From 8f40c6df5108f30dc424e4d802f49f3392738724 Mon Sep 17 00:00:00 2001
From: Vincent Breitmoser <valodim@mugenguild.com>
Date: Tue, 6 Oct 2015 15:06:36 +0200
Subject: use only primary and mutually bound subkeys for fingerprint
 verification

---
 .../org/sufficientlysecure/keychain/pgp/CanonicalizedKeyRing.java | 7 ++++++-
 .../org/sufficientlysecure/keychain/provider/ProviderHelper.java  | 3 +--
 .../keychain/ui/CreateYubiKeyImportFragment.java                  | 8 ++++----
 3 files changed, 11 insertions(+), 7 deletions(-)

(limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain')

diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedKeyRing.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedKeyRing.java
index 18a27dd96..6f1e78ce6 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedKeyRing.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedKeyRing.java
@@ -154,8 +154,13 @@ public abstract class CanonicalizedKeyRing extends KeyRing {
         return getRing().getEncoded();
     }
 
-    public boolean containsSubkey(String expectedFingerprint) {
+    /// Returns true iff the keyring contains a primary key or mutually bound subkey with the expected fingerprint
+    public boolean containsBoundSubkey(String expectedFingerprint) {
         for (CanonicalizedPublicKey key : publicKeyIterator()) {
+            boolean isMasterOrMutuallyBound = key.isMasterKey() || key.canSign();
+            if (!isMasterOrMutuallyBound) {
+                continue;
+            }
             if (KeyFormattingUtils.convertFingerprintToHex(
                     key.getFingerprint()).equalsIgnoreCase(expectedFingerprint)) {
                 return true;
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java
index a6823d3ac..375775ff1 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java
@@ -62,7 +62,6 @@ import org.sufficientlysecure.keychain.provider.KeychainContract.Certs;
 import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRingData;
 import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRings;
 import org.sufficientlysecure.keychain.provider.KeychainContract.Keys;
-import org.sufficientlysecure.keychain.provider.KeychainContract.UserPackets;
 import org.sufficientlysecure.keychain.provider.KeychainContract.UpdatedKeys;
 import org.sufficientlysecure.keychain.remote.AccountSettings;
 import org.sufficientlysecure.keychain.remote.AppSettings;
@@ -968,7 +967,7 @@ public class ProviderHelper {
 
             // If we have an expected fingerprint, make sure it matches
             if (expectedFingerprint != null) {
-                if (!canPublicRing.containsSubkey(expectedFingerprint)) {
+                if (!canPublicRing.containsBoundSubkey(expectedFingerprint)) {
                     log(LogType.MSG_IP_FINGERPRINT_ERROR);
                     return new SaveKeyringResult(SaveKeyringResult.RESULT_ERROR, mLog, null);
                 } else {
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateYubiKeyImportFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateYubiKeyImportFragment.java
index f7925b7f4..648c5f962 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateYubiKeyImportFragment.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateYubiKeyImportFragment.java
@@ -49,7 +49,7 @@ public class CreateYubiKeyImportFragment
         extends QueueingCryptoOperationFragment<ImportKeyringParcel, ImportKeyResult>
         implements NfcListenerFragment {
 
-    private static final String ARG_FINGERPRINT = "fingerprint";
+    private static final String ARG_FINGERPRINTS = "fingerprint";
     public static final String ARG_AID = "aid";
     public static final String ARG_USER_ID = "user_ids";
 
@@ -72,7 +72,7 @@ public class CreateYubiKeyImportFragment
         CreateYubiKeyImportFragment frag = new CreateYubiKeyImportFragment();
 
         Bundle args = new Bundle();
-        args.putByteArray(ARG_FINGERPRINT, scannedFingerprints);
+        args.putByteArray(ARG_FINGERPRINTS, scannedFingerprints);
         args.putByteArray(ARG_AID, nfcAid);
         args.putString(ARG_USER_ID, userId);
         frag.setArguments(args);
@@ -86,7 +86,7 @@ public class CreateYubiKeyImportFragment
 
         Bundle args = savedInstanceState != null ? savedInstanceState : getArguments();
 
-        mNfcFingerprints = args.getByteArray(ARG_FINGERPRINT);
+        mNfcFingerprints = args.getByteArray(ARG_FINGERPRINTS);
         mNfcAid = args.getByteArray(ARG_AID);
         mNfcUserId = args.getString(ARG_USER_ID);
 
@@ -149,7 +149,7 @@ public class CreateYubiKeyImportFragment
     public void onSaveInstanceState(Bundle args) {
         super.onSaveInstanceState(args);
 
-        args.putByteArray(ARG_FINGERPRINT, mNfcFingerprints);
+        args.putByteArray(ARG_FINGERPRINTS, mNfcFingerprints);
         args.putByteArray(ARG_AID, mNfcAid);
         args.putString(ARG_USER_ID, mNfcUserId);
     }
-- 
cgit v1.2.3