

fix(v2): Do not allow encrpytion with a forwarding key
lubux committed Jul 16, 2024
1 parent f27ab7d commit da66ff5
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions openpgp/v2/keys.go
Expand Up @@ -163,12 +163,12 @@ func (e *Entity) DecryptionKeys(id uint64, date time.Time) (keys []Key) {
for _, subkey := range e.Subkeys {
subkeySelfSig, err := subkey.LatestValidBindingSignature(date)
if err == nil &&
isValidEncryptionKey(subkeySelfSig, subkey.PublicKey.PubKeyAlgo) &&
isValidDecryptionKey(subkeySelfSig, subkey.PublicKey.PubKeyAlgo) &&
(id == 0 || subkey.PublicKey.KeyId == id) {
keys = append(keys, Key{subkey.Primary, primarySelfSignature, subkey.PublicKey, subkey.PrivateKey, subkeySelfSig})
}
}
if isValidEncryptionKey(primarySelfSignature, e.PrimaryKey.PubKeyAlgo) {
if isValidDecryptionKey(primarySelfSignature, e.PrimaryKey.PubKeyAlgo) {
keys = append(keys, Key{e, primarySelfSignature, e.PrimaryKey, e.PrivateKey, primarySelfSignature})
}
return
Expand Down Expand Up @@ -794,6 +794,12 @@ func isValidCertificationKey(signature *packet.Signature, algo packet.PublicKeyA
}

func isValidEncryptionKey(signature *packet.Signature, algo packet.PublicKeyAlgorithm) bool {
return algo.CanEncrypt() &&
signature.FlagsValid &&
(signature.FlagEncryptCommunications || signature.FlagEncryptStorage)
}

func isValidDecryptionKey(signature *packet.Signature, algo packet.PublicKeyAlgorithm) bool {
return algo.CanEncrypt() &&
signature.FlagsValid &&
(signature.FlagEncryptCommunications || signature.FlagForward || signature.FlagEncryptStorage)
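Review bot: The new isValidDecryptionKey repeats the entire body of isValidEncryptionKey and differs only by the FlagForward term, so the two predicates can drift apart the next time a key flag is added; expressing the new helper in terms of the old one keeps the relationship explicit: `return isValidEncryptionKey(signature, algo) || (algo.CanEncrypt() && signature.FlagsValid && signature.FlagForward)`. The asymmetry is the whole point of the commit (a forwarding key is accepted when selecting decryption keys in DecryptionKeys but is not accepted by isValidEncryptionKey), and neither helper has a doc comment saying so; I would add `// isValidDecryptionKey reports whether the key may be used to decrypt: it accepts the encryption flags and, unlike isValidEncryptionKey, the forwarding flag.` above the new function and `// isValidEncryptionKey reports whether the key may be selected for encrypting to; forwarding keys are deliberately excluded.` above the existing one. The closing brace of isValidDecryptionKey lies outside the hunk.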
