authorJustus Winter <justus@sequoia-pgp.org>2023-08-24 14:57:18 +0200
committerJustus Winter <justus@sequoia-pgp.org>2023-08-24 15:01:51 +0200
commit4ecdbe51561bdec32808841a0b38922f925900bb (patch)
tree5e445fc805e47cb119afe44b3c23ae274ad8d840
parentd90bba28da377df9ae6b1b03c3e34f5b87c784f1 (diff)
openpgp: Add primary key binding signature to auth subkeys.
- Fixes #1019.
-rw-r--r--openpgp/NEWS3
-rw-r--r--openpgp/src/cert/amalgamation/key.rs4
-rw-r--r--openpgp/src/cert/builder.rs4
-rw-r--r--openpgp/src/cert/builder/key.rs4
4 files changed, 12 insertions, 3 deletions
diff --git a/openpgp/NEWS b/openpgp/NEWS
index 7cdbe82d..24628fb8 100644
--- a/openpgp/NEWS
+++ b/openpgp/NEWS
@@ -27,6 +27,9 @@
no key flags subpacket on either the active binding signature or
the active direct key signature, we infer the key flags from the
key's role and public key algorithm.
+
+ - When creating an authentication-capable subkey, Sequoia now also
+ adds a primary key binding signature.
** New functionality
- The RustCrypto backend now supports DSA.
- crypto::SessionKey::as_protected
diff --git a/openpgp/src/cert/amalgamation/key.rs b/openpgp/src/cert/amalgamation/key.rs
index f04010a4..aed8dfdf 100644
--- a/openpgp/src/cert/amalgamation/key.rs
+++ b/openpgp/src/cert/amalgamation/key.rs
@@ -1679,7 +1679,9 @@ impl<'a, P> ValidErasedKeyAmalgamation<'a, P>
} else {
// To extend the validity of the subkey, create a new
// binding signature with updated key validity period.
- let backsig = if self.for_certification() || self.for_signing() {
+ let backsig = if self.for_certification() || self.for_signing()
+ || self.for_authentication()
+ {
if let Some(subkey_signer) = subkey_signer {
Some(signature::SignatureBuilder::new(
SignatureType::PrimaryKeyBinding)
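Review bot: Adding `|| self.for_authentication()` here means that extending the validity of an authentication-capable subkey now goes through the `if let Some(subkey_signer) = subkey_signer` check, so callers that passed no subkey signer for such a subkey now take the `else` branch, which lies outside this hunk. If that branch returns an error, as it presumably does for signing-capable subkeys, this is a behaviour change for existing callers, and the NEWS entry only mentions creating a subkey. I would add a NEWS line such as `Extending the validity of an authentication-capable subkey now requires a signer for the subkey.`, state the same in the method's documentation, and check that the error text in the `else` branch does not speak only of signing-capable subkeys. The same question applies to the `subkey_signer` fallback in openpgp/src/cert/builder/key.rs.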
diff --git a/openpgp/src/cert/builder.rs b/openpgp/src/cert/builder.rs
index c8477c95..82045295 100644
--- a/openpgp/src/cert/builder.rs
+++ b/openpgp/src/cert/builder.rs
@@ -1458,7 +1458,9 @@ impl CertBuilder<'_> {
.set_key_flags(flags.clone())?
.set_key_validity_period(blueprint.validity.or(self.primary.validity))?;
- if flags.for_certification() || flags.for_signing() {
+ if flags.for_certification() || flags.for_signing()
+ || flags.for_authentication()
+ {
// We need to create a primary key binding signature.
let mut subkey_signer = subkey.clone().into_keypair().unwrap();
let backsig =
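Review bot: The three-way test `flags.for_certification() || flags.for_signing() || flags.for_authentication()` is now spelled out in three places (here, in openpgp/src/cert/builder/key.rs, and with `self.` in openpgp/src/cert/amalgamation/key.rs), so the next change to the rule has to find all of them. A single crate-private predicate, for example `fn needs_primary_key_binding(flags: &KeyFlags) -> bool` (the name is only a suggestion), would keep creation and re-binding in agreement. The comment `// We need to create a primary key binding signature.` could also say why: the subkey countersigns the binding to show that its holder agrees to be part of this certificate, which stops a certificate from claiming a signing or authentication key that belongs to someone else. The enclosing function starts and ends outside the hunk.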
diff --git a/openpgp/src/cert/builder/key.rs b/openpgp/src/cert/builder/key.rs
index 50ba3229..4d211750 100644
--- a/openpgp/src/cert/builder/key.rs
+++ b/openpgp/src/cert/builder/key.rs
@@ -826,7 +826,9 @@ impl<'a> SubkeyBuilder<'a> {
}
if let Some(flags) = builder.key_flags() {
- if flags.for_certification() || flags.for_signing() {
+ if flags.for_certification() || flags.for_signing()
+ || flags.for_authentication()
+ {
// We need to create a primary key binding signature.
let mut subkey_signer = if let Some(signer) = subkey_signer {
signer
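Review bot: Nothing in this commit tests the new branch: per the diffstat each of the three source files changes only its condition, so a later edit that drops `|| flags.for_authentication()` would go unnoticed. A test that attaches an authentication-capable subkey through SubkeyBuilder and asserts that the resulting binding signature carries an embedded primary key binding signature that verifies under the subkey would pin the behaviour. Sibling tests for CertBuilder and for the validity-extension path in openpgp/src/cert/amalgamation/key.rs would cover the other two sites. The enclosing function continues past the end of this hunk.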