
Re: [openpgp] Clarification: calculation of key expiration time



On Thu 2019-02-07 09:34:13 +0000, Paul Fawkesley wrote:

> There's an open issue[1] on Golang's openpgp library about calculating
> key expiration time.
>
> I believe it is currently calculated incorrectly and would appreciate a
> second opinion.
>
> The code[2] currently reads:
>
> ```
> // KeyExpired returns whether sig is a self-signature of a key that has
> // expired.
> func (sig *Signature) KeyExpired(currentTime time.Time) bool {
> 	if sig.KeyLifetimeSecs == nil {
> 		return false
> 	}
> 	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
> 	return currentTime.After(expiry)
> }
> ```
>
> So they're using _signature creation time_ + key expiration time (seconds)
>
> The spec[3] seems pretty clear that you should use _key creation time_ +
> key expiration time (seconds):
>
>> 5.2.3.6.  Key Expiration Time
>> 
>>    (4-octet time field)
>> 
>>    The validity period of the key.  This is the number of seconds after
>>    the key creation time that the key expires.  If this is not present
>>    or has a value of zero, the key never expires.  This is found only on
>>    a self-signature.
>
> So it seems to me it's a bug, unless I'm missing something?

I agree with you that this is a bug in Golang's openpgp library.  I've
followed up on https://github.com/golang/go/issues/22312 accordingly.

         --dkg
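
The difference discussed in this thread, as an added example that is not part of the original messages and not the library's code: the calculation quoted above next to one that follows the quoted section 5.2.3.6. The `selfSig` type, the function names and the dates are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// selfSig is a hypothetical stand-in for the self-signature fields that
// matter here; it is not the library's Signature type.
type selfSig struct {
	CreationTime    time.Time // signature creation time
	KeyLifetimeSecs *uint32   // Key Expiration Time subpacket, nil if absent
}

// expiredFromSigCreation reproduces the calculation quoted in the thread:
// the lifetime is counted from the signature creation time.
func expiredFromSigCreation(sig selfSig, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil {
		return false
	}
	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
	return now.After(expiry)
}

// expiredFromKeyCreation follows the quoted section 5.2.3.6: the lifetime is
// counted from the key creation time; absent or zero means no expiry.
func expiredFromKeyCreation(keyCreated time.Time, sig selfSig, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil || *sig.KeyLifetimeSecs == 0 {
		return false
	}
	expiry := keyCreated.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
	return now.After(expiry)
}

// Constructed sample: key made 2017-01-01 with a one-year lifetime,
// self-signature re-issued 2017-07-01 carrying the same subpacket value.
func sample() (time.Time, selfSig, time.Time) {
	life := uint32(365 * 24 * 60 * 60)
	keyCreated := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
	sig := selfSig{CreationTime: time.Date(2017, 7, 1, 0, 0, 0, 0, time.UTC), KeyLifetimeSecs: &life}
	return keyCreated, sig, time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC) // time of the check
}

func main() {
	keyCreated, sig, now := sample()
	fmt.Println("signature-based:", expiredFromSigCreation(sig, now))
	fmt.Println("key-based:      ", expiredFromKeyCreation(keyCreated, sig, now))
}
```

With the constructed dates, the key expired on 2018-01-01 by the key-creation rule, while the signature-creation rule keeps treating it as valid until 2018-07-01.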


_______________________________________________
openpgp mailing list
openpgp@xxxxxxxx
https://www.ietf.org/mailman/listinfo/openpgp