From 1fd9d2f0c5571a82a03713a84d5a73f4f7f812a6 Mon Sep 17 00:00:00 2001
From: larabr <7375870+larabr@users.noreply.github.com>
Date: Fri, 29 Sep 2023 12:58:51 +0200
Subject: [PATCH] Fix binding signature generation using shorter hash than expected for some ECDSA subkeys
The required hash size was determined based on the subkey algo rather than the primary key. As a result, if the subkey being certified required a shorter hash size than the ECDSA primary key, the issued signature would include a shorter digest than expected. This issue is not expected to have practical security impact, and it only affected keys with ECDSA subkeys with smaller key sizes than their ECDSA primary key (e.g. NIST p521 primary key and NIST p256 subkey).
---
 src/key/helper.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/key/helper.js b/src/key/helper.js
index 35a01e10..00ae8554 100644
--- a/src/key/helper.js
+++ b/src/key/helper.js
@@ -89,7 +89,7 @@ export async function createBindingSignature(subkey, primaryKey, options, config
 const subkeySignaturePacket = new SignaturePacket();
 subkeySignaturePacket.signatureType = enums.signature.subkeyBinding;
 subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm;
- subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo(null, subkey, undefined, undefined, config);
+ subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo(null, primaryKey, undefined, undefined, config);
 if (options.sign) {
 subkeySignaturePacket.keyFlags = [enums.keyFlags.signData];
 subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
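Review bot: The changed `subkeySignaturePacket.hashAlgorithm = …` line lands without a regression test (the diffstat lists only src/key/helper.js), so nothing prevents the key-packet argument from drifting back to `subkey` in a later refactor. A test that generates a key with a larger ECDSA primary key and a smaller ECDSA subkey (the commit message's p521/p256 example) and asserts that the binding signature's hash algorithm satisfies the primary key's requirement would pin the fix. A short comment above the line would also make the intent explicit, e.g. `// hash strength must match the key issuing the signature (the primary key), not the subkey being certified`. The embedded signature created just below still passes `subkey` to `createSignaturePacket`, which looks right if the subkey is the issuer there, but `createBindingSignature` continues outside the hunk, so that cannot be confirmed from these lines.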