mirror of https://github.com/pgpainless/pgpainless.git synced 2025-12-08 21:31:08 +01:00

Reject data signatures made by non-signing primary key

Paul Schaub 2024-04-10 10:38:50 +02:00
parent 741d72eadc
commit a6f3a223b1
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
2 changed files with 240 additions and 1 deletions


@ -169,6 +169,17 @@ class CertificateValidator {
return true
}
}
// Reject sigs by non-signing keys
if (userIdSignatures.none { (_, sigs) ->
sigs.any {
SignatureSubpacketsUtil.getKeyFlags(it)?.let { f ->
KeyFlag.hasKeyFlag(f.flags, KeyFlag.SIGN_DATA)
} == true
}
}) {
throw SignatureValidationException(
"Signature was generated by non-signing key.")
}
} else { // signing key is subkey
val subkeySigs = mutableListOf<PGPSignature>()
signingSubkey
@ -183,7 +194,7 @@ class CertificateValidator {
}
} catch (e: SignatureValidationException) {
rejections[it] = e
LOGGER.debug("REjecting subkey revocation signature: ${e.message}", e)
LOGGER.debug("Rejecting subkey revocation signature: ${e.message}", e)
}
}
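Review bot: In the first hunk the new guard passes as soon as any signature on any user ID carries SIGN_DATA (`sigs.any { … }`), so its strength depends on what `userIdSignatures` holds, and that map is filled outside the hunk. If a list can still contain superseded or revoked self-certifications, an older binding that advertised signing would keep the primary key accepted after the owner dropped the flag or revoked that user ID. I would restrict the test to the current valid self-signature of each user ID, or at minimum state the invariant in a comment, e.g. `// userIdSignatures holds only verified self-signatures; any of them granting SIGN_DATA is sufficient`, and add a test for the case where a newer self-signature removes the flag. The enclosing function begins and ends outside the visible hunks.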