cthrace/open-keychain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reject subkeys with no key flags and no primary key binding certificate

Browse Source 
Closes #899
This commit is contained in:
Vincent Breitmoser
2014-09-28 03:34:25 +02:00
parent 1a2ec1eb32
commit 1c3d0a58ea
1 changed files with 35 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
View File

@@ -616,16 +616,26 @@ public class UncachedKeyRing {
continue; continue;
} }
boolean needsPrimaryBinding = false;
// if this certificate says it allows signing for the key // if this certificate says it allows signing for the key
if (zert.getHashedSubPackets() != null && if (zert.getHashedSubPackets() != null &&
zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) { zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
int flags = ((KeyFlags) zert.getHashedSubPackets() int flags = ((KeyFlags) zert.getHashedSubPackets()
.getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags(); .getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) { if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
needsPrimaryBinding = true;
}
} else {
// If there are no key flags, we STILL require this because the key can sign!
needsPrimaryBinding = true;
}
// If this key can sign, it MUST have a primary key binding certificate
if (needsPrimaryBinding) {
boolean ok = false; boolean ok = false;
// it MUST have an embedded primary key binding signature if (zert.getUnhashedSubPackets() != null) try {
try { // Check all embedded signatures, if any of them fits
PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures(); PGPSignatureList list = zert.getUnhashedSubPackets().getEmbeddedSignatures();
for (int i = 0; i < list.size(); i++) { for (int i = 0; i < list.size(); i++) {
WrappedSignature subsig = new WrappedSignature(list.get(i)); WrappedSignature subsig = new WrappedSignature(list.get(i));
@@ -653,8 +663,6 @@ public class UncachedKeyRing {
} }
} }
}
// if we already have a cert, and this one is older: skip it // if we already have a cert, and this one is older: skip it
if (selfCert != null && cert.getCreationTime().before(selfCert.getCreationTime())) { if (selfCert != null && cert.getCreationTime().before(selfCert.getCreationTime())) {
log.add(LogType.MSG_KC_SUB_DUP, indent); log.add(LogType.MSG_KC_SUB_DUP, indent);