Skip to content

Commit

Permalink
fix: account for time truncation to a second resolution
Browse files Browse the repository at this point in the history
ProtonMail go-crypto library introduced a breaking change in `packet.PublicKey.KeyExpired` method. Account for it.

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
  • Loading branch information
DmitriyMV committed Sep 3, 2024
1 parent 1b35ea8 commit 8807c5e
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 1 deletion.
10 changes: 10 additions & 0 deletions pkg/pgp/key_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,16 @@ func TestKeyValidation(t *testing.T) {
pgp.WithValidEmailAsName(false),
},
},
{
name: "should be ok",
email: "keytest@example.com",
lifetime: pgp.DefaultMaxAllowedLifetime,
},
{
name: "should be ok (with time truncation)",
email: "keytest@example.com",
lifetime: pgp.DefaultMaxAllowedLifetime + time.Minute - time.Nanosecond,
},
} {
t.Run(tt.name, func(t *testing.T) {
key := genKey(t, uint32(tt.lifetime/time.Second), tt.email, func() time.Time {
Expand Down
5 changes: 4 additions & 1 deletion pkg/pgp/validate.go
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,10 @@ func (p *Key) validateLifetime(opts *validationOptions) error {
return fmt.Errorf("key does not contain a valid key lifetime")
}

expiration := time.Now().Add(opts.maxAllowedLifetime)
// We don't care when the key was created, only when it expires relative to the server "now" time.
//
// Also add one minute to account for rounding errors or time skew.
expiration := time.Now().Add(opts.maxAllowedLifetime + time.Minute)

if !entity.PrimaryKey.KeyExpired(sig, expiration) {
return fmt.Errorf("key lifetime is too long: %s", time.Duration(*sig.KeyLifetimeSecs)*time.Second)
Expand Down

0 comments on commit 8807c5e

Please sign in to comment.