accept primary key binding signatures as signed subpackets (fixes #2113)

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java

@@ -947,19 +947,38 @@ public class UncachedKeyRing {
                     // If this key can sign, it MUST have a primary key binding certificate
                     if (needsPrimaryBinding) {
                         boolean ok = false;
-                        if (zert.getUnhashedSubPackets() != null) try {
+                        try {
-                            // Check all embedded signatures, if any of them fits
+                            if (zert.getUnhashedSubPackets() != null) {
-                            PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures();
+                                // Check all embedded signatures, if any of them fits
-                            for (int i = 0; i < list.size(); i++) {
+                                PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures();
-                                WrappedSignature subsig = new WrappedSignature(list.get(i));
+                                for (int i = 0; i < list.size(); i++) {
-                                if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
+                                    WrappedSignature subsig = new WrappedSignature(list.get(i));
-                                    subsig.init(key);
+                                    if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
-                                    if (subsig.verifySignature(masterKey, key)) {
+                                        subsig.init(key);
-                                        ok = true;
+                                        if (subsig.verifySignature(masterKey, key)) {
-                                    } else {
+                                            ok = true;
-                                        log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent);
+                                        } else {
-                                        badCerts += 1;
+                                            log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent);
-                                        continue uids;
+                                            badCerts += 1;
+                                            continue uids;
+                                        }
+                                    }
+                                }
+                            }
+                            if (!ok) {
+                                // Check all embedded signatures, if any of them fits
+                                PGPSignatureList list = zert.getHashedSubPackets().getEmbeddedSignatures();
+                                for (int i = 0; i < list.size(); i++) {
+                                    WrappedSignature subsig = new WrappedSignature(list.get(i));
+                                    if (subsig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
+                                        subsig.init(key);
+                                        if (subsig.verifySignature(masterKey, key)) {
+                                            ok = true;
+                                        } else {
+                                            log.add(LogType.MSG_KC_SUB_PRIMARY_BAD, indent);
+                                            badCerts += 1;
+                                            continue uids;
+                                        }
                                     }
                                 }
                             }