From 619d02d78c19488aed3449b70a22ece3c91adf65 Mon Sep 17 00:00:00 2001 From: larabr Date: Tue, 15 Jun 2021 19:16:52 +0200 Subject: [PATCH] Drop `capabilities, keyID` args in `Key.getExpirationTime()` and consider direct-key sigs (#1319) - Fix #1159: `Key.verifyPrimaryKey` considers expiration time subpackets in direct-key signatures to determine whether the key is expired. - `Key.getExpirationTime()` does not take the `capabilities` and `keyID` arguments anymore, and simply returns the expiration date of the primary key. Also, like for `verifyPrimaryKey`, direct-key signatures are now taken into account. - Keys and signatures are considered expired at the time of expiry, instead of one second later. Breaking change: `Key.getExpirationTime(capabilities, keyID, userID, config)` -> `.getExpirationTime(userID, config)` --- openpgp.d.ts | 2 +- src/key/helper.js | 2 +- src/key/key.js | 60 +++++++++++++++-------------- src/packet/signature.js | 4 +- test/general/key.js | 79 +++++++++++++++++++++++++++++---------- test/general/openpgp.js | 60 +++++++++++++++++++++++++++++ test/general/signature.js | 8 ++++ 7 files changed, 163 insertions(+), 52 deletions(-) diff --git a/openpgp.d.ts b/openpgp.d.ts index d08aa14a..cf8f1d12 100644 --- a/openpgp.d.ts +++ b/openpgp.d.ts @@ -30,7 +30,7 @@ export abstract class Key { public revocationSignatures: SignaturePacket[]; public write(): Uint8Array; public armor(config?: Config): string; - public getExpirationTime(capability?: 'encrypt' | 'encrypt_sign' | 'sign', keyID?: KeyID, userID?: UserID, config?: Config): Promise; // Returns null if `capabilities` is passed and the key does not have the specified capabilities or is revoked or invalid. + public getExpirationTime(userID?: UserID, config?: Config): Promise; public getKeyIDs(): KeyID[]; public getPrimaryUser(date?: Date, userID?: UserID, config?: Config): Promise; // throws on error public getUserIDs(): string[]; diff --git a/src/key/helper.js b/src/key/helper.js index 987d0831..6cb48d65 100644 --- a/src/key/helper.js +++ b/src/key/helper.js @@ -72,7 +72,7 @@ export function isDataExpired(keyPacket, signature, date = new Date()) { const normDate = util.normalizeDate(date); if (normDate !== null) { const expirationTime = getKeyExpirationTime(keyPacket, signature); - return !(keyPacket.created <= normDate && normDate <= expirationTime); + return !(keyPacket.created <= normDate && normDate < expirationTime); } return false; } diff --git a/src/key/key.js b/src/key/key.js index 3d40fed4..205340a3 100644 --- a/src/key/key.js +++ b/src/key/key.js @@ -360,45 +360,49 @@ class Key { if (helper.isDataExpired(primaryKey, selfCertification, date)) { throw new Error('Primary key is expired'); } + // check for expiration time in direct signatures + const directSignature = await helper.getLatestValidSignature( + this.directSignatures, primaryKey, enums.signature.key, { key: primaryKey }, date, config + ).catch(() => {}); // invalid signatures are discarded, to avoid breaking the key + + if (directSignature && helper.isDataExpired(primaryKey, directSignature, date)) { + throw new Error('Primary key is expired'); + } } /** - * Returns the latest date when the key can be used for encrypting, signing, or both, depending on the `capabilities` paramater. - * When `capabilities` is null, defaults to returning the expiry date of the primary key. - * Returns null if `capabilities` is passed and the key does not have the specified capabilities or is revoked or invalid. - * Returns Infinity if the key doesn't expire. - * @param {encrypt|sign|encrypt_sign} [capabilities] - capabilities to look up - * @param {module:type/keyid~KeyID} [keyID] - key ID of the specific key to check + * Returns the expiration date of the primary key, considering self-certifications and direct-key signatures. + * Returns `Infinity` if the key doesn't expire, or `null` if the key is revoked or invalid. * @param {Object} [userID] - User ID to consider instead of the primary user * @param {Object} [config] - Full configuration, defaults to openpgp.config * @returns {Promise} * @async */ - async getExpirationTime(capabilities, keyID, userID, config = defaultConfig) { - const primaryUser = await this.getPrimaryUser(null, userID, config); - const selfCert = primaryUser.selfCertification; - const keyExpiry = helper.getKeyExpirationTime(this.keyPacket, selfCert); - const sigExpiry = selfCert.getExpirationTime(); - let expiry = keyExpiry < sigExpiry ? keyExpiry : sigExpiry; - if (capabilities === 'encrypt' || capabilities === 'encrypt_sign') { - const encryptKey = - await this.getEncryptionKey(keyID, expiry, userID, { ...config, rejectPublicKeyAlgorithms: new Set(), minRSABits: 0 }).catch(() => {}) || - await this.getEncryptionKey(keyID, null, userID, { ...config, rejectPublicKeyAlgorithms: new Set(), minRSABits: 0 }).catch(() => {}); - if (!encryptKey) return null; - const encryptExpiry = await encryptKey.getExpirationTime(null, config); - if (encryptExpiry < expiry) expiry = encryptExpiry; + async getExpirationTime(userID, config = defaultConfig) { + let primaryKeyExpiry; + try { + const { selfCertification } = await this.getPrimaryUser(null, userID, config); + const selfSigKeyExpiry = helper.getKeyExpirationTime(this.keyPacket, selfCertification); + const selfSigExpiry = selfCertification.getExpirationTime(); + const directSignature = await helper.getLatestValidSignature( + this.directSignatures, this.keyPacket, enums.signature.key, { key: this.keyPacket }, null, config + ).catch(() => {}); + if (directSignature) { + const directSigKeyExpiry = helper.getKeyExpirationTime(this.keyPacket, directSignature); + // We do not support the edge case where the direct signature expires, since it would invalidate the corresponding key expiration, + // causing a discountinous validy period for the key + primaryKeyExpiry = Math.min(selfSigKeyExpiry, selfSigExpiry, directSigKeyExpiry); + } else { + primaryKeyExpiry = selfSigKeyExpiry < selfSigExpiry ? selfSigKeyExpiry : selfSigExpiry; + } + } catch (e) { + primaryKeyExpiry = null; } - if (capabilities === 'sign' || capabilities === 'encrypt_sign') { - const signKey = - await this.getSigningKey(keyID, expiry, userID, { ...config, rejectPublicKeyAlgorithms: new Set(), minRSABits: 0 }).catch(() => {}) || - await this.getSigningKey(keyID, null, userID, { ...config, rejectPublicKeyAlgorithms: new Set(), minRSABits: 0 }).catch(() => {}); - if (!signKey) return null; - const signExpiry = await signKey.getExpirationTime(null, config); - if (signExpiry < expiry) expiry = signExpiry; - } - return expiry; + + return util.normalizeDate(primaryKeyExpiry); } + /** * Returns primary user and most significant (latest valid) self signature * - if multiple primary users exist, returns the one with the latest self signature diff --git a/src/packet/signature.js b/src/packet/signature.js index e83aae79..78d74c79 100644 --- a/src/packet/signature.js +++ b/src/packet/signature.js @@ -706,7 +706,7 @@ class SignaturePacket { if (normDate && this.created > normDate) { throw new Error('Signature creation time is in the future'); } - if (normDate && normDate > this.getExpirationTime()) { + if (normDate && normDate >= this.getExpirationTime()) { throw new Error('Signature is expired'); } if (config.rejectHashAlgorithms.has(hashAlgorithm)) { @@ -734,7 +734,7 @@ class SignaturePacket { isExpired(date = new Date()) { const normDate = util.normalizeDate(date); if (normDate !== null) { - return !(this.created <= normDate && normDate <= this.getExpirationTime()); + return !(this.created <= normDate && normDate < this.getExpirationTime()); } return false; } diff --git a/test/general/key.js b/test/general/key.js index dbe507b6..315b21b0 100644 --- a/test/general/key.js +++ b/test/general/key.js @@ -2074,6 +2074,57 @@ usLw5q4tc+I5gdq57aiulJ8r4Jj9rdzsZFA7PzNJ9WPGVYJ3 =GSXO -----END PGP PRIVATE KEY BLOCK-----`; +const expiredPublicKeyThroughDirectSignature = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsDNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv +/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz +/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/ +5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3 +X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv +9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0 +qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb +SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb +vLIwa3T4CyshfT0AEQEAAcLA+QQfAQoADAWCX2i/SgWJAT9MWAAhCRD7/MgqAV5z +MBYhBNGmbhojsYLJmA94jPv8yCoBXnMwZNYL/RmU7kIYsi7w8d7sPLiqb5C9fs9k +TJuxLREYpKE7zWz9z16+c9ketkoLpoMSDaZL+4+QEfyAJA+q8c8ZFHJ8E60cPNwe +jN/ZI+vJRloDAfxMkH+BdKshMtvcmlLq2+AbQWzT0kAUkiiKiUiUsQwrTfenjkT5 +FCsZyKviLsarzdIhpwEdd6zCxWQDap55njXfpUh/vQFZo4aHHtWPwXXRjLZRlKA+ +gI8LQyYuIFOCFQMrhZVEwaLJQa6IbauL4B/qD4y5AMenNumW5M06p0G8yj1L22b6 +R2hWS7Ueo0iu9J4abTEDo1gGxeLwCiMRUGpN7L+4J3yrzGNcjjtXz1/FT6/YSvT2 +bnPraOOGaEO5tflQZ6plEOIc9bKnb2vySlwpxnWgJ7CQdAT+lGVT5xRZ//we5yja +vsb4pdo0xIW32YDzFQ36HgAO8XUXnz0NkgVDHLujWsyhjq9xkfMOhSmGSeXxvsXa +1O9uC2n+qX8hV7whWf20UPHKatYbBV0HHJeA280hQm9iIEJhYmJhZ2UgPGJvYkBv +cGVucGdwLmV4YW1wbGU+wsEOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B +AheAFiEE0aZuGiOxgsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/ +VNk90a6hG8Od9xTzXxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyR +V8oY9IOhQ5Esm6DOZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn +3naC9qad75BrZ+3g9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CR +NwYle42bg8lpmdXFDcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOl +ZbD+OHYQNZ5Jix7cZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsA +zeGaZSEPc0fHp5G16rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBC +Pi/Gv+egLjsIbPJZZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsD +hmUQKiACszNU+RRozAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpG +zsDNBF2lnPIBDADWML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXR +g21HWamXnn9sSXvIDEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2 +q9vW+RMXSO4uImA+Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHH +Nlgd/Dn6rrd5y2AObaifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVD +wZXrvIsA0YwIMgIT86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+L +XoPZuVE/wGlQ01rh827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZY +I2e8c+paLNDdVPL6vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y8 +5ybUz8XV8rUnR76UqVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHE +sSEQzFwzj8sxH48AEQEAAcLA9gQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMw +BQJdpZzyAhsMAAoJEPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ +4TQMw7+41IL4rVcSKhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSup +KnUrdVaZQanYmtSxcVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGz +AaMVV9zpf3u0k14itcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoL +b+KZgbYn3OWjCPHVdTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFF +klh8/5VK2b0vk/+wqMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0 +Fdg8AyFAExaEK6VyjP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8Xyqqbs +GxUCBqWif9RSK4xjzRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVa +Be4ubVrj5KjhX2PVNEJd3XZRzaXZE2aAMQ== +=ZeAz +-----END PGP PUBLIC KEY BLOCK-----`; + function versionSpecificTests() { it('Preferences of generated key', function() { const testPref = function(key) { @@ -2891,7 +2942,7 @@ module.exports = () => describe('Key', function() { })).to.be.fulfilled; }); - it('Method getExpirationTime V4 Key', async function() { + it('Key.getExpirationTime()', async function() { const [, pubKey] = await openpgp.readKeys({ armoredKeys: twoKeys }); expect(pubKey).to.exist; expect(pubKey).to.be.an.instanceof(openpgp.PublicKey); @@ -2899,7 +2950,7 @@ module.exports = () => describe('Key', function() { expect(expirationTime.toISOString()).to.be.equal('2018-11-26T10:58:29.000Z'); }); - it('Method getExpirationTime expired V4 Key', async function() { + it('Key.getExpirationTime() - expired key', async function() { const pubKey = await openpgp.readKey({ armoredKey: expiredKey }); expect(pubKey).to.exist; expect(pubKey).to.be.an.instanceof(openpgp.PublicKey); @@ -2907,7 +2958,7 @@ module.exports = () => describe('Key', function() { expect(expirationTime.toISOString()).to.be.equal('1970-01-01T00:22:18.000Z'); }); - it('Method getExpirationTime V4 Subkey', async function() { + it('SubKey.getExpirationTime()', async function() { const [, pubKey] = await openpgp.readKeys({ armoredKeys: twoKeys }); expect(pubKey).to.exist; expect(pubKey).to.be.an.instanceof(openpgp.PublicKey); @@ -2915,34 +2966,22 @@ module.exports = () => describe('Key', function() { expect(expirationTime.toISOString()).to.be.equal('2018-11-26T10:58:29.000Z'); }); - it('Method getExpirationTime V4 Key with capabilities', async function() { + it('Key.getExpirationTime() - never expiring key', async function() { const { minRSABits } = openpgp.config; try { openpgp.config.minRSABits = 1024; const privKey = await openpgp.readKey({ armoredKey: priv_key_2000_2008 }); - privKey.users[0].selfCertifications[0].keyFlags = [1]; const expirationTime = await privKey.getExpirationTime(); expect(expirationTime).to.equal(Infinity); - const encryptExpirationTime = await privKey.getExpirationTime('encrypt_sign'); - expect(encryptExpirationTime.toISOString()).to.equal('2008-02-12T17:12:08.000Z'); } finally { openpgp.config.minRSABits = minRSABits; } - }); - it('Method getExpirationTime V4 Key with capabilities - capable primary key', async function() { - const { minRSABits } = openpgp.config; - try { - openpgp.config.minRSABits = 1024; - const privKey = await openpgp.readKey({ armoredKey: priv_key_2000_2008 }); - const expirationTime = await privKey.getExpirationTime(); - expect(expirationTime).to.equal(Infinity); - const encryptExpirationTime = await privKey.getExpirationTime('encrypt_sign'); - expect(encryptExpirationTime).to.equal(Infinity); - } finally { - openpgp.config.minRSABits = minRSABits; - } + it('Key.getExpirationTime() - key expiration in direct-key signature', async function() { + const privKey = await openpgp.readKey({ armoredKey: expiredPublicKeyThroughDirectSignature }); + const expirationTime = await privKey.getExpirationTime(); + expect(expirationTime.toISOString()).to.equal('2020-06-13T14:57:14.000Z'); }); it("decryptKey() - throw if key parameters don't correspond", async function() { diff --git a/test/general/openpgp.js b/test/general/openpgp.js index afb406ab..41d16a79 100644 --- a/test/general/openpgp.js +++ b/test/general/openpgp.js @@ -781,6 +781,57 @@ EplqEakMckCtikEnpxYe =b2Ln -----END PGP PUBLIC KEY BLOCK-----`; +const expiredPublicKeyThroughDirectSignature = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsDNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv +/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz +/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/ +5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3 +X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv +9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0 +qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb +SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb +vLIwa3T4CyshfT0AEQEAAcLA+QQfAQoADAWCX2i/SgWJAT9MWAAhCRD7/MgqAV5z +MBYhBNGmbhojsYLJmA94jPv8yCoBXnMwZNYL/RmU7kIYsi7w8d7sPLiqb5C9fs9k +TJuxLREYpKE7zWz9z16+c9ketkoLpoMSDaZL+4+QEfyAJA+q8c8ZFHJ8E60cPNwe +jN/ZI+vJRloDAfxMkH+BdKshMtvcmlLq2+AbQWzT0kAUkiiKiUiUsQwrTfenjkT5 +FCsZyKviLsarzdIhpwEdd6zCxWQDap55njXfpUh/vQFZo4aHHtWPwXXRjLZRlKA+ +gI8LQyYuIFOCFQMrhZVEwaLJQa6IbauL4B/qD4y5AMenNumW5M06p0G8yj1L22b6 +R2hWS7Ueo0iu9J4abTEDo1gGxeLwCiMRUGpN7L+4J3yrzGNcjjtXz1/FT6/YSvT2 +bnPraOOGaEO5tflQZ6plEOIc9bKnb2vySlwpxnWgJ7CQdAT+lGVT5xRZ//we5yja +vsb4pdo0xIW32YDzFQ36HgAO8XUXnz0NkgVDHLujWsyhjq9xkfMOhSmGSeXxvsXa +1O9uC2n+qX8hV7whWf20UPHKatYbBV0HHJeA280hQm9iIEJhYmJhZ2UgPGJvYkBv +cGVucGdwLmV4YW1wbGU+wsEOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B +AheAFiEE0aZuGiOxgsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/ +VNk90a6hG8Od9xTzXxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyR +V8oY9IOhQ5Esm6DOZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn +3naC9qad75BrZ+3g9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CR +NwYle42bg8lpmdXFDcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOl +ZbD+OHYQNZ5Jix7cZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsA +zeGaZSEPc0fHp5G16rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBC +Pi/Gv+egLjsIbPJZZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsD +hmUQKiACszNU+RRozAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpG +zsDNBF2lnPIBDADWML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXR +g21HWamXnn9sSXvIDEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2 +q9vW+RMXSO4uImA+Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHH +Nlgd/Dn6rrd5y2AObaifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVD +wZXrvIsA0YwIMgIT86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+L +XoPZuVE/wGlQ01rh827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZY +I2e8c+paLNDdVPL6vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y8 +5ybUz8XV8rUnR76UqVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHE +sSEQzFwzj8sxH48AEQEAAcLA9gQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMw +BQJdpZzyAhsMAAoJEPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ +4TQMw7+41IL4rVcSKhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSup +KnUrdVaZQanYmtSxcVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGz +AaMVV9zpf3u0k14itcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoL +b+KZgbYn3OWjCPHVdTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFF +klh8/5VK2b0vk/+wqMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0 +Fdg8AyFAExaEK6VyjP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8Xyqqbs +GxUCBqWif9RSK4xjzRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVa +Be4ubVrj5KjhX2PVNEJd3XZRzaXZE2aAMQ== +=ZeAz +-----END PGP PUBLIC KEY BLOCK-----`; + function withCompression(tests) { const compressionTypes = Object.keys(openpgp.enums.compression).map(k => openpgp.enums.compression[k]); @@ -1541,6 +1592,15 @@ aOU= }); }); + describe('encrypt - unit tests', function() { + it('Does not encrypt to expired key (expiration time subpacket on a direct-key signature)', async function() { + const expiredKey = await openpgp.readKey({ armoredKey: expiredPublicKeyThroughDirectSignature }); + await expect( + openpgp.encrypt({ message: await openpgp.createMessage({ text: 'test' }), encryptionKeys: expiredKey }) + ).to.be.rejectedWith(/Primary key is expired/); + }); + }); + describe('encrypt, decrypt, sign, verify - integration tests', function() { let privateKey_2000_2008; let publicKey_2000_2008; diff --git a/test/general/signature.js b/test/general/signature.js index 57470dc1..376df8d6 100644 --- a/test/general/signature.js +++ b/test/general/signature.js @@ -685,6 +685,14 @@ kCNcH9WI6idSzFjuYegECf+ZA1xOCjS9oLTGbSeT7jNfC8dH5+E92qlBLq4Ctt7k expect(decrypted.signatures[0].signature.packets.length).to.equal(1); }); + it('Consider signature expired at the expiration time', async function() { + const key = await openpgp.readKey({ armoredKey: keyExpiredBindingSig }); + const { embeddedSignature } = key.subkeys[0].bindingSignatures[0]; + expect(embeddedSignature.isExpired(embeddedSignature.created)).to.be.false; + expect(embeddedSignature.isExpired(new Date(embeddedSignature.getExpirationTime() - 1))).to.be.false; + expect(embeddedSignature.isExpired(embeddedSignature.getExpirationTime())).to.be.true; + }); + it('Signing fails if primary key is expired', async function() { const armoredExpiredKey = `-----BEGIN PGP PRIVATE KEY BLOCK-----