Diffstat (limited to 'src/mailman_pgp/utils/pgp.py')
-rw-r--r--src/mailman_pgp/utils/pgp.py70
1 files changed, 52 insertions, 18 deletions
diff --git a/src/mailman_pgp/utils/pgp.py b/src/mailman_pgp/utils/pgp.py
index a8f06f2..be97a75 100644
--- a/src/mailman_pgp/utils/pgp.py
+++ b/src/mailman_pgp/utils/pgp.py
@@ -102,31 +102,39 @@ def revoc_from_blob(blob):
@public
-def key_usable(key, flags_required):
- """
- Check that the `key` has the `flags_required` set of KeyFlags.
-
- Checks only non-expired, non-revoked key/subkeys. Validates revocations it
- can, so not those made with some other designated revocation key.
-
- :param key: The key to check.
- :type key: pgpy.PGPKey
- :param flags_required: The set of flags required.
- :type flags_required: set
- :return: Whether the key has the flags_required.
- :rtype: bool
- """
+def key_flags(key):
if key.is_expired:
- return False
+ return set()
for revoc in key.revocation_signatures:
try:
verified = key.verify(key, revoc)
except PGPError:
continue
if bool(verified):
- return False
+ return set()
+
+ usage_flags = set()
+ uids = (uid for uid in key.userids if uid.is_primary)
+ uids = list(uids)
+ if len(uids) == 0:
+ uids = key.userids
+
+ for uid in uids:
+ revoked = False
+ for sig in uid.signatures:
+ if sig.type is not SignatureType.CertRevocation:
+ continue
+ if sig.signer == key.fingerprint.keyid:
+ try:
+ verified = key.verify(uid, sig)
+ except PGPError:
+ continue
+ if bool(verified):
+ revoked = True
+ if not revoked:
+ usage_flags |= uid.selfsig.key_flags
+ break
- usage_flags = key.usage_flags()
for subkey in key.subkeys.values():
if subkey.is_expired:
continue
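Review bot: `key_flags` is a new `@public` function with no docstring — the text that used to explain the expiry/revocation rules now lives only on `key_usable`, so a caller of `key_flags` cannot see that an expired or validly self-revoked key yields an empty set, that only the first non-revoked primary user ID (all user IDs when none is marked primary, per the `break` after `usage_flags |= uid.selfsig.key_flags`) contributes flags, and that only certification revocations whose signer is the key itself are validated. Suggest a docstring stating those three rules, with `:param key:`, `:type key: pgpy.PGPKey`, `:return: The set of KeyFlags usable on the non-expired, non-revoked key and subkeys.` and `:rtype: set`. Minor style: the generator, `list()` and `len(uids) == 0` trio reads more simply as `uids = [uid for uid in key.userids if uid.is_primary] or key.userids`. `uid.selfsig` is presumably never `None` for the user IDs reached here — if pgpy can return `None` there, `.key_flags` would raise `AttributeError`; worth confirming. The subkey loop of `key_flags` continues past the end of the hunk.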
@@ -143,5 +151,31 @@ def key_usable(key, flags_required):
if valid:
usage_flags |= subkey.usage_flags()
+ return usage_flags
+
+
+@public
+def key_usable(key, flags_required):
+ """
+ Check that the `key` has the `flags_required` set of KeyFlags.
+
+ Checks only non-expired, non-revoked key/subkeys. Validates revocations it
+ can, so not those made with some other designated revocation key.
- return flags_required.issubset(usage_flags)
+ :param key: The key to check.
+ :type key: pgpy.PGPKey
+ :param flags_required: The set of flags required.
+ :type flags_required: set
+ :return: Whether the key has the flags_required.
+ :rtype: bool
+ """
+ if key.is_expired:
+ return False
+ for revoc in key.revocation_signatures:
+ try:
+ verified = key.verify(key, revoc)
+ except PGPError:
+ continue
+ if bool(verified):
+ return False
+ return flags_required.issubset(key_flags(key))
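Review bot: The expiry check and revocation-signature loop at the top of `key_usable` duplicate the ones at the top of `key_flags`, and nothing says why, so the next reader will be tempted to delete them — but they are what keeps `key_usable(key, set())` returning `False` for an expired or revoked key, since `set().issubset(set())` is `True`. Suggest a comment above `if key.is_expired:` such as `# Re-checked here on purpose: key_flags() returns an empty set for an expired/revoked key, which would still satisfy an empty flags_required.` If the empty-`flags_required` case is not meant to be supported, the guard could instead go and the function reduce to the final `return flags_required.issubset(key_flags(key))` line. The blank line that separated the docstring summary from the `:param` block appears to have been dropped between `can, so not those made with some other designated revocation key.` and `:param key:`, though that may be a rendering artefact of this page.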