From a7bae10fe8d62bfa4cc5f50fa98be99bece226f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Obernd=C3=B6rfer?=
Date: Wed, 28 Nov 2018 16:46:17 +0100
Subject: [PATCH] Revise check on key revocation sub packet: throwing the exception should only be done on single keys and not discard the whole armored block with possibly multiple keys. Evaluate only self-signatures.

---
 src/key.js | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/key.js b/src/key.js
index 394af502..b43450df 100644
--- a/src/key.js
+++ b/src/key.js
@@ -105,6 +105,7 @@ Key.prototype.packetlist2structure = function(packetlist) {
             continue;
           }
           if (packetlist[i].issuerKeyId.equals(primaryKeyId)) {
+            checkRevocationKey(packetlist[i], primaryKeyId);
             user.selfCertifications.push(packetlist[i]);
           } else {
             user.otherCertifications.push(packetlist[i]);
@@ -118,6 +119,7 @@ Key.prototype.packetlist2structure = function(packetlist) {
           }
           break;
         case enums.signature.key:
+          checkRevocationKey(packetlist[i], primaryKeyId);
           this.directSignatures.push(packetlist[i]);
           break;
         case enums.signature.subkey_binding:
@@ -125,6 +127,7 @@ Key.prototype.packetlist2structure = function(packetlist) {
             util.print_debug('Dropping subkey binding signature without preceding subkey packet');
             continue;
           }
+          checkRevocationKey(packetlist[i], primaryKeyId);
           subKey.bindingSignatures.push(packetlist[i]);
           break;
         case enums.signature.key_revocation:
@@ -1237,11 +1240,6 @@ export async function read(data) {
   try {
     const packetlist = new packet.List();
     await packetlist.read(data);
-    if (packetlist.filterByTag(enums.packet.signature).some(
-      signature => signature.revocationKeyClass !== null
-    )) {
-      throw new Error('This key is intended to be revoked with an authorized key, which OpenPGP.js does not support.');
-    }
     const keyIndex = packetlist.indexOfTag(enums.packet.publicKey, enums.packet.secretKey);
     if (keyIndex.length === 0) {
       throw new Error('No key packet found');
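Review bot: The new `checkRevocationKey(packetlist[i], primaryKeyId)` call in the self-certification branch sits inside the `if (packetlist[i].issuerKeyId.equals(primaryKeyId))` guard, so the issuer comparison the helper performs is repeated at this call site; that is harmless, but it obscures the more important property that the check runs while the packet list is still being structured, before any signature has been verified, so the issuer key ID it relies on is whatever the packet claims. The same applies to the calls added in the two following hunks (direct key signatures and subkey binding signatures). A comment at the first call would make this explicit, e.g. `// Runs before signature verification: the issuer key ID is taken from the packet as-is.` packetlist2structure begins and ends outside the hunk.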
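Review bot: Removing the list-wide check here only relocates the throw into the Key constructor; whether a single key carrying the subpacket is now reported per key rather than aborting the whole read depends on how the per-key `new Key(...)` calls further down in read() handle exceptions, which is outside this hunk. The commit message states per-key isolation as the goal, so a test that reads an armored block holding two keys, one with the revocation key subpacket, and asserts that the other key still parses (with the error surfaced for the first) would pin that behaviour. read() continues past the end of the hunk.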
@@ -1632,6 +1630,19 @@ function getExpirationTime(keyPacket, signature) {
   return expirationTime ? new Date(expirationTime) : Infinity;
 }
 
+/**
+ * Check if signature has revocation key sub packet (not supported by OpenPGP.js)
+ * and throw error if found
+ * @param {module:packet.Signature} signature The certificate or signature to check
+ * @param {type/keyid} keyId Check only certificates or signatures from a certain issuer key ID
+ */
+function checkRevocationKey(signature, keyId) {
+  if (signature.revocationKeyClass !== null &&
+      signature.issuerKeyId.equals(keyId)) {
+    throw new Error('This key is intended to be revoked with an authorized key, which OpenPGP.js does not support.');
+  }
+}
+
 /**
  * Returns the preferred signature hash algorithm of a key
  * @param {module:key.Key} key (optional) the key to get preferences from
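Review bot: The JSDoc on `checkRevocationKey` documents both parameters but not that the function throws, and the condition calls `signature.issuerKeyId.equals(keyId)` unguarded, so if a packet.Signature can reach this point without an initialised `issuerKeyId` (not visible from this hunk) the caller would get a TypeError rather than the intended error. Add `* @throws {Error} When the signature is issued by keyId and carries a revocation key subpacket` to the comment block, and note in it that the check is applied before the signature is verified so the issuer is the packet's own claim. If `issuerKeyId` is not guaranteed to be set, the second operand could become `signature.issuerKeyId && signature.issuerKeyId.equals(keyId)`.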