
[openpgp] Clarification: calculation of key expiration time



Hi all,

There's an open issue[1] on Golang's openpgp library about calculating
key expiration time.

I believe it is currently calculated incorrectly and would appreciate a
second opinion.

The code[2] currently reads:

```go
// KeyExpired returns whether sig is a self-signature of a key that has
// expired.
func (sig *Signature) KeyExpired(currentTime time.Time) bool {
	if sig.KeyLifetimeSecs == nil {
		return false
	}
	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
	return currentTime.After(expiry)
}
```

So they're using _signature creation time_ + key expiration time (seconds).

The spec[3] seems pretty clear that you should use _key creation time_ +
key expiration time (seconds):

> 5.2.3.6.  Key Expiration Time
> 
>    (4-octet time field)
> 
>    The validity period of the key.  This is the number of seconds after
>    the key creation time that the key expires.  If this is not present
>    or has a value of zero, the key never expires.  This is found only on
>    a self-signature.

So it seems to me it's a bug, unless I'm missing something?

Kind regards,

Paul



[1]: https://github.com/golang/go/issues/22312
[2]: https://github.com/golang/crypto/blob/7e6ffbd038512da5ae7ce06c196764f393990be1/openpgp/packet/signature.go#L459
[3]: https://tools.ietf.org/html/rfc4880#section-5.2.3.6
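The following is an added illustration, not code from the post or from golang.org/x/crypto. It computes expiry from the key creation time as RFC 4880 5.2.3.6 says (treating an absent or zero subpacket as "never expires", also per the quoted text) next to a function that mirrors the signature-time anchoring of the quoted `KeyExpired`, on constructed timestamps where a self-signature was re-issued months after the key was created; all names and dates here are hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

// keyExpiry returns the instant at which the key expires, derived from the
// key's own creation time plus the Key Expiration Time subpacket (seconds).
// ok is false when the key never expires (subpacket absent or zero).
func keyExpiry(keyCreation time.Time, lifetimeSecs *uint32) (expiry time.Time, ok bool) {
	if lifetimeSecs == nil || *lifetimeSecs == 0 {
		return time.Time{}, false
	}
	return keyCreation.Add(time.Duration(*lifetimeSecs) * time.Second), true
}

// KeyExpiredPerRFC reports whether the key has expired at now, per RFC 4880.
func KeyExpiredPerRFC(keyCreation time.Time, lifetimeSecs *uint32, now time.Time) bool {
	expiry, ok := keyExpiry(keyCreation, lifetimeSecs)
	return ok && now.After(expiry)
}

// keyExpiredBySigTime mirrors the quoted library code: it anchors the
// lifetime on the self-signature's creation time instead of the key's.
func keyExpiredBySigTime(sigCreation time.Time, lifetimeSecs *uint32, now time.Time) bool {
	if lifetimeSecs == nil {
		return false
	}
	return now.After(sigCreation.Add(time.Duration(*lifetimeSecs) * time.Second))
}

func main() {
	// Constructed scenario: key created 2017-01-01, self-signature re-issued
	// on 2017-06-01 (e.g. after a preference change), one-year lifetime.
	keyCreated := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
	sigCreated := time.Date(2017, 6, 1, 0, 0, 0, 0, time.UTC)
	oneYear := uint32(365 * 24 * 3600)
	now := time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)

	// RFC anchoring: expired on 2018-01-01, so true at 2018-03-01.
	fmt.Println("per RFC:     ", KeyExpiredPerRFC(keyCreated, &oneYear, now))
	// Signature anchoring: not until 2018-06-01, so the key is wrongly accepted.
	fmt.Println("per sig time:", keyExpiredBySigTime(sigCreated, &oneYear, now))
}
```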

