Diffstat (limited to 'src/mailman_pgp/utils/pgp.py')
| -rw-r--r-- | src/mailman_pgp/utils/pgp.py | 32 |
1 files changed, 25 insertions, 7 deletions
diff --git a/src/mailman_pgp/utils/pgp.py b/src/mailman_pgp/utils/pgp.py
index 416e643..a8f06f2 100644
--- a/src/mailman_pgp/utils/pgp.py
+++ b/src/mailman_pgp/utils/pgp.py
@@ -81,6 +81,7 @@ def key_from_file(file):
 @public
 def revoc_from_blob(blob):
     """
+    Load a key revocation signature from an ASCII-Armored blob.
 
     :param blob:
     :return:
@@ -103,27 +104,44 @@ def revoc_from_blob(blob):
 @public
 def key_usable(key, flags_required):
     """
+    Check that the `key` has the `flags_required` set of KeyFlags.
 
-    :param key:
+    Checks only non-expired, non-revoked key/subkeys. Validates revocations it
+    can, so not those made with some other designated revocation key.
+
+    :param key: The key to check.
     :type key: pgpy.PGPKey
-    :param flags_required:
+    :param flags_required: The set of flags required.
     :type flags_required: set
-    :return:
+    :return: Whether the key has the flags_required.
     :rtype: bool
     """
     if key.is_expired:
         return False
-    primary_revocs = (sig for sig in key.self_signatures if
-                      sig.sigtype is SignatureType.KeyRevocation)
-    for revoc in primary_revocs:
+    for revoc in key.revocation_signatures:
         try:
             verified = key.verify(key, revoc)
         except PGPError:
             continue
         if bool(verified):
             return False
+
     usage_flags = key.usage_flags()
     for subkey in key.subkeys.values():
-        usage_flags |= subkey.usage_flags()
+        if subkey.is_expired:
+            continue
+
+        valid = True
+        for revoc in subkey.revocation_signatures:
+            try:
+                verified = key.verify(subkey, revoc)
+            except PGPError:
+                continue
+            if bool(verified):
+                valid = False
+                break
+
+        if valid:
+            usage_flags |= subkey.usage_flags()
 
     return flags_required.issubset(usage_flags)
|
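Review bot: The new subkey loop fails open on `except PGPError: continue` — a revocation signature that cannot be verified (unsupported algorithm, a damaged packet, or one issued by a designated revoker, which the docstring itself says is not validated) is silently ignored and the subkey's flags are still merged into `usage_flags`, so a revoked subkey can make the key pass as usable; the retained primary-key loop above it has the same shape. For a check whose result decides whether a key may be used, a present-but-unverifiable revocation should be treated as invalidating the subkey unless there is a documented reason to be lenient: `except PGPError:` / `    valid = False` / `    break`, and correspondingly `return False` in the primary loop. The docstring should then state this fail-closed policy explicitly, e.g. "A revocation signature that cannot be verified is treated as revoking the (sub)key." Note also that `subkey.usage_flags()` is read from the binding signature without it being verified here, so I would add a `NOTE` that this function trusts the key's self-signatures as loaded — confirm whether pgpy validates those on parse.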
