Merge branch 'master' of github.com:dschuermann/openpgp-keychain

OpenPGP-Keychain/res/raw/help_start.html

@@ -17,7 +17,6 @@ And don't add newlines before or after p tags because of transifex -->
 <ul>
 <li>K9 Mail integration not published</li>
 <li>Importing existing keys will be stripped of certificates right now</li>
-<li>Key cross-certification is NOT supported, so signing with those keys will get a warning when the signature is checked.</li>
 <li>PGP/MIME in K9 Mail is missing</li>
 </ul>
 <p>If you want to contribute, fork it and do a pull request on Github: <a href="https://github.com/dschuermann/openpgp-keychain">https://github.com/dschuermann/openpgp-keychain</a></p>
@@ -25,4 +24,4 @@ And don't add newlines before or after p tags because of transifex -->
 <h2>I found a bug in OpenPGP Keychain!</h2>
 <p>Please report it in the <a href="https://github.com/dschuermann/openpgp-keychain/issues">issue tracker of OpenPGP Keychain</a>.</p>
 </body>
-</html>
+</html>

OpenPGP-Keychain/src/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java

@@ -289,6 +289,8 @@ public class PgpKeyOperation {
 
         updateProgress(R.string.progress_certifying_master_key, 20, 100);
 
+        //TODO: if we are editing a key, keep old certs, don't remake certs we don't have to.
+
         for (String userId : userIds) {
             PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder(
                     masterPublicKey.getAlgorithm(), HashAlgorithmTags.SHA1)
@@ -302,8 +304,6 @@ public class PgpKeyOperation {
             masterPublicKey = PGPPublicKey.addCertification(masterPublicKey, userId, certification);
         }
 
-        // TODO: cross-certify the master key with every sub key (APG 1)
-
         PGPKeyPair masterKeyPair = new PGPKeyPair(masterPublicKey, masterPrivateKey);
 
         PGPSignatureSubpacketGenerator hashedPacketsGen = new PGPSignatureSubpacketGenerator();
@@ -374,13 +374,21 @@ public class PgpKeyOperation {
             usageId = keysUsages.get(i);
             canSign = (usageId == Id.choice.usage.sign_only || usageId == Id.choice.usage.sign_and_encrypt);
             canEncrypt = (usageId == Id.choice.usage.encrypt_only || usageId == Id.choice.usage.sign_and_encrypt);
-            if (canSign) {
+            if (canSign) { //TODO: ensure signing times are the same, like gpg
                 keyFlags |= KeyFlags.SIGN_DATA;
+                //cross-certify signing keys
+                PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder(
+                    subKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1)
+                    .setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME);
+                PGPSignatureGenerator sGen = new PGPSignatureGenerator(signerBuilder);
+                sGen.init(PGPSignature.PRIMARYKEY_BINDING, subPrivateKey);
+                PGPSignature certification = sGen.generateCertification(masterPublicKey, subPublicKey);
+                unhashedPacketsGen.setEmbeddedSignature(false, certification);
             }
             if (canEncrypt) {
                 keyFlags |= KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE;
             }
-            hashedPacketsGen.setKeyFlags(true, keyFlags);
+            hashedPacketsGen.setKeyFlags(false, keyFlags);
 
             // TODO: this doesn't work quite right yet (APG 1)
             // if (keyEditor.getExpiryDate() != null) {

README.md

@@ -125,7 +125,7 @@ Only classes related to QR Code generation are utilized.
 Spongy Castle is the stock Bouncy Castle libraries with a couple of small changes to make it work on Android. OpenPGP Keychain uses a forked version with some small changes to improve key import speed. These changes have been sent to Bouncy Castle, and Spongy Castle will be used again when they have filtered down.
 
 see
-* Spongy Castle: http://rtyley.github.com/spongycastle/
+* Spongy Castle: https://github.com/rtyley/spongycastle-old and http://rtyley.github.com/spongycastle/
 * Fork: https://github.com/ashh87/spongycastle
 
 #### Bouncy Castle resources