From 7413b5c062fd8eb480797804dda1fe0e63e31580 Mon Sep 17 00:00:00 2001
From: Heiko Schaefer
Date: Mon, 22 Nov 2021 15:35:51 +0100
Subject: [PATCH] Don't check cert revocation status when decrypting.
---
 openpgp-card-sequoia/src/decryptor.rs | 2 +-
 openpgp-card-sequoia/src/signer.rs | 2 +-
 openpgp-card-sequoia/src/sq_util.rs | 17 ++++++++++++-----
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/openpgp-card-sequoia/src/decryptor.rs b/openpgp-card-sequoia/src/decryptor.rs
index 41c5c1c..ab58c12 100644
--- a/openpgp-card-sequoia/src/decryptor.rs
+++ b/openpgp-card-sequoia/src/decryptor.rs
@@ -49,7 +49,7 @@ impl<'a> CardDecryptor<'a> {
 let fp = openpgp::Fingerprint::from_bytes(fp.as_bytes());
 if let Some(vk) =
- sq_util::get_subkey_by_fingerprint(cert, policy, &fp)?
+ sq_util::get_subkey_by_fingerprint(cert, policy, &fp, false)?
 {
 if vk.for_storage_encryption() || vk.for_transport_encryption() {
diff --git a/openpgp-card-sequoia/src/signer.rs b/openpgp-card-sequoia/src/signer.rs
index bdaf558..4c707e1 100644
--- a/openpgp-card-sequoia/src/signer.rs
+++ b/openpgp-card-sequoia/src/signer.rs
@@ -45,7 +45,7 @@ impl<'a> CardSigner<'a> {
 let fp = openpgp::Fingerprint::from_bytes(fp.as_bytes());
 if let Some(vk) =
- sq_util::get_subkey_by_fingerprint(cert, policy, &fp)?
+ sq_util::get_subkey_by_fingerprint(cert, policy, &fp, true)?
 {
 if vk.for_signing() {
 let key = vk.key().clone();
diff --git a/openpgp-card-sequoia/src/sq_util.rs b/openpgp-card-sequoia/src/sq_util.rs
index fd6bc44..96c49a4 100644
--- a/openpgp-card-sequoia/src/sq_util.rs
+++ b/openpgp-card-sequoia/src/sq_util.rs
@@ -98,7 +98,11 @@ pub fn get_subkey_by_fingerprint<'a>(
 cert: &'a Cert,
 policy: &'a dyn Policy,
 fp: &Fingerprint,
+ check_revocation: bool,
 ) -> Result>, Error> {
+ // FIXME: if `test_revocation`, then first check if the primary key is
+ // revoked?
+
 // Find the (sub)key in `cert` that matches the fingerprint from
 // the Card's signing-key slot.
 let keys: Vec<_> =
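Review bot: The bare `false` passed to `sq_util::get_subkey_by_fingerprint` in the decryptor.rs hunk does not show at the call site that revocation checking is being switched off, and the `true` in the signer.rs hunk is equally opaque. A one-line comment above each call would keep the security decision visible to the next reader, for example `// check_revocation = false: a revoked key may still be used to decrypt` in decryptor.rs and `// check_revocation = true: never sign with a revoked key` in signer.rs. Both enclosing functions start and end outside the hunks shown.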
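Review bot: The FIXME added at the top of `get_subkey_by_fingerprint` in sq_util.rs refers to `test_revocation`, but the parameter introduced just above it is `check_revocation`; the comment should use the real name. The new parameter is also undocumented. A doc comment on the function should say that `check_revocation` gates only the revocation status of the matched (sub)key and that, as the FIXME itself notes, revocation of the primary key is not checked yet, so callers that sign do not assume more than they get. The context comment mentioning "the Card's signing-key slot" looks stale now that the decryptor calls this function too. The function body continues outside this hunk.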
@@ -111,11 +115,14 @@ pub fn get_subkey_by_fingerprint<'a>(
 let validkey = keys[0].clone().with_policy(policy, None)?;
 validkey.alive()?;
- if let RevocationStatus::Revoked(_) = validkey.revocation_status() {
- return Err(Error::InternalError(anyhow!(
- "(Sub)key {} in the cert is revoked",
- fp
- )));
+ if check_revocation {
+ if let RevocationStatus::Revoked(_) = validkey.revocation_status()
+ {
+ return Err(Error::InternalError(anyhow!(
+ "(Sub)key {} in the cert is revoked",
+ fp
+ )));
+ }
 }
 Ok(Some(validkey))
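Review bot: With `check_revocation` set to false the function still runs `validkey.alive()?` unconditionally, so an expired (sub)key is rejected for decryption while a revoked one is now accepted. If the aim of the change is to keep existing ciphertexts decryptable, that looks inconsistent; either gate the liveness check the same way or add a comment explaining why expiry stays enforced on the decryption path. Separately, the nested `if` can be written as one condition, `if check_revocation && matches!(validkey.revocation_status(), RevocationStatus::Revoked(_)) {`, which removes a level of indentation around the error return. The function starts outside this hunk.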