From cb17c479d6f0787b0b0bcd790904ad3d790d785a Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Mon, 26 Aug 2024 15:30:41 +0200
Subject: [PATCH] Enforce signature/key version matching when verifying

---
 .../java/org/bouncycastle/openpgp/PGPSignature.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java b/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java
index ad0fea7102..68382167ad 100644
--- a/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java
+++ b/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java
@@ -16,6 +16,7 @@ import org.bouncycastle.bcpg.MPInteger;
 import org.bouncycastle.bcpg.Packet;
 import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
+import org.bouncycastle.bcpg.PublicKeyPacket;
 import org.bouncycastle.bcpg.SignaturePacket;
 import org.bouncycastle.bcpg.SignatureSubpacket;
 import org.bouncycastle.bcpg.TrustPacket;
@@ -156,6 +157,17 @@ public void init(PGPContentVerifierBuilderProvider verifierBuilderProvider, PGPP
         {
             throw new PGPException("Illegal signature type 0xFF provided.");
         }
+
+        if (getVersion() == SignaturePacket.VERSION_6 && pubKey.getVersion() != PublicKeyPacket.VERSION_6)
+        {
+            throw new PGPException("MUST NOT verify v6 signature with non-v6 key.");
+        }
+
+        if (getVersion() == SignaturePacket.VERSION_4 && pubKey.getVersion() != PublicKeyPacket.VERSION_4)
+        {
+            throw new PGPException("MUST NOT verify v4 signature with non-v4 key.");
+        }
+
         PGPContentVerifierBuilder verifierBuilder = createVerifierProvider(verifierBuilderProvider);
         init(verifierBuilder.build(pubKey));