diff options
| -rw-r--r-- | openpgp/NEWS | 1 | ||||
| -rw-r--r-- | openpgp/src/cert/amalgamation/key.rs | 3 | ||||
| -rw-r--r-- | openpgp/src/cert/builder.rs | 4 | ||||
| -rw-r--r-- | openpgp/src/cert/builder/key.rs | 4 | ||||
| -rw-r--r-- | openpgp/src/types/key_flags.rs | 17 |
5 files changed, 23 insertions, 6 deletions
diff --git a/openpgp/NEWS b/openpgp/NEWS index da2b53b3..0c4aa90a 100644 --- a/openpgp/NEWS +++ b/openpgp/NEWS @@ -6,6 +6,7 @@ * Changes in 1.21.0 ** New functionality + - KeyFlags::require_primary_key_binding - The RustCrypto backend now supports ECDH and ECDSA over the NIST curve P-384. - The RustCrypto backend now supports ECDH and ECDSA over the NIST diff --git a/openpgp/src/cert/amalgamation/key.rs b/openpgp/src/cert/amalgamation/key.rs index d25893b8..9811aa06 100644 --- a/openpgp/src/cert/amalgamation/key.rs +++ b/openpgp/src/cert/amalgamation/key.rs @@ -1999,6 +1999,9 @@ impl<'a, P> ValidErasedKeyAmalgamation<'a, P> } else { // To extend the validity of the subkey, create a new // binding signature with updated key validity period. + // + // Note: same condition as + // KeyFlags::require_primary_key_binding, but on Self. let backsig = if self.for_certification() || self.for_signing() || self.for_authentication() { diff --git a/openpgp/src/cert/builder.rs b/openpgp/src/cert/builder.rs index 0d9f77b1..9fe3fdb9 100644 --- a/openpgp/src/cert/builder.rs +++ b/openpgp/src/cert/builder.rs @@ -1506,9 +1506,7 @@ impl CertBuilder<'_> { .set_key_flags(flags.clone())? .set_key_validity_period(blueprint.validity.or(self.primary.validity))?; - if flags.for_certification() || flags.for_signing() - || flags.for_authentication() - { + if flags.require_primary_key_binding() { // We need to create a primary key binding signature. let mut subkey_signer = subkey.clone().into_keypair().unwrap(); let backsig = diff --git a/openpgp/src/cert/builder/key.rs b/openpgp/src/cert/builder/key.rs index 4d211750..76246642 100644 --- a/openpgp/src/cert/builder/key.rs +++ b/openpgp/src/cert/builder/key.rs @@ -826,9 +826,7 @@ impl<'a> SubkeyBuilder<'a> { } if let Some(flags) = builder.key_flags() { - if flags.for_certification() || flags.for_signing() - || flags.for_authentication() - { + if flags.require_primary_key_binding() { // We need to create a primary key binding signature. let mut subkey_signer = if let Some(signer) = subkey_signer { signer diff --git a/openpgp/src/types/key_flags.rs b/openpgp/src/types/key_flags.rs index d6ed335a..fe79f824 100644 --- a/openpgp/src/types/key_flags.rs +++ b/openpgp/src/types/key_flags.rs @@ -453,6 +453,23 @@ impl KeyFlags { pub fn is_empty(&self) -> bool { self.as_bitfield().as_bytes().iter().all(|b| *b == 0) } + + /// Returns whether subkey binding signatures must contain an + /// embedded primary key binding signature ("backsig"). + /// + /// See [Section 11.1 of RFC4880]: + /// + /// > For subkeys that can issue signatures, the subkey binding + /// > signature MUST contain an Embedded Signature subpacket + /// > with a primary key binding signature (0x19) issued by the + /// > subkey on the top-level key. + /// + /// [Section 11.1 of RFC4880]: https://datatracker.ietf.org/doc/html/rfc4880#section-11.1 + pub fn require_primary_key_binding(&self) -> bool { + self.for_signing() + || self.for_certification() + || self.for_authentication() + } } /// This key may be used to certify other keys. |