only check for primary binding certificate if key algorithm even supports signing

Vincent Breitmoser 2014-09-28 03:53:14 +02:00
parent 4782d22e26
commit c0abae5cc3


@ -618,17 +618,23 @@ public class UncachedKeyRing {
boolean needsPrimaryBinding = false;
// if this certificate says it allows signing for the key
if (zert.getHashedSubPackets() != null &&
zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
int flags = ((KeyFlags) zert.getHashedSubPackets()
.getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
// If the algorithm is even suitable for signing
if (key.getAlgorithm() != PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT
&& key.getAlgorithm() != PublicKeyAlgorithmTags.RSA_ENCRYPT) {
// If this certificate says it allows signing for the key
if (zert.getHashedSubPackets() != null &&
zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
int flags = ((KeyFlags) zert.getHashedSubPackets()
.getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
needsPrimaryBinding = true;
}
} else {
// If there are no key flags, we STILL require this because the key can sign!
needsPrimaryBinding = true;
}
} else {
// If there are no key flags, we STILL require this because the key can sign!
needsPrimaryBinding = true;
}
// If this key can sign, it MUST have a primary key binding certificate