ietf-openpgp

[openpgp] Clarification: calculation of key expiration time

2019-02-07 03:34:43
Hi all,

There's an open issue[1] on Golang's openpgp library about calculating
key expiration time.

I believe it is currently calculated incorrectly and would appreciate a
second opinion.

The code[2] currently reads:

```
// KeyExpired returns whether sig is a self-signature of a key that has
// expired.
func (sig *Signature) KeyExpired(currentTime time.Time) bool {
        if sig.KeyLifetimeSecs == nil {
                return false
        }
        expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
        return currentTime.After(expiry)
}
```

So they're using _signature creation time_ + key expiration time (seconds)

The spec[3] seems pretty clear that you should use _key creation time_ +
key expiration time (seconds):

5.2.3.6.  Key Expiration Time

   (4-octet time field)

   The validity period of the key.  This is the number of seconds after
   the key creation time that the key expires.  If this is not present
   or has a value of zero, the key never expires.  This is found only on
   a self-signature.

So it seems to me it's a bug, unless I'm missing something?

Kind regards,

Paul



[1]: https://github.com/golang/go/issues/22312
[2]: https://github.com/golang/crypto/blob/7e6ffbd038512da5ae7ce06c196764f393990be1/openpgp/packet/signature.go#L459
[3]: https://tools.ietf.org/html/rfc4880#section-5.2.3.6
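
An added example, not part of the original message and not code from the Go library: it runs both base times discussed above over one constructed key, so the case where they disagree (a self-signature issued years after the key) is visible. The `selfSig` type, the function names and the sample dates are hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

// selfSig is a hypothetical, simplified view of a self-signature holding only
// the fields relevant to expiry. It is not the golang.org/x/crypto type.
type selfSig struct {
	CreationTime    time.Time
	KeyLifetimeSecs *uint32 // nil when the subpacket is absent
}

// expiredFrom reports whether base + lifetime lies before now. An absent or
// zero lifetime means the key never expires (RFC 4880, section 5.2.3.6).
func expiredFrom(base time.Time, lifetime *uint32, now time.Time) bool {
	if lifetime == nil || *lifetime == 0 {
		return false
	}
	return now.After(base.Add(time.Duration(*lifetime) * time.Second))
}

// expiredPerSpec counts the lifetime from the key creation time.
func expiredPerSpec(keyCreated time.Time, sig selfSig, now time.Time) bool {
	return expiredFrom(keyCreated, sig.KeyLifetimeSecs, now)
}

// expiredFromSigTime counts from the signature creation time, the base time
// used by the KeyExpired method quoted in the message.
func expiredFromSigTime(sig selfSig, now time.Time) bool {
	return expiredFrom(sig.CreationTime, sig.KeyLifetimeSecs, now)
}

// Constructed sample: key made 2015-01-01, self-signature issued 2018-06-01
// carrying a two-year lifetime, evaluated on the date of the message.
var (
	keyCreated = time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)
	twoYears   = uint32(2 * 365 * 24 * 3600)
	sample     = selfSig{time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC), &twoYears}
	now        = time.Date(2019, 2, 7, 0, 0, 0, 0, time.UTC)
)

func main() {
	fmt.Println("per spec:", expiredPerSpec(keyCreated, sample, now))     // true
	fmt.Println("from signature time:", expiredFromSigTime(sample, now)) // false
}
```

With the signature-based calculation the constructed key is still treated as valid more than two years after the spec-defined expiry.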
