From aff2e6b9f0a97a4e634367593adf43ce805a307b Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Fri, 11 Dec 2020 22:09:21 +0100
Subject: [PATCH] Verify that certification key has signing capable algorithm
---
 .../org/pgpainless/key/generation/KeyRingBuilder.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
index 41428e09..afe3c1c5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
@@ -187,16 +187,23 @@ public class KeyRingBuilder implements KeyRingBuilderInterface {
  }
  private void verifyMasterKeyCanCertify(KeySpec spec) {
- if (!canCertifyOthers(spec)) {
+ if (!hasCertifyOthersFlag(spec)) {
  throw new IllegalArgumentException("Certification Key MUST have KeyFlag CERTIFY_OTHER");
  }
+ if (!keyIsCertificationCapable(spec)) {
+ throw new IllegalArgumentException("Key algorithm " + spec.getKeyType().getName() + " is not capable of creating certifications.");
+ }
  }
- private boolean canCertifyOthers(KeySpec keySpec) {
+ private boolean hasCertifyOthersFlag(KeySpec keySpec) {
  int flags = keySpec.getSubpackets().getKeyFlags();
  return KeyFlag.hasKeyFlag(flags, KeyFlag.CERTIFY_OTHER);
  }
+ private boolean keyIsCertificationCapable(KeySpec keySpec) {
+ return keySpec.getKeyType().canCertify();
+ }
+
  class WithPrimaryUserIdImpl implements WithPrimaryUserId {
  @Override
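Review bot: The new rejection branch in `verifyMasterKeyCanCertify` has no test pinning it, since the diffstat shows KeyRingBuilder.java as the only file changed. A regression test should build a master KeySpec that carries CERTIFY_OTHER but uses an encryption-only key type and assert that `IllegalArgumentException` is thrown, so a later refactor of `canCertify()` cannot silently re-allow a primary key that is unable to issue its own self-certifications. The check here covers only the certification flag of the master key; whether other flag/algorithm combinations on subkeys are validated cannot be seen from this hunk, because the rest of KeyRingBuilder lies outside it, and that may deserve the same treatment. A one-line comment on `keyIsCertificationCapable` would also make the intent clear, for example `// The CERTIFY_OTHER flag is only a declaration; the key algorithm itself must be able to produce signatures.`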