From 118b7b56a86c27dbbe34791d20ac4a8d116ccd99 Mon Sep 17 00:00:00 2001
From: Vincent Breitmoser
Date: Thu, 25 May 2017 19:40:23 +0200
Subject: [PATCH] accept primary key binding signatures as signed subpackets (fixes #2113)
---
.../keychain/pgp/UncachedKeyRing.java | 45 +++++++++++++------
1 file changed, 32 insertions(+), 13 deletions(-)
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
index b0db36b06..907fa6996 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
@@ -947,19 +947,38 @@ public class UncachedKeyRing {
 // If this key can sign, it MUST have a primary key binding certificate
 if (needsPrimaryBinding) {
 boolean ok = false;
- if (zert.getUnhashedSubPackets() != null) try {
- // Check all embedded signatures, if any of them fits
- PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures();
- for (int i = 0; i < list.size(); i++) {
- WrappedSignature subsig = new WrappedSignature(list.get(i));
- if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
- subsig.init(key);
- if (subsig.verifySignature(masterKey, key)) {
- ok = true;
- } else {
- log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent);
- badCerts += 1;
- continue uids;
+ try {
+ if (zert.getUnhashedSubPackets() != null) {
+ // Check all embedded signatures, if any of them fits
+ PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures();
+ for (int i = 0; i < list.size(); i++) {
+ WrappedSignature subsig = new WrappedSignature(list.get(i));
+ if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
+ subsig.init(key);
+ if (subsig.verifySignature(masterKey, key)) {
+ ok = true;
+ } else {
+ log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent);
+ badCerts += 1;
+ continue uids;
+ }
+ }
+ }
+ }
+ if (!ok) {
+ // Check all embedded signatures, if any of them fits
+ PGPSignatureList list = zert.getHashedSubPackets().getEmbeddedSignatures();
+ for (int i = 0; i < list.size(); i++) {
+ WrappedSignature subsig = new WrappedSignature(list.get(i));
+ if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
+ subsig.init(key);
+ if (subsig.verifySignature(masterKey, key)) {
+ ok = true;
+ } else {
+ log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent);
+ badCerts += 1;
+ continue uids;
+ }
 }
 }
 }
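Review bot: The new `if (!ok)` branch dereferences `zert.getHashedSubPackets()` without the null guard that the unhashed branch keeps, so a certificate with no hashed subpacket area would presumably throw a NullPointerException on imported key material; the enclosing `catch` is outside the hunk, so whether it covers that cannot be seen here. Guard it the same way, `if (!ok && zert.getHashedSubPackets() != null) {`. A failing embedded signature in the unhashed area also still reaches `continue uids` before the hashed area is consulted. The unhashed area is not covered by the certificate's own signature, so checking the hashed area first would keep an unauthenticated bad packet from masking a valid binding. The two loops are otherwise identical and could share one private helper that takes the subpacket vector.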