[openpgp] Clarification: calculation of key expiration time

Paul Fawkesley <paul@fluidkeys.com> Thu, 07 February 2019 09:34 UTC

To: openpgp@ietf.org
From: Paul Fawkesley <paul@fluidkeys.com>
Openpgp: preference=signencrypt
Message-ID: <0be845d0-bd98-d021-7bc9-5f6562323cd4@fluidkeys.com>
Date: Thu, 07 Feb 2019 09:34:13 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="WnqZaHVnH5TVbJNw7VTdeNrWiEqdNhLbX"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/f--SM0L4y4kicxuLER9WLWs-5uc>
Subject: [openpgp] Clarification: calculation of key expiration time

Hi all,

There's an open issue[1] on Golang's openpgp library about calculating
key expiration time.

I believe it is currently calculated incorrectly and would appreciate a
second opinion.

The code[2] currently reads:

```go
// KeyExpired returns whether sig is a self-signature of a key that has
// expired.
func (sig *Signature) KeyExpired(currentTime time.Time) bool {
	if sig.KeyLifetimeSecs == nil {
		return false
	}
	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
	return currentTime.After(expiry)
}
```

So they're using _signature creation time_ + key expiration time (seconds).

The spec[3] seems pretty clear that you should use _key creation time_ +
key expiration time (seconds):

> 5.2.3.6.  Key Expiration Time
> 
>    (4-octet time field)
> 
>    The validity period of the key.  This is the number of seconds after
>    the key creation time that the key expires.  If this is not present
>    or has a value of zero, the key never expires.  This is found only on
>    a self-signature.

So it seems to me it's a bug, unless I'm missing something?

Kind regards,

Paul



[1]: https://github.com/golang/go/issues/22312
[2]: https://github.com/golang/crypto/blob/7e6ffbd038512da5ae7ce06c196764f393990be1/openpgp/packet/signature.go#L459
[3]: https://tools.ietf.org/html/rfc4880#section-5.2.3.6
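An added example (not Paul's code and not the golang.org/x/crypto library's) that puts the two calculations side by side. The `PublicKey` and `Signature` structs are minimal stand-ins so the program runs with the standard library alone; their field names follow the x/crypto packet types but nothing else is taken from that library. `keyExpiredAsPosted` reproduces the arithmetic in the quoted function, and `KeyExpiry`/`KeyExpired` implement the RFC 4880 5.2.3.6 text quoted above (key creation time + lifetime, with a zero lifetime meaning "never expires"). The scenario is constructed: a key created on 2018-01-01 with a one-year lifetime, where the self-signature carrying that lifetime was issued six months after the key. On 2019-03-01 the key is expired per the RFC, but the signature-relative arithmetic still accepts it.

```go
package main

import (
	"fmt"
	"time"
)

// PublicKey carries the one field expiry depends on: the key's own creation
// time (the 4-octet timestamp in the public-key packet, RFC 4880 5.5.2).
// Stand-in type for this example, not the library's.
type PublicKey struct {
	CreationTime time.Time
}

// Signature models a self-signature with only the fields under discussion.
// Stand-in type for this example, not the library's.
type Signature struct {
	CreationTime    time.Time // signature creation time (subpacket 5.2.3.4)
	KeyLifetimeSecs *uint32   // key expiration time (subpacket 5.2.3.6); nil = absent
}

// keyExpiredAsPosted reproduces the arithmetic of the quoted function:
// signature creation time + lifetime. Kept here only for comparison.
func keyExpiredAsPosted(sig *Signature, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil {
		return false
	}
	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
	return now.After(expiry)
}

// KeyExpiry returns the expiry instant per RFC 4880 5.2.3.6: key creation
// time + lifetime. ok is false when the subpacket is absent or zero, i.e.
// the key never expires.
func KeyExpiry(key *PublicKey, sig *Signature) (expiry time.Time, ok bool) {
	if sig.KeyLifetimeSecs == nil || *sig.KeyLifetimeSecs == 0 {
		return time.Time{}, false
	}
	// uint32 seconds fit comfortably in a time.Duration (int64 nanoseconds).
	return key.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second), true
}

// KeyExpired reports whether the key is expired at now, using the key's
// creation time as the RFC specifies.
func KeyExpired(key *PublicKey, sig *Signature, now time.Time) bool {
	expiry, ok := KeyExpiry(key, sig)
	return ok && now.After(expiry)
}

// Comparison holds both verdicts for one (key, self-signature, now) triple.
type Comparison struct {
	Posted bool // signature-relative arithmetic, as in the quoted code
	PerRFC bool // key-relative arithmetic, as in RFC 4880 5.2.3.6
}

// Compare evaluates both calculations so the divergence can be inspected.
func Compare(key *PublicKey, sig *Signature, now time.Time) Comparison {
	return Comparison{
		Posted: keyExpiredAsPosted(sig, now),
		PerRFC: KeyExpired(key, sig, now),
	}
}

func main() {
	// Constructed scenario: key created 2018-01-01 with a one-year lifetime,
	// but the self-signature carrying that lifetime was issued six months
	// later (for instance after the owner re-certified the key).
	keyCreated := time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC)
	sigCreated := keyCreated.AddDate(0, 6, 0)
	oneYear := uint32(365 * 24 * 60 * 60)

	key := &PublicKey{CreationTime: keyCreated}
	sig := &Signature{CreationTime: sigCreated, KeyLifetimeSecs: &oneYear}

	now := time.Date(2019, 3, 1, 0, 0, 0, 0, time.UTC)
	c := Compare(key, sig, now)
	expiry, _ := KeyExpiry(key, sig)
	fmt.Printf("RFC expiry: %s\n", expiry.Format(time.RFC3339))
	fmt.Printf("at %s: posted arithmetic expired=%v, RFC arithmetic expired=%v\n",
		now.Format(time.RFC3339), c.Posted, c.PerRFC)
}
```

The gap between the two answers is exactly the delay between key creation and self-signature creation, so any self-signature issued after the key (a re-certification, a preference change, a later primary User ID) makes the signature-relative calculation accept the key for longer than its owner intended.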