1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-12-24 11:57:59 +01:00

Re-certify expired user-ids when changing key expiration date

This commit is contained in:
Paul Schaub 2021-12-20 13:28:16 +01:00
parent 710f961984
commit 3aa9e2915a
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
3 changed files with 39 additions and 12 deletions

View file

@ -349,6 +349,38 @@ public class KeyRingInfo {
return valid;
}
/**
* Return a list of all user-ids that were valid at some point, but might be expired by now.
*
* @return bound user-ids
*/
public List<String> getBoundButPossiblyExpiredUserIds() {
List<String> probablyExpired = new ArrayList<>();
List<String> userIds = getUserIds();
for (String userId : userIds) {
PGPSignature certification = signatures.userIdCertifications.get(userId);
PGPSignature revocation = signatures.userIdRevocations.get(userId);
// Not revoked -> valid
if (revocation == null) {
probablyExpired.add(userId);
continue;
}
// Hard revocation -> invalid
if (SignatureUtils.isHardRevocation(revocation)) {
continue;
}
// Soft revocation -> valid if certification is newer than revocation (revalidation)
if (certification.getCreationTime().after(revocation.getCreationTime())) {
probablyExpired.add(userId);
}
}
return probablyExpired;
}
/**
* Return true if the provided user-id is valid.
*
@ -371,7 +403,6 @@ public class KeyRingInfo {
PGPSignature certification = signatures.userIdCertifications.get(userId);
PGPSignature revocation = signatures.userIdRevocations.get(userId);
// If user-id is expired, certification will be null.
if (certification == null) {
return false;
}

View file

@ -146,15 +146,12 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
// Determine previous key expiration date
PGPPublicKey primaryKey = secretKeyRing.getSecretKey().getPublicKey();
/*
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
String primaryUserId = info.getPrimaryUserId();
PGPSignature signature = primaryUserId == null ?
info.getLatestDirectKeySelfSignature() : info.getLatestUserIdCertification(primaryUserId);
final Date previousKeyExpiration = signature == null ? null :
SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(signature, primaryKey);
*/
final Date previousKeyExpiration = null;
// Add new primary user-id signature
addUserId(
@ -173,8 +170,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
protector);
// unmark previous primary user-ids to be non-primary
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
for (String otherUserId : info.getValidUserIds()) {
info = PGPainless.inspectKeyRing(secretKeyRing);
for (String otherUserId : info.getBoundButPossiblyExpiredUserIds()) {
if (userId.toString().equals(otherUserId)) {
continue;
}

View file

@ -9,7 +9,6 @@ import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.Date;
@ -151,7 +150,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
@Test
public void generateA_expire_primaryB_expire_isPrimaryB()
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException, IOException {
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A", null);
SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
@ -165,7 +164,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
assertIsPrimaryUserId("A", info);
assertIsNotValid("A", info);
assertIsNotValid("A", info); // A is expired
secretKeys = PGPainless.modifyKeyRing(secretKeys)
.addPrimaryUserId("B", protector)
@ -174,8 +173,8 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
info = PGPainless.inspectKeyRing(secretKeys);
assertIsPrimaryUserId("B", info);
assertIsValid("B", info);
assertIsNotValid("A", info); // A is still expired
assertIsNotValid("B", info); // A and B are still expired
assertIsNotValid("A", info);
Thread.sleep(1000);
@ -187,7 +186,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
info = PGPainless.inspectKeyRing(secretKeys);
assertIsValid("B", info);
assertIsNotValid("A", info); // A was expired when the expiration date was changed, so it was not re-certified
assertIsValid("A", info); // A got re-validated when changing exp date
assertIsPrimaryUserId("B", info);
secretKeys = PGPainless.modifyKeyRing(secretKeys)