From 5422468d731559e534d76f2c36d38f385f177345 Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Sat, 31 Jul 2021 22:25:55 +0200
Subject: [PATCH] Check key flags on binding sig to determine if backsig is required

---
 .../org/pgpainless/signature/SignatureValidator.java | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java
index ec63ba9c..c14096d0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java
@@ -24,6 +24,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
+import org.bouncycastle.bcpg.sig.KeyFlags;
 import org.bouncycastle.bcpg.sig.NotationData;
 import org.bouncycastle.bcpg.sig.SignatureCreationTime;
 import org.bouncycastle.openpgp.PGPException;
@@ -33,6 +34,7 @@ import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
 import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
 import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.algorithm.PublicKeyAlgorithm;
 import org.pgpainless.algorithm.SignatureSubpacket;
 import org.pgpainless.algorithm.SignatureType;
@@ -493,6 +495,15 @@ public abstract class SignatureValidator {
 return;
 }
 
+ KeyFlags keyFlags = SignatureSubpacketsUtil.getKeyFlags(signature);
+ if (keyFlags == null) {
+ return;
+ }
+ if (!KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.SIGN_DATA)
+ && !KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.CERTIFY_OTHER)) {
+ return;
+ }
+
 try {
 PGPSignatureList embeddedSignatures = SignatureSubpacketsUtil.getEmbeddedSignature(signature);
 boolean hasValidPrimaryKeyBinding = false;
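Review bot: The `keyFlags == null` early return in the third hunk accepts a subkey binding signature without any primary key binding (back) signature whenever the KeyFlags subpacket is absent, which is only safe if every place that selects a signing subkey treats a flagless subkey as not signing-capable; that is not visible in this hunk and should be confirmed. If `SignatureSubpacketsUtil.getKeyFlags` can also read the unhashed area, the decision would rest on data the binding signature does not protect, so it is worth checking that it reads hashed subpackets only. I would state the assumption above the check, e.g. `// No KeyFlags, or neither SIGN_DATA nor CERTIFY_OTHER: subkey is not signing-capable, so no back-signature is required`, and read the flags once with `int flags = keyFlags.getFlags();`. The enclosing method starts and ends outside the hunk.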