openpgp: Enforce that KeyAmalgamations have a binding signature.

  - ValidKeyIter enforces that KeyAmalgamations have a valid binding
    signature.

  - Enforce this constraint when constructing a KeyAmalgamation and
    when modifying a KeyAmalgamation's policy.

2 files changed, 5 insertions, 7 deletions

diff --git a/openpgp-ffi/src/cert.rs b/openpgp-ffi/src/cert.rs
index dc62a7f1..241453c9 100644
--- a/openpgp-ffi/src/cert.rs
+++ b/openpgp-ffi/src/cert.rs
@@ -749,19 +749,17 @@ pub extern "C" fn pgp_cert_valid_key_iter_revoked<'a>(
     iter_wrapper.iter = tmp.revoked(Some(revoked));
 }
 
-/// Returns the next key.  Returns NULL if there are no more elements.
+/// Returns the next valid key.  Returns NULL if there are no more
+/// elements.
 ///
-/// If sigo is not NULL, stores the current self-signature (if any) in
-/// *sigo.  (Note: subkeys always have signatures, but a primary key
-/// may not have a direct signature, and there might not be any user
-/// ids.)
+/// If sigo is not NULL, stores the current self-signature.
 ///
 /// If rso is not NULL, this stores the key's revocation status in
 /// *rso.
 #[::sequoia_ffi_macros::extern_fn] #[no_mangle]
 pub extern "C" fn pgp_cert_valid_key_iter_next<'a>(
     iter_wrapper: *mut ValidKeyIterWrapper<'a>,
-    sigo: Option<&mut Maybe<Signature>>,
+    sigo: Option<&mut *mut Signature>,
     rso: Option<&mut *mut RevocationStatus<'a>>)
     -> Maybe<Key>
 {
diff --git a/openpgp-ffi/src/parse/stream.rs b/openpgp-ffi/src/parse/stream.rs
index 262ff596..67ef6c71 100644
--- a/openpgp-ffi/src/parse/stream.rs
+++ b/openpgp-ffi/src/parse/stream.rs
@@ -184,7 +184,7 @@ fn $fn_name<'a>(
     sig_r: Maybe<*mut Signature>,
     cert_r: Maybe<*mut Cert>,
     key_r: Maybe<*mut Key>,
-    binding_r: Maybe<Maybe<Signature>>,
+    binding_r: Maybe<*mut Signature>,
     revocation_status_r:
     Maybe<*mut RevocationStatus<'a>>)
     -> bool