ietf-openpgp

Re: [openpgp] Clarification: calculation of key expiration time

2019-02-08 14:50:55
On Thu 2019-02-07 09:34:13 +0000, Paul Fawkesley wrote:

There's an open issue[1] on Golang's openpgp library about calculating
key expiration time.

I believe it is currently calculated incorrectly and would appreciate a
second opinion.

The code[2] currently reads:

```
// KeyExpired returns whether sig is a self-signature of a key that has
// expired.
func (sig *Signature) KeyExpired(currentTime time.Time) bool {
      if sig.KeyLifetimeSecs == nil {
              return false
      }
      expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
      return currentTime.After(expiry)
}
```

So they're using _signature creation time_ + key expiration time (seconds).

The spec[3] seems pretty clear that you should use _key creation time_ +
key expiration time (seconds):

5.2.3.6.  Key Expiration Time

   (4-octet time field)

   The validity period of the key.  This is the number of seconds after
   the key creation time that the key expires.  If this is not present
   or has a value of zero, the key never expires.  This is found only on
   a self-signature.

So it seems to me it's a bug, unless I'm missing something?

I agree with you that this is a bug in Golang's openpgp library.  I've
followed up on https://github.com/golang/go/issues/22312 accordingly.

         --dkg


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
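
The two calculations discussed in this message, side by side, as an added Go example that is not part of the original messages or of the Go library's code. `PublicKey`, `Signature`, the function names and all dates are constructed stand-ins that model only the fields used in the quoted snippet.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical minimal stand-ins for the library's types; only the
// fields needed for the expiry calculation are modelled.
type PublicKey struct{ CreationTime time.Time }

type Signature struct {
	CreationTime    time.Time
	KeyLifetimeSecs *uint32 // Key Expiration Time subpacket, nil if absent
}

// expiredFromSigTime reproduces the calculation quoted in the thread:
// the lifetime is added to the signature creation time.
func expiredFromSigTime(sig *Signature, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil {
		return false
	}
	return now.After(sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second))
}

// expiredFromKeyTime follows the quoted section 5.2.3.6: the lifetime counts
// from the key creation time; absent or zero means the key never expires.
func expiredFromKeyTime(key *PublicKey, sig *Signature, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil || *sig.KeyLifetimeSecs == 0 {
		return false
	}
	return now.After(key.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second))
}

// sample builds constructed data: a key made 2015-01-01 with a 730-day
// lifetime, whose self-signature was issued 2016-06-01.
func sample() (*PublicKey, *Signature) {
	secs := uint32(730 * 24 * 60 * 60)
	key := &PublicKey{CreationTime: time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)}
	sig := &Signature{CreationTime: time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC), KeyLifetimeSecs: &secs}
	return key, sig
}

func main() {
	key, sig := sample()
	now := time.Date(2017, 6, 1, 0, 0, 0, 0, time.UTC) // constructed "current" time
	fmt.Println("signature-based:", expiredFromSigTime(sig, now))
	fmt.Println("key-based:      ", expiredFromKeyTime(key, sig, now))
}
```

With this constructed data the key-based check reports the key as expired, while the signature-based check still accepts it until 730 days after the self-signature was issued.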