Allow generation of keys with empty key flags.

Forbid certification of thirdparty certificates if CERTIFY_OTHERS flag is missing

pgpainless-core/src/main/java/org/pgpainless/algorithm/KeyFlag.java

@@ -18,7 +18,7 @@ import org.bouncycastle.bcpg.sig.KeyFlags;
 public enum KeyFlag {
 
     /**
-     * This key may be used to certify other keys.
+     * This key may be used to certify third-party keys.
      */
     CERTIFY_OTHER  (KeyFlags.CERTIFY_OTHER),
 

pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java

@@ -67,6 +67,13 @@ public abstract class KeyException extends RuntimeException {
         }
     }
 
+    public static class UnacceptableThirdPartyCertificationKeyException extends KeyException {
+
+        public UnacceptableThirdPartyCertificationKeyException(@Nonnull OpenPgpFingerprint fingerprint) {
+            super("Key " + fingerprint + " has no acceptable certification key.", fingerprint);
+        }
+    }
+
     public static class UnacceptableSelfSignatureException extends KeyException {
 
         public UnacceptableSelfSignatureException(@Nonnull OpenPgpFingerprint fingerprint) {

pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java

@@ -280,6 +280,10 @@ public class CertifyCertificate {
             throw new KeyException.RevokedKeyException(fingerprint);
         }
 
+        if (!info.isUsableForThirdPartyCertification()) {
+            throw new KeyException.UnacceptableThirdPartyCertificationKeyException(fingerprint);
+        }
+
         Date expirationDate = info.getExpirationDateForUse(KeyFlag.CERTIFY_OTHER);
         if (expirationDate != null && expirationDate.before(now)) {
             throw new KeyException.ExpiredKeyException(fingerprint, expirationDate);

pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java

@@ -19,7 +19,6 @@ import java.util.Map;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
-import org.bouncycastle.bcpg.sig.KeyFlags;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPKeyRingGenerator;
@@ -128,19 +127,11 @@ public class KeyRingBuilder implements KeyRingBuilderInterface<KeyRingBuilder> {
     }
 
     private void verifyMasterKeyCanCertify(KeySpec spec) {
-        if (!hasCertifyOthersFlag(spec)) {
-            throw new IllegalArgumentException("Certification Key MUST have KeyFlag CERTIFY_OTHER");
-        }
         if (!keyIsCertificationCapable(spec)) {
             throw new IllegalArgumentException("Key algorithm " + spec.getKeyType().getName() + " is not capable of creating certifications.");
         }
     }
 
-    private boolean hasCertifyOthersFlag(KeySpec keySpec) {
-        KeyFlags keyFlags = keySpec.getSubpacketGenerator().getKeyFlagsSubpacket();
-        return keyFlags != null && KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.CERTIFY_OTHER);
-    }
-
     private boolean keyIsCertificationCapable(KeySpec keySpec) {
         return keySpec.getKeyType().canCertify();
     }

pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java

@@ -56,7 +56,7 @@ public class KeySpec {
         return keyCreationDate;
     }
 
-    public static KeySpecBuilder getBuilder(KeyType type, KeyFlag flag, KeyFlag... flags) {
-        return new KeySpecBuilder(type, flag, flags);
+    public static KeySpecBuilder getBuilder(KeyType type, KeyFlag... flags) {
+        return new KeySpecBuilder(type, flags);
     }
 }

pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java

@@ -21,7 +21,6 @@ import org.pgpainless.key.generation.type.KeyType;
 import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
-import org.pgpainless.util.CollectionUtils;
 
 public class KeySpecBuilder implements KeySpecBuilderInterface {
 
@@ -34,17 +33,14 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
     private Set<SymmetricKeyAlgorithm> preferredSymmetricAlgorithms = algorithmSuite.getSymmetricKeyAlgorithms();
     private Date keyCreationDate;
 
-    KeySpecBuilder(@Nonnull KeyType type, KeyFlag flag, KeyFlag... flags) {
-        if (flag == null) {
-            throw new IllegalArgumentException("Key MUST carry at least one key flag");
-        }
+    KeySpecBuilder(@Nonnull KeyType type, KeyFlag... flags) {
         if (flags == null) {
-            throw new IllegalArgumentException("List of additional flags MUST NOT be null.");
+            this.keyFlags = new KeyFlag[0];
+        } else {
+            SignatureSubpacketsUtil.assureKeyCanCarryFlags(type, flags);
+            this.keyFlags = flags;
         }
-        flags = CollectionUtils.concat(flag, flags);
-        SignatureSubpacketsUtil.assureKeyCanCarryFlags(type, flags);
         this.type = type;
-        this.keyFlags = flags;
     }
 
     @Override

pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java

@@ -1170,6 +1170,10 @@ public class KeyRingInfo {
         return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredCompressionAlgorithms();
     }
 
+    public boolean isUsableForThirdPartyCertification() {
+        return isKeyValidlyBound(getKeyId()) && getKeyFlagsOf(getKeyId()).contains(KeyFlag.CERTIFY_OTHER);
+    }
+
     /**
      * Returns true, if the certificate has at least one usable encryption subkey.
      *