| -rw-r--r-- | OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java | 24 | 
1 files changed, 15 insertions, 9 deletions
| diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
index 99a0ef94e..0e9377890 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java
@@ -618,17 +618,23 @@ public class UncachedKeyRing {
                     boolean needsPrimaryBinding = false;
-                    // if this certificate says it allows signing for the key
-                    if (zert.getHashedSubPackets() != null &&
-                            zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
-                        int flags = ((KeyFlags) zert.getHashedSubPackets()
-                                .getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
-                        if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
+                    // If the algorithm is even suitable for signing
+                    if (key.getAlgorithm() != PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT
+                            && key.getAlgorithm() != PublicKeyAlgorithmTags.RSA_ENCRYPT) {
+
+                        // If this certificate says it allows signing for the key
+                        if (zert.getHashedSubPackets() != null &&
+                                zert.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.KEY_FLAGS)) {
+                            int flags = ((KeyFlags) zert.getHashedSubPackets()
+                                    .getSubpacket(SignatureSubpacketTags.KEY_FLAGS)).getFlags();
+                            if ((flags & PGPKeyFlags.CAN_SIGN) == PGPKeyFlags.CAN_SIGN) {
+                                needsPrimaryBinding = true;
+                            }
+                        } else {
+                            // If there are no key flags, we STILL require this because the key can sign!
                             needsPrimaryBinding = true;
                         }
-                    } else {
-                        // If there are no key flags, we STILL require this because the key can sign!
-                        needsPrimaryBinding = true;
+
                     }
                     // If this key can sign, it MUST have a primary key binding certificate |
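Review bot: The new algorithm guard at the top of the hunk lets an ELGAMAL_ENCRYPT or RSA_ENCRYPT subkey whose certificate still carries the CAN_SIGN flag pass without a primary key binding, and nothing in the visible lines records or clears that contradictory flag. That is only safe if every later consumer of the key flags (signing-key selection, signature verification) also refuses these algorithms, which cannot be confirmed from this hunk. A comment such as `// encrypt-only algorithms cannot issue signatures, so CAN_SIGN is ignored here and no primary key binding is required` would state the assumption. Reading `key.getAlgorithm()` once into a local and dropping the empty added line before the closing brace would also tidy the block. The enclosing method starts and ends outside the hunk.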
