Fix binding signature generation using shorter hash than expected for some ECDSA subkeys

The required hash size was determined based on the subkey algo rather than the primary key.
As a result, if the subkey being certified required a shorter hash size than the ECDSA primary key,
the issued signature would include a shorter digest than expected.

This issue is not expected to have practical security impact, and
it only affected keys with ECDSA subkeys with smaller key sizes than their ECDSA primary key
(e.g. NIST p521 primary key and NIST p256 subkey).
This commit is contained in:
larabr 2023-09-29 12:58:51 +02:00
parent 01b02d6092
commit 1fd9d2f0c5

@ -89,7 +89,7 @@ export async function createBindingSignature(subkey, primaryKey, options, config
const subkeySignaturePacket = new SignaturePacket(); const subkeySignaturePacket = new SignaturePacket();
subkeySignaturePacket.signatureType = enums.signature.subkeyBinding; subkeySignaturePacket.signatureType = enums.signature.subkeyBinding;
subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm; subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm;
subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo(null, subkey, undefined, undefined, config); subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo(null, primaryKey, undefined, undefined, config);
if (options.sign) { if (options.sign) {
subkeySignaturePacket.keyFlags = [enums.keyFlags.signData]; subkeySignaturePacket.keyFlags = [enums.keyFlags.signData];
subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, { subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
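Review bot: The changed `getPreferredHashAlgo(null, primaryKey, undefined, undefined, config)` call carries no comment explaining why the primary key is passed, and the visible hunk adds no test for it. The line above sets `publicKeyAlgorithm = primaryKey.algorithm`, so a one-line comment stating that the hash is selected for the key that issues the binding signature would keep the argument from being switched back to `subkey` by mistake. A regression test built on the case named in the commit message (NIST p521 primary key with a NIST p256 subkey), asserting on the binding signature's `hashAlgorithm`, would pin the behaviour down. In the `options.sign` branch the embedded signature is created with `subkey` as the signing key, so it is worth confirming that its hash selection is keyed to the subkey and is not affected by this change.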