From 71fd7574ec3e02375524db2d65d10e9781115e5c Mon Sep 17 00:00:00 2001
From: Ashley Hughes
Date: Mon, 13 Jan 2014 14:36:30 +0000
Subject: [PATCH 1/2] new keys are cross-certified
---
 OpenPGP-Keychain/res/raw/help_start.html | 3 +--
 .../keychain/pgp/PgpKeyOperation.java | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/OpenPGP-Keychain/res/raw/help_start.html b/OpenPGP-Keychain/res/raw/help_start.html
index 821e832a1..097e22ba8 100644
--- a/OpenPGP-Keychain/res/raw/help_start.html
+++ b/OpenPGP-Keychain/res/raw/help_start.html
@@ -17,7 +17,6 @@ And don't add newlines before or after p tags because of transifex -->

If you want to contribute, fork it and do a pull request on Github: https://github.com/dschuermann/openpgp-keychain

@@ -25,4 +24,4 @@ And don't add newlines before or after p tags because of transifex -->

I found a bug in OpenPGP Keychain!

Please report it in the issue tracker of OpenPGP Keychain.

-
\ No newline at end of file
+
diff --git a/OpenPGP-Keychain/src/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java b/OpenPGP-Keychain/src/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java
index 2cbfed28b..e07c802b7 100644
--- a/OpenPGP-Keychain/src/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java
+++ b/OpenPGP-Keychain/src/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java
@@ -289,6 +289,8 @@ public class PgpKeyOperation {
 updateProgress(R.string.progress_certifying_master_key, 20, 100);
+ //TODO: if we are editing a key, keep old certs, don't remake certs we don't have to.
+
 for (String userId : userIds) {
 PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder(
 masterPublicKey.getAlgorithm(), HashAlgorithmTags.SHA1)
@@ -302,8 +304,6 @@ public class PgpKeyOperation {
 masterPublicKey = PGPPublicKey.addCertification(masterPublicKey, userId, certification);
 }
- // TODO: cross-certify the master key with every sub key (APG 1)
-
 PGPKeyPair masterKeyPair = new PGPKeyPair(masterPublicKey, masterPrivateKey);
 PGPSignatureSubpacketGenerator hashedPacketsGen = new PGPSignatureSubpacketGenerator();
@@ -374,13 +374,21 @@ public class PgpKeyOperation {
 usageId = keysUsages.get(i);
 canSign = (usageId == Id.choice.usage.sign_only || usageId == Id.choice.usage.sign_and_encrypt);
 canEncrypt = (usageId == Id.choice.usage.encrypt_only || usageId == Id.choice.usage.sign_and_encrypt);
- if (canSign) {
+ if (canSign) { //TODO: ensure signing times are the same, like gpg
 keyFlags |= KeyFlags.SIGN_DATA;
+ //cross-certify signing keys
+ PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder(
+ subKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1)
+ .setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME);
+ PGPSignatureGenerator sGen = new PGPSignatureGenerator(signerBuilder);
+ sGen.init(PGPSignature.PRIMARYKEY_BINDING, subPrivateKey);
+ PGPSignature certification = sGen.generateCertification(masterPublicKey, subPublicKey);
+ unhashedPacketsGen.setEmbeddedSignature(false, certification);
 }
 if (canEncrypt) {
 keyFlags |= KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE;
 }
- hashedPacketsGen.setKeyFlags(true, keyFlags);
+ hashedPacketsGen.setKeyFlags(false, keyFlags);
 // TODO: this doesn't work quite right yet (APG 1)
 // if (keyEditor.getExpiryDate() != null) {
From 7544d189d08e2d2213d3ec8686d617c007030092 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?=
Date: Tue, 14 Jan 2014 19:52:40 +0100
Subject: [PATCH 2/2] add https://github.com/rtyley/spongycastle-old to README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index df2e72850..005146a52 100644
--- a/README.md
+++ b/README.md
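Review bot: `hashedPacketsGen.setKeyFlags(false, keyFlags)` at the end of the hunk flips the key-flags subpacket from critical to non-critical, an unexplained change that has nothing to do with the cross-certification the commit describes; either restore `true` or add a comment stating why the subpacket is now non-critical. The new primary-key binding signature is built with `PGPUtil.SHA1`, which matches the user-ID certifications made earlier in this method, but SHA-1 is already deprecated for new signatures, so `HashAlgorithmTags.SHA256` would be the safer digest for both places. Minor: the builder takes the algorithm from `subKey.getPublicKey().getAlgorithm()` while the signature is generated over `subPublicKey`, so `subPublicKey.getAlgorithm()` reads more consistently, and placing the back-signature in the unhashed area via `unhashedPacketsGen.setEmbeddedSignature` deserves a one-line comment giving the reason. The enclosing subkey loop starts and ends outside the hunk.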
@@ -131,7 +131,7 @@ Only classes related to QR Code generation are utilized.
 Spongy Castle is the stock Bouncy Castle libraries with a couple of small changes to make it work on Android. OpenPGP Keychain uses a forked version with some small changes to improve key import speed. These changes have been sent to Bouncy Castle, and Spongy Castle will be used again when they have filtered down. see
-* Spongy Castle: http://rtyley.github.com/spongycastle/
+* Spongy Castle: https://github.com/rtyley/spongycastle-old and http://rtyley.github.com/spongycastle/
 * Fork: https://github.com/ashh87/spongycastle
 #### Bouncy Castle resources