Skip to content

Commit

Permalink
fix: limit clock skew for short-lived keys
Browse files Browse the repository at this point in the history
If the key expires in 30 secs, limit clock skew otherwise key is
considered expired always.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
  • Loading branch information
smira committed Nov 7, 2022
1 parent cdb9722 commit 63d4da3
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 0 deletions.
10 changes: 10 additions & 0 deletions pkg/pgp/key.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,9 +104,19 @@ func (p *Key) ArmorPublic() (string, error) {

// IsExpired returns true if the key is expired with clock skew.
func (p *Key) IsExpired(clockSkew time.Duration) bool {
if clockSkew < 0 {
panic("clock skew can't be negative")
}

now := time.Now()

i := p.key.GetEntity().PrimaryIdentity()
keyLifetimeSecs := i.SelfSignature.KeyLifetimeSecs

if keyLifetimeSecs != nil && *keyLifetimeSecs < uint32(clockSkew/time.Second) {
// if the key is short-lived, limit clock skew to the half of the key lifetime
clockSkew = time.Duration(*keyLifetimeSecs) * time.Second / 2
}

expired := func(t time.Time) bool {
return p.key.GetEntity().PrimaryKey.KeyExpired(i.SelfSignature, t) || // primary key has expired
Expand Down
4 changes: 4 additions & 0 deletions pkg/pgp/key_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,10 @@ func TestKeyExpiration(t *testing.T) {
lifetime: pgp.MaxAllowedLifetime / 2,
shift: pgp.AllowedClockSkew / 2,
},
{
name: "short-lived key",
lifetime: pgp.AllowedClockSkew / 2,
},
} {
t.Run(tt.name, func(t *testing.T) {
key := genKey(t, uint32(tt.lifetime/time.Second), func() time.Time {
Expand Down

0 comments on commit 63d4da3

Please sign in to comment.