new keys are cross-certified

2014-01-13 14:36:30 +00:00 · 2014-01-13 14:36:30 +00:00 · 71fd7574ec
parent 92aa5b36bb
commit 71fd7574ec
2 changed files with 13 additions and 6 deletions
--- a/OpenPGP-Keychain/res/raw/help_start.html
+++ b/OpenPGP-Keychain/res/raw/help_start.html
@ -17,7 +17,6 @@ And don't add newlines before or after p tags because of transifex -->
 <ul>
 <li>K9 Mail integration not published</li>
 <li>Importing existing keys will be stripped of certificates right now</li>
-<li>Key cross-certification is NOT supported, so signing with those keys will get a warning when the signature is checked.</li>
 <li>PGP/MIME in K9 Mail is missing</li>
 </ul>
 <p>If you want to contribute, fork it and do a pull request on Github: <a href="https://github.com/dschuermann/openpgp-keychain">https://github.com/dschuermann/openpgp-keychain</a></p>
@ -25,4 +24,4 @@ And don't add newlines before or after p tags because of transifex -->
 <h2>I found a bug in OpenPGP Keychain!</h2>
 <p>Please report it in the <a href="https://github.com/dschuermann/openpgp-keychain/issues">issue tracker of OpenPGP Keychain</a>.</p>
 </body>
-</html>
+</html>
--- a/OpenPGP-Keychain/src/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java
+++ b/OpenPGP-Keychain/src/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java
@ -289,6 +289,8 @@ public class PgpKeyOperation {

        updateProgress(R.string.progress_certifying_master_key, 20, 100);

+        //TODO: if we are editing a key, keep old certs, don't remake certs we don't have to.
+
        for (String userId : userIds) {
            PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder(
                    masterPublicKey.getAlgorithm(), HashAlgorithmTags.SHA1)
@ -302,8 +304,6 @@ public class PgpKeyOperation {
            masterPublicKey = PGPPublicKey.addCertification(masterPublicKey, userId, certification);
        }

-        // TODO: cross-certify the master key with every sub key (APG 1)
-
        PGPKeyPair masterKeyPair = new PGPKeyPair(masterPublicKey, masterPrivateKey);

        PGPSignatureSubpacketGenerator hashedPacketsGen = new PGPSignatureSubpacketGenerator();
@ -374,13 +374,21 @@ public class PgpKeyOperation {
            usageId = keysUsages.get(i);
            canSign = (usageId == Id.choice.usage.sign_only || usageId == Id.choice.usage.sign_and_encrypt);
            canEncrypt = (usageId == Id.choice.usage.encrypt_only || usageId == Id.choice.usage.sign_and_encrypt);
-            if (canSign) {
+            if (canSign) { //TODO: ensure signing times are the same, like gpg
                keyFlags |= KeyFlags.SIGN_DATA;
+                //cross-certify signing keys
+                PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder(
+                    subKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1)
+                    .setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME);
+                PGPSignatureGenerator sGen = new PGPSignatureGenerator(signerBuilder);
+                sGen.init(PGPSignature.PRIMARYKEY_BINDING, subPrivateKey);
+                PGPSignature certification = sGen.generateCertification(masterPublicKey, subPublicKey);
+                unhashedPacketsGen.setEmbeddedSignature(false, certification);
            }
            if (canEncrypt) {
                keyFlags |= KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE;
            }
-            hashedPacketsGen.setKeyFlags(true, keyFlags);
+            hashedPacketsGen.setKeyFlags(false, keyFlags);

            // TODO: this doesn't work quite right yet (APG 1)
            // if (keyEditor.getExpiryDate() != null) {