Fix: Do not set IssuerKeyId on v6 key-signatures

2025-09-09 10:19:39 +02:00 · 2025-03-05 10:57:06 +01:00 · 2025-03-05 10:57:06 +01:00 · 67af718db9
commit 67af718db9
parent 69fc590d26
3 changed files with 28 additions and 3 deletions
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt
@ -97,7 +97,7 @@ class KeyRingBuilder(
        val signatureGenerator = PGPSignatureGenerator(signer, certKey.publicKey)

        val hashedSubPacketGenerator = primaryKeySpec!!.subpacketGenerator
-        hashedSubPacketGenerator.setIssuerFingerprintAndKeyId(certKey.publicKey)
+        hashedSubPacketGenerator.setAppropriateIssuerInfo(certKey.publicKey, version)
        expirationDate?.let { hashedSubPacketGenerator.setKeyExpirationTime(certKey.publicKey, it) }
        if (userIds.isNotEmpty()) {
            hashedSubPacketGenerator.setPrimaryUserId()
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt
@ -11,12 +11,25 @@ import org.bouncycastle.bcpg.sig.*
 import org.bouncycastle.openpgp.PGPPublicKey
 import org.bouncycastle.openpgp.PGPSignature
 import org.pgpainless.algorithm.HashAlgorithm
+import org.pgpainless.algorithm.OpenPGPKeyVersion
 import org.pgpainless.algorithm.PublicKeyAlgorithm

 interface BaseSignatureSubpackets {

    interface Callback : SignatureSubpacketCallback<BaseSignatureSubpackets>

+    fun setAppropriateIssuerInfo(key: PGPPublicKey): BaseSignatureSubpackets
+
+    /**
+     * Depending on the given [version], use the appropriate means of setting issuer information.
+     * V6 signatures for example MUST NOT contain an [IssuerKeyID] packet.
+     *
+     * @param key issuer key
+     * @param version signature version
+     * @return this
+     */
+    fun setAppropriateIssuerInfo(key: PGPPublicKey, version: OpenPGPKeyVersion): BaseSignatureSubpackets
+
    /**
     * Add both an [IssuerKeyID] and [IssuerFingerprint] subpacket pointing to the given key.
     *
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt
@ -72,7 +72,7 @@ class SignatureSubpackets :
            issuer: PGPPublicKey,
            base: PGPSignatureSubpacketVector
        ): SignatureSubpackets {
-            return createSubpacketsFrom(base).apply { setIssuerFingerprintAndKeyId(issuer) }
+            return createSubpacketsFrom(base).apply { setAppropriateIssuerInfo(issuer) }
        }

        @JvmStatic
@ -82,7 +82,7 @@ class SignatureSubpackets :

        @JvmStatic
        fun createHashedSubpackets(issuer: PGPPublicKey): SignatureSubpackets {
-            return createEmptySubpackets().setIssuerFingerprintAndKeyId(issuer)
+            return createEmptySubpackets().setAppropriateIssuerInfo(issuer)
        }

        @JvmStatic
@ -352,6 +352,18 @@ class SignatureSubpackets :
        this.featuresSubpacket = features
    }

+    override fun setAppropriateIssuerInfo(key: PGPPublicKey) = apply {
+        setAppropriateIssuerInfo(key, OpenPGPKeyVersion.from(key.version))
+    }
+
+    override fun setAppropriateIssuerInfo(key: PGPPublicKey, version: OpenPGPKeyVersion) = apply {
+        when (version) {
+            OpenPGPKeyVersion.v3 -> setIssuerKeyId(key.keyID)
+            OpenPGPKeyVersion.v4 -> setIssuerFingerprintAndKeyId(key)
+            OpenPGPKeyVersion.librePgp, OpenPGPKeyVersion.v6 -> setIssuerFingerprint(key)
+        }
+    }
+
    override fun setIssuerFingerprintAndKeyId(key: PGPPublicKey): SignatureSubpackets = apply {
        setIssuerKeyId(key.keyID)
        setIssuerFingerprint(key)