
[openpgp] Clarification: calculation of key expiration time

Hi all,

There's an open issue[1] on Golang's openpgp library about calculating
key expiration time.

I believe it is currently calculated incorrectly and would appreciate a
second opinion.

The code[2] currently reads:

// KeyExpired returns whether sig is a self-signature of a key that has
// expired.
func (sig *Signature) KeyExpired(currentTime time.Time) bool {
	if sig.KeyLifetimeSecs == nil {
		return false
	}
	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
	return currentTime.After(expiry)
}

So they're using _signature creation time_ + key expiration time (seconds)

The spec[3] seems pretty clear that you should use _key creation time_ +
key expiration time (seconds):

>  Key Expiration Time
>    (4-octet time field)
>    The validity period of the key.  This is the number of seconds after
>    the key creation time that the key expires.  If this is not present
>    or has a value of zero, the key never expires.  This is found only on
>    a self-signature.

So it seems to me it's a bug, unless I'm missing something?

Kind regards,


[1]: https://github.com/golang/go/issues/22312
[3]: https://tools.ietf.org/html/rfc4880#section-
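
Added example, not part of the original message and not the library's own code: a self-contained Go comparison of the two calculations discussed above. The `selfSig` type, the function names and all dates are assumptions constructed for illustration; the scenario is a self-signature re-issued after key creation to extend the key's expiration.

```go
package main

import (
	"fmt"
	"time"
)

// selfSig is a hypothetical stand-in holding only the two self-signature
// fields named in the message above.
type selfSig struct {
	CreationTime    time.Time
	KeyLifetimeSecs *uint32
}

// expiredFromSig mirrors the quoted code: the lifetime is counted from the
// signature creation time.
func expiredFromSig(sig selfSig, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil {
		return false
	}
	return now.After(sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second))
}

// expiredFromKey follows the quoted RFC 4880 text: the lifetime is counted
// from the key creation time, and an absent or zero value means no expiry.
func expiredFromKey(keyCreated time.Time, sig selfSig, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil || *sig.KeyLifetimeSecs == 0 {
		return false
	}
	return now.After(keyCreated.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second))
}

// sample returns constructed data: a key created 2015-01-01 whose owner, on
// 2016-12-01, issues a self-signature moving expiry to 2017-07-01. The check
// is made on 2018-01-01.
func sample() (keyCreated time.Time, sig selfSig, now time.Time) {
	keyCreated = time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)
	wantExpiry := time.Date(2017, 7, 1, 0, 0, 0, 0, time.UTC)
	life := uint32(wantExpiry.Sub(keyCreated) / time.Second) // relative to key creation
	sig = selfSig{CreationTime: time.Date(2016, 12, 1, 0, 0, 0, 0, time.UTC), KeyLifetimeSecs: &life}
	return keyCreated, sig, time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC)
}

func main() {
	keyCreated, sig, now := sample()
	fmt.Println("expired, counted from signature creation:", expiredFromSig(sig, now))
	fmt.Println("expired, counted from key creation:      ", expiredFromKey(keyCreated, sig, now))
}
```

With this constructed data, counting from the signature creation time pushes the computed expiry to 2019-06-01, so a key that should have expired on 2017-07-01 is still reported as valid.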
