only check for primary binding certificate if key algorithm even supports signing

Vincent Breitmoser 2014-09-28 03:53:14 +02:00
parent 4782d22e26
commit c0abae5cc3


@ -618,17 +618,23 @@ public class UncachedKeyRing {
boolean needsPrimaryBinding = false; boolean needsPrimaryBinding = false;
// if this certificate says it allows signing for the key // If the algorithm is even suitable for signing
if (zert.getHashedSubPackets() != null && if (key.getAlgorithm() != PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT
zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) { && key.getAlgorithm() != PublicKeyAlgorithmTags.RSA_ENCRYPT) {
int flags = ((KeyFlags) zert.getHashedSubPackets()
.getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags(); // If this certificate says it allows signing for the key
if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) { if (zert.getHashedSubPackets() != null &&
zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
int flags = ((KeyFlags) zert.getHashedSubPackets()
.getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
needsPrimaryBinding = true;
}
} else {
// If there are no key flags, we STILL require this because the key can sign!
needsPrimaryBinding = true; needsPrimaryBinding = true;
} }
} else {
// If there are no key flags, we STILL require this because the key can sign!
needsPrimaryBinding = true;
} }
// If this key can sign, it MUST have a primary key binding certificate // If this key can sign, it MUST have a primary key binding certificate
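Review bot: The new outer `if` on `key.getAlgorithm()` skips the key-flags inspection entirely, so a binding certificate on an ELGAMAL_ENCRYPT or RSA_ENCRYPT subkey that still advertises `CAN_SIGN` is now accepted with no primary binding certificate and no record of the mismatch. That is only safe if every later consumer decides signing capability from the algorithm and not from the flags, which is not visible in this hunk. I would state that assumption next to the check, e.g. `// Encrypt-only algorithms cannot produce signatures, so a CAN_SIGN flag on them is ignored here; unlisted or unknown algorithms keep the stricter requirement`. The enclosing block starts and ends outside the hunk.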