Description
Hey!
I already created a patch for this, but I figured it would be better to also create a bug report, so that the issue doesn't slip through until after the next release.
BC's High Level OpenPGP API currently malfunctions if certificates contain third-party signatures newer than the respective self-signatures.
When determining properties, algorithm preferences and/or valid userids/subkeys, the API consults the latest component signature on the respective certificate component.
Due to missed filtering calls, however, third-party signatures are not being filtered out properly, so the API tries to gather information from third-party signatures, which fails, since the third-party (issuer) certificate is not available. This failure cripples the functionality: keys cannot be used to encrypt, signatures on documents fail to verify since the key appears not to be bound properly, etc.
Although kind of embarrassing, this does not present a security issue imho. Still, I strongly believe the patch should be included in the next release.
I already created #2217 which addresses these issues.
Let me know if you need more information.
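The selection problem described in this report, as an added illustration that is not part of the original issue and is not Bouncy Castle code: picking the newest signature on a component without first filtering by issuer selects a third-party certification, while filtering first returns the self-signature. The `Sig` record, the method names and the key IDs are hypothetical and constructed for this sketch.

```java
import java.util.*;

public class LatestSelfSigDemo {
    // Hypothetical model of a component signature; not a Bouncy Castle type.
    record Sig(long issuerKeyId, long creationTime, String prefs) {}

    // Behaviour described in the report: newest signature wins, whoever issued it.
    static Optional<Sig> latestAny(List<Sig> sigs) {
        return sigs.stream().max(Comparator.comparingLong(Sig::creationTime));
    }

    // Filtered selection: only signatures issued by the certificate's own primary key.
    // A real implementation must also verify the signature cryptographically;
    // matching the issuer key ID is only the pre-filter.
    static Optional<Sig> latestSelfSig(List<Sig> sigs, long primaryKeyId) {
        return sigs.stream()
                .filter(s -> s.issuerKeyId() == primaryKeyId)
                .max(Comparator.comparingLong(Sig::creationTime));
    }

    // Stand-in for reading properties from the chosen signature: it fails when the
    // issuer certificate is not at hand, as happens for third-party signatures.
    static String readPrefs(Optional<Sig> sig, Set<Long> availableIssuers) {
        Sig s = sig.orElseThrow(() -> new IllegalStateException("no binding signature"));
        if (!availableIssuers.contains(s.issuerKeyId())) {
            throw new IllegalStateException(
                    "issuer certificate not available: " + Long.toHexString(s.issuerKeyId()));
        }
        return s.prefs();
    }

    public static void main(String[] args) {
        long primary = 0xAAAAL, thirdParty = 0xBBBBL;   // constructed key IDs
        List<Sig> userIdSigs = List.of(                 // constructed sample signatures
                new Sig(primary, 1000, "AES256,SHA512"), // self-signature carrying preferences
                new Sig(thirdParty, 2000, null));        // newer third-party certification
        Set<Long> available = Set.of(primary);           // only our own certificate is known

        try {
            readPrefs(latestAny(userIdSigs), available);
        } catch (IllegalStateException e) {
            System.out.println("unfiltered: " + e.getMessage());
        }
        System.out.println("filtered:   "
                + readPrefs(latestSelfSig(userIdSigs, primary), available));
    }
}
```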