
Commit 63d4da3

committed
fix: limit clock skew for short-lived keys
If the key expires in 30 secs, limit the clock skew; otherwise the key is always considered expired. Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
1 parent cdb9722 commit 63d4da3


2 files changed

+14
-0
lines changed


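--- a/pkg/pgp/key.go
+++ b/pkg/pgp/key.go
@@ -104,9 +104,19 @@ func (p *Key) ArmorPublic() (string, error) {
 
 // IsExpired returns true if the key is expired with clock skew.
 func (p *Key) IsExpired(clockSkew time.Duration) bool {
+if clockSkew < 0 {
+panic("clock skew can't be negative")
+}
+
 now := time.Now()
 
 i := p.key.GetEntity().PrimaryIdentity()
+keyLifetimeSecs := i.SelfSignature.KeyLifetimeSecs
+
+if keyLifetimeSecs != nil && *keyLifetimeSecs < uint32(clockSkew/time.Second) {
+// if the key is short-lived, limit clock skew to the half of the key lifetime
+clockSkew = time.Duration(*keyLifetimeSecs) * time.Second / 2
+}
 
 expired := func(t time.Time) bool {
 return p.key.GetEntity().PrimaryKey.KeyExpired(i.SelfSignature, t) || // primary key has expired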
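Review bot: The cap on the added `if keyLifetimeSecs != nil && *keyLifetimeSecs < uint32(clockSkew/time.Second)` line only engages once the lifetime drops below the full clock skew, so a key whose lifetime is just above `clockSkew` keeps the whole skew window while one just below it is cut to half its lifetime — a discontinuity that is presumably unintended if the rule in the comment ("limit clock skew to the half of the key lifetime") is meant to hold generally. Comparing against the halved lifetime makes the rule monotonic and keeps the comparison in one unit without the narrowing `uint32` conversion: `if keyLifetimeSecs != nil && time.Duration(*keyLifetimeSecs)*time.Second/2 < clockSkew {` with the assignment below it unchanged. The doc comment on `IsExpired` should also mention the new panic, e.g. `// IsExpired returns true if the key is expired with clock skew; it panics if clockSkew is negative.`. The body of `IsExpired`, including the `expired` closure, continues past the end of the hunk.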

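--- a/pkg/pgp/key_test.go
+++ b/pkg/pgp/key_test.go
@@ -96,6 +96,10 @@ func TestKeyExpiration(t *testing.T) {
 lifetime: pgp.MaxAllowedLifetime / 2,
 shift: pgp.AllowedClockSkew / 2,
 },
+{
+name: "short-lived key",
+lifetime: pgp.AllowedClockSkew / 2,
+},
 } {
 t.Run(tt.name, func(t *testing.T) {
 key := genKey(t, uint32(tt.lifetime/time.Second), func() time.Time {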
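Review bot: The new `"short-lived key"` case leaves `shift` at its zero value, so it only checks that a key with a lifetime of half the allowed skew is not rejected at generation time; it does not pin the boundary the new cap introduces. If `shift` offsets the generation time passed to `genKey` (as the `func() time.Time` argument suggests — the closure body is outside the hunk), a second case such as `{name: "short-lived key, past half lifetime", lifetime: pgp.AllowedClockSkew / 2, shift: pgp.AllowedClockSkew / 4 + time.Second}` with the corresponding expected result would exercise the halved-skew edge. `TestKeyExpiration` starts and ends outside the hunk, so how the table encodes the expected expiry outcome is not visible here.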
