fix(v2): Do not allow encrpytion with a forwarding key

lubux · lubux · commit 9aa010ac9036 · 2024-10-01T15:52:08.000+02:00
diff --git a/openpgp/v2/keys.go b/openpgp/v2/keys.go
@@ -163,12 +163,12 @@ func (e *Entity) DecryptionKeys(id uint64, date time.Time, config *packet.Config
 	for _, subkey := range e.Subkeys {
 		subkeySelfSig, err := subkey.LatestValidBindingSignature(date, config)
 		if err == nil &&
-			isValidEncryptionKey(subkeySelfSig, subkey.PublicKey.PubKeyAlgo) &&
+			isValidDecryptionKey(subkeySelfSig, subkey.PublicKey.PubKeyAlgo) &&
 			(id == 0 || subkey.PublicKey.KeyId == id) {
 			keys = append(keys, Key{subkey.Primary, primarySelfSignature, subkey.PublicKey, subkey.PrivateKey, subkeySelfSig})
 		}
 	}
-	if isValidEncryptionKey(primarySelfSignature, e.PrimaryKey.PubKeyAlgo) {
+	if isValidDecryptionKey(primarySelfSignature, e.PrimaryKey.PubKeyAlgo) {
 		keys = append(keys, Key{e, primarySelfSignature, e.PrimaryKey, e.PrivateKey, primarySelfSignature})
 	}
 	return
@@ -796,6 +796,12 @@ func isValidCertificationKey(signature *packet.Signature, algo packet.PublicKeyA
 }
 
 func isValidEncryptionKey(signature *packet.Signature, algo packet.PublicKeyAlgorithm) bool {
+	return algo.CanEncrypt() &&
+		signature.FlagsValid &&
+		(signature.FlagEncryptCommunications || signature.FlagEncryptStorage)
+}
+
+func isValidDecryptionKey(signature *packet.Signature, algo packet.PublicKeyAlgorithm) bool {
 	return algo.CanEncrypt() &&
 		signature.FlagsValid &&
 		(signature.FlagEncryptCommunications || signature.FlagForward || signature.FlagEncryptStorage)
