
Reference in New Issue
Block a user