From ba9b8f3a6009ca60abffccc3e3fbd160e0fa420c Mon Sep 17 00:00:00 2001
From: Vincent Breitmoser
Date: Thu, 8 Oct 2015 20:01:04 +0200
Subject: pgpdecryptverify: only use keys for verification which are allowed to sign (OKC-01-013)
---
 .../sufficientlysecure/keychain/pgp/PgpSignatureChecker.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'OpenKeychain/src/main/java/org')
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignatureChecker.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignatureChecker.java
index a892a8a0d..4067372a1 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignatureChecker.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignatureChecker.java
@@ -132,8 +132,12 @@ class PgpSignatureChecker {
 CanonicalizedPublicKeyRing signingRing = mProviderHelper.getCanonicalizedPublicKeyRing(
 KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(sigKeyId)
 );
+ CanonicalizedPublicKey keyCandidate = signingRing.getPublicKey(sigKeyId);
+ if ( ! signingKey.canSign()) {
+ continue;
+ }
 signatureIndex = i;
- signingKey = signingRing.getPublicKey(sigKeyId);
+ signingKey = keyCandidate;
 onePassSignature = sigList.get(i);
 return;
 } catch (ProviderHelper.NotFoundException e) {
@@ -151,8 +155,12 @@ class PgpSignatureChecker {
 CanonicalizedPublicKeyRing signingRing = mProviderHelper.getCanonicalizedPublicKeyRing(
 KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(sigKeyId)
 );
+ CanonicalizedPublicKey keyCandidate = signingRing.getPublicKey(sigKeyId);
+ if ( ! signingKey.canSign()) {
+ continue;
+ }
 signatureIndex = i;
- signingKey = signingRing.getPublicKey(sigKeyId);
+ signingKey = keyCandidate;
 signature = sigList.get(i);
 return;
 } catch (ProviderHelper.NotFoundException e) {
-- 
cgit v1.2.3
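Review bot: The new guard `if ( ! signingKey.canSign()) {` tests the `signingKey` field rather than the `keyCandidate` fetched on the line above, so the candidate's signing capability is never checked; the same slip is repeated in the second hunk (`@@ -151,8 +155,12 @@`). Because each branch returns right after assigning `signingKey`, the field presumably still holds its initial value when the guard runs. If that value is null, the call throws a NullPointerException, which the visible `catch (ProviderHelper.NotFoundException e)` does not handle. In neither case does the check enforce what the subject line promises, that only keys allowed to sign are used for verification. Both guards should read `if ( ! keyCandidate.canSign()) {`, and a regression test with a signature from a subkey lacking the signing flag would pin the behaviour. The enclosing loops and methods start and end outside both hunks, so how `signingKey` is initialised should be confirmed against the full file.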