only check for primary binding certificate if key algorithm even supports signing

Vincent Breitmoser 2014-09-28 03:53:14 +02:00
parent 4782d22e26
commit c0abae5cc3


@ -618,7 +618,11 @@ public class UncachedKeyRing {
boolean needsPrimaryBinding = false; boolean needsPrimaryBinding = false;
// if this certificate says it allows signing for the key // If the algorithm is even suitable for signing
if (key.getAlgorithm() != PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT
&& key.getAlgorithm() != PublicKeyAlgorithmTags.RSA_ENCRYPT) {
// If this certificate says it allows signing for the key
if (zert.getHashedSubPackets() != null && if (zert.getHashedSubPackets() != null &&
zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) { zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
int flags = ((KeyFlags) zert.getHashedSubPackets() int flags = ((KeyFlags) zert.getHashedSubPackets()
@ -631,6 +635,8 @@ public class UncachedKeyRing {
needsPrimaryBinding = true; needsPrimaryBinding = true;
} }
}
// If this key can sign, it MUST have a primary key binding certificate // If this key can sign, it MUST have a primary key binding certificate
if (needsPrimaryBinding) { if (needsPrimaryBinding) {
boolean ok = false; boolean ok = false;
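Review bot: The new algorithm guard in the first hunk (`key.getAlgorithm() != PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT && ... != PublicKeyAlgorithmTags.RSA_ENCRYPT`) has a comment that says what is tested but not why skipping the binding check is safe. An encrypt-only key cannot issue a primary key binding signature, so presumably the old code rejected such subkeys whenever their certificate carried signing flags. Because the test is a deny-list of two tags, every other algorithm, including unknown ones, still goes through the binding check, which is the fail-closed direction. I would record that in the comment, e.g. `// Encrypt-only algorithms cannot issue a primary key binding signature; all other algorithms, including unknown ones, are still checked`. It may also be worth logging when an encrypt-only subkey carries signing key flags, since flags and algorithm then disagree, and confirming that signature verification does not rely on the flags alone; that code, like the start and end of the enclosing method, is outside these hunks.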