From c0abae5cc366eb4fc0ed89cbf44e4d2ab8aa7893 Mon Sep 17 00:00:00 2001
From: Vincent Breitmoser
Date: Sun, 28 Sep 2014 03:53:14 +0200
Subject: [PATCH] only check for primary binding certificate if key algorithm even supports signing
---
 .../keychain/pgp/UncachedKeyRing.java | 24 ++++++++++++-------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
index 99a0ef94e..0e9377890 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
@@ -618,17 +618,23 @@ public class UncachedKeyRing {
 boolean needsPrimaryBinding = false;
- // if this certificate says it allows signing for the key
- if (zert.getHashedSubPackets() != null &&
- zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
- int flags = ((KeyFlags) zert.getHashedSubPackets()
- .getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
- if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
+ // If the algorithm is even suitable for signing
+ if (key.getAlgorithm() != PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT
+ && key.getAlgorithm() != PublicKeyAlgorithmTags.RSA_ENCRYPT) {
+
+ // If this certificate says it allows signing for the key
+ if (zert.getHashedSubPackets() != null &&
+ zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
+ int flags = ((KeyFlags) zert.getHashedSubPackets()
+ .getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
+ if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
+ needsPrimaryBinding = true;
+ }
+ } else {
+ // If there are no key flags, we STILL require this because the key can sign!
 needsPrimaryBinding = true;
 }
- } else {
- // If there are no key flags, we STILL require this because the key can sign!
- needsPrimaryBinding = true;
+
 }
 // If this key can sign, it MUST have a primary key binding certificate
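Review bot: In the new outer `if`, a subkey whose algorithm is `ELGAMAL_ENCRYPT` or `RSA_ENCRYPT` skips the key-flags inspection entirely, so a binding certificate that claims `CAN_SIGN` on such a key passes with `needsPrimaryBinding` left false and the contradiction goes unrecorded. That is safe only if every later consumer of the key flags also refuses signatures from these algorithms, which this hunk does not show; consider treating an encrypt-only algorithm combined with a `CAN_SIGN` flag as a bad certificate here, or at least logging it. The test is a denylist, so any algorithm not named still requires the binding and the check fails closed; a comment such as `// encrypt-only algorithms cannot issue signatures, so no primary key binding is needed; anything else is treated as sign-capable` would record that intent. The enclosing method starts and ends outside the hunk.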