From c3c8ce8193fc4738581b04c38d7a145c2069379f Mon Sep 17 00:00:00 2001
From: Paul Schaub <vanitasvitae@fsfe.org>
Date: Mon, 13 Oct 2025 14:46:31 +0200
Subject: [PATCH] Add test for subkey binding signature issuer info

---
 .../java/org/pgpainless/sop/GenerateKeyTest.java    | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
index 3abf80bc..002310af 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
@@ -12,9 +12,11 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.IOException;
 
+import org.bouncycastle.bcpg.KeyIdentifier;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.api.OpenPGPKey;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -44,6 +46,17 @@ public class GenerateKeyTest {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing()
                 .secretKeyRing(bytes);
 
+        for (PGPSecretKey subkey : secretKeys) {
+            if (subkey.isMasterKey()) {
+                continue;
+            }
+            PGPSignature binding = subkey.getPublicKey().getKeySignatures().next();
+            for (KeyIdentifier issuer : binding.getKeyIdentifiers()) {
+                assertTrue(issuer.matchesExplicit(secretKeys.getPublicKey().getKeyIdentifier()),
+                        "Subkey signature MUST be issued by primary key.");
+            }
+        }
+
         assertTrue(PGPainless.inspectKeyRing(secretKeys)
                 .isUserIdValid("Alice <alice@pgpainless.org>"));
     }