Dont accept signatures by expired or revoked subkeys

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/OpenPgpSignatureResultBuilder.java

@@ -84,10 +84,6 @@ public class OpenPgpSignatureResultBuilder {
         this.mUserIds = userIds;
     }
 
-    public boolean isValidSignature() {
-        return mValidSignature;
-    }
-
     public void initValid(CanonicalizedPublicKeyRing signingRing,
                           CanonicalizedPublicKey signingKey) {
         setSignatureAvailable(true);

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java

@@ -22,6 +22,7 @@ import android.content.Context;
 import android.webkit.MimeTypeMap;
 
 import org.openintents.openpgp.OpenPgpMetadata;
+import org.openintents.openpgp.OpenPgpSignatureResult;
 import org.spongycastle.bcpg.ArmoredInputStream;
 import org.spongycastle.openpgp.PGPCompressedData;
 import org.spongycastle.openpgp.PGPEncryptedData;
@@ -332,7 +333,10 @@ public class PgpDecryptVerify extends BaseOperation {
         }
         signatureResultBuilder.setValidSignature(validSignature);
 
-        if (!signatureResultBuilder.isValidSignature()) {
+        OpenPgpSignatureResult signatureResult = signatureResultBuilder.build();
+
+        if (signatureResult.getStatus() != OpenPgpSignatureResult.SIGNATURE_SUCCESS_CERTIFIED
+                || signatureResult.getStatus() != OpenPgpSignatureResult.SIGNATURE_SUCCESS_UNCERTIFIED) {
             log.add(LogType.MSG_VL_ERROR_INTEGRITY_CHECK, indent);
             return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
         }
@@ -344,7 +348,7 @@ public class PgpDecryptVerify extends BaseOperation {
         // Return a positive result, with metadata and verification info
         DecryptVerifyResult result =
                 new DecryptVerifyResult(DecryptVerifyResult.RESULT_OK, log);
-        result.setSignatureResult(signatureResultBuilder.build());
+        result.setSignatureResult(signatureResult);
         return result;
     }
 
@@ -773,6 +777,8 @@ public class PgpDecryptVerify extends BaseOperation {
             metadata = null;
         }
 
+        OpenPgpSignatureResult signatureResult = signatureResultBuilder.build();
+
         if (encryptedData.isIntegrityProtected()) {
             updateProgress(R.string.progress_verifying_integrity, 95, 100);
 
@@ -786,7 +792,8 @@ public class PgpDecryptVerify extends BaseOperation {
             // If no valid signature is present:
             // Handle missing integrity protection like failed integrity protection!
             // The MDC packet can be stripped by an attacker!
-            if (!signatureResultBuilder.isValidSignature()) {
+            if (signatureResult.getStatus() != OpenPgpSignatureResult.SIGNATURE_SUCCESS_CERTIFIED
+                    || signatureResult.getStatus() != OpenPgpSignatureResult.SIGNATURE_SUCCESS_UNCERTIFIED) {
                 log.add(LogType.MSG_DC_ERROR_INTEGRITY_CHECK, indent);
                 return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
             }
@@ -800,7 +807,7 @@ public class PgpDecryptVerify extends BaseOperation {
         DecryptVerifyResult result =
                 new DecryptVerifyResult(DecryptVerifyResult.RESULT_OK, log);
         result.setDecryptMetadata(metadata);
-        result.setSignatureResult(signatureResultBuilder.build());
+        result.setSignatureResult(signatureResult);
         return result;
 
     }

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java

@@ -30,6 +30,7 @@ import com.textuality.keybase.lib.Proof;
 import com.textuality.keybase.lib.prover.Prover;
 
 import org.json.JSONObject;
+import org.openintents.openpgp.OpenPgpSignatureResult;
 import org.spongycastle.openpgp.PGPUtil;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.R;

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ViewKeyTrustFragment.java

@@ -362,7 +362,7 @@ public class ViewKeyTrustFragment extends LoaderFragment implements
         // Create a new Messenger for the communication back after proof work is done
         //
         KeychainIntentServiceHandler handler = new KeychainIntentServiceHandler(getActivity(),
-                getString(R.string.progress_decrypting), ProgressDialog.STYLE_HORIZONTAL) {
+                getString(R.string.progress_verifying_signature), ProgressDialog.STYLE_HORIZONTAL) {
             public void handleMessage(Message message) {
                 // handle messages by standard KeychainIntentServiceHandler first
                 super.handleMessage(message);