diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
index 4c4c6689..c629de2d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
@@ -171,7 +171,9 @@ public final class CertificateValidator {
 
         if (signingSubkey == primaryKey) {
             if (!directKeySignatures.isEmpty()) {
-                if (KeyFlag.hasKeyFlag(SignatureSubpacketsUtil.getKeyFlags(directKeySignatures.get(0)).getFlags(), KeyFlag.SIGN_DATA)) {
+                PGPSignature directKeySignature = directKeySignatures.get(0);
+                KeyFlags keyFlags = SignatureSubpacketsUtil.getKeyFlags(directKeySignature);
+                if (keyFlags != null && KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.SIGN_DATA)) {
                     return true;
                 }
             }
@@ -225,7 +227,7 @@ public final class CertificateValidator {
                 }
                 PGPSignature directKeySig = directKeySignatures.get(0);
                 KeyFlags directKeyFlags = SignatureSubpacketsUtil.getKeyFlags(directKeySig);
-                if (!KeyFlag.hasKeyFlag(directKeyFlags.getFlags(), KeyFlag.SIGN_DATA)) {
+                if (directKeyFlags == null || !KeyFlag.hasKeyFlag(directKeyFlags.getFlags(), KeyFlag.SIGN_DATA)) {
                     throw new SignatureValidationException("Signature was made by key which is not capable of signing (no keyflags on binding sig, no SIGN flag on direct-key sig).");
                 }
             } else if (!KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.SIGN_DATA)) {