From 87b02b2bae6cc8ee838c8f46208a56339ebf3316 Mon Sep 17 00:00:00 2001 From: "Neal H. Walfield" Date: Wed, 15 Jul 2020 11:42:53 +0200 Subject: openpgp: Set the preferred algorithm subpackets correctly. - `CertBuilder` places the `Preferred Hash Algorithm` and `Preferred Symmetric Algorithm` subpackets only on subkeys. But, GnuPG only recognizes them on User ID binding signatures, and direct key signatures. - This means that when GnuPG encrypts a message to a certificate generated by Sequoia, it falls back to 3DES (4880's only MUST algorithm). - Change `CertBuilder` to match GnuPG's expectations: when creating a certificate, add the `Preferred Hash Algorithm` and `Preferred Symmetric Algorithm` subpackets to the User ID binding signatures, User Attribute binding signatures, and direct key signature, and don't bother adding them to the subkey binding signatures. - See #522. --- openpgp/src/cert/builder.rs | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) (limited to 'openpgp/src/cert/builder.rs') diff --git a/openpgp/src/cert/builder.rs b/openpgp/src/cert/builder.rs index fd82bf21..a17efb02 100644 --- a/openpgp/src/cert/builder.rs +++ b/openpgp/src/cert/builder.rs @@ -975,7 +975,7 @@ impl CertBuilder { vec![Packet::from(ua), signature.into()])?; } - // sign subkeys + // Sign subkeys. for blueprint in self.subkeys { let flags = &blueprint.flags; let mut subkey = blueprint.ciphersuite @@ -994,18 +994,7 @@ impl CertBuilder { &subkey, blueprint.expiration.or(self.primary.expiration))?; - if flags.for_transport_encryption() || flags.for_storage_encryption() - { - builder = builder.set_preferred_symmetric_algorithms(vec![ - SymmetricAlgorithm::AES256, - ])?; - } - if flags.for_certification() || flags.for_signing() { - builder = builder.set_preferred_hash_algorithms(vec![ - HashAlgorithm::SHA512, - ])?; - // We need to create a primary key binding signature. let mut subkey_signer = subkey.clone().into_keypair().unwrap(); let backsig = 
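Review bot: The subkey loop now sets no algorithm preferences at all, and nothing at the site says this is deliberate, so a later reader may take it for an omission and put them back. A short comment just before `if flags.for_certification() || flags.for_signing() {` would record the reason given in the commit message, for example `// No preferred-algorithm subpackets here: GnuPG only honours them on User ID binding and direct key signatures.` The loop body begins and ends outside this hunk.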
@@ -1054,7 +1043,12 @@ impl CertBuilder { .set_key_flags(&self.primary.flags)? .set_signature_creation_time(creation_time)? .set_key_expiration_time(&key, self.primary.expiration)? - .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512])?; + .set_preferred_hash_algorithms(vec![ + HashAlgorithm::SHA512 + ])? + .set_preferred_symmetric_algorithms(vec![ + SymmetricAlgorithm::AES256, + ])?; if let Some(ref revocation_keys) = self.revocation_keys { sig = sig.set_revocation_key(revocation_keys.clone())?; -- cgit v1.2.3
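Review bot: Both preference lists in this builder chain hold a single entry, so a sender that does not implement AES256 has nothing else to pick and would presumably land on the implicit 3DES fallback that this commit sets out to avoid. Listing a second choice keeps the negotiation away from 3DES, e.g. `.set_preferred_symmetric_algorithms(vec![SymmetricAlgorithm::AES256, SymmetricAlgorithm::AES128])?`, and likewise a second hash after `HashAlgorithm::SHA512`. The diffstat shows only `builder.rs` changed, so no test pins the new behaviour. A test that builds a certificate with a User ID and asserts that its binding signature carries both preference subpackets would catch a regression, since only this one chain is touched in the visible hunks. The enclosing function starts and ends outside the hunk.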