Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add expiration to master keys & encryption subkey #64

Merged
merged 8 commits into from
Nov 12, 2020
Merged

Add expiration to master keys & encryption subkey #64

merged 8 commits into from
Nov 12, 2020

Conversation

trishankatdatadog
Copy link
Contributor

@trishankatdatadog trishankatdatadog commented Oct 20, 2020
edited

  • Add expiration to master keys and expiration subkeys
  • Check for expiration of master key when returning encryption/signing subkeys
  • Find newest instead of first unexpired signing subkey

Signed-off-by: Trishank Karthik Kuppusamy trishank.kuppusamy@datadoghq.com

@trishankatdatadog trishankatdatadog mentioned this pull request Oct 20, 2020
Closed
@trishankatdatadog
Copy link
Contributor Author

I suppose there could be a slight difference in the creation and expiration time of the master key and encryption subkey now, but it should not matter in practice.

@twiss
Copy link
Member

twiss commented Oct 22, 2020

Hey @trishankatdatadog, thanks for the PR!

Typically, key expiry is set on the primary key only. Of course subkeys can expire separately, but most typically, the subkeys expire when the primary key expires. (This makes it easier to extend the lifetime of the entire key, since you just have to re-sign one signature.)
Unfortunately, this is not how ProtonMail/crypto currently behaves; subkeys' lifetime currently extends beyond the lifetime of the primary key, but this is a bug. (See ProtonMail/gopenpgp#80, which has this as its root cause.) So probably EncryptionKey should check whether the primary key is expired before looking at the subkeys. (And similarly for SigningKey.) And then, personally I would leave the subkey generation code as it was, to avoid setting an expiration there and also to avoid the (admittedly minor) potential issue of different creation dates.

@trishankatdatadog
Copy link
Contributor Author

trishankatdatadog commented Oct 22, 2020
edited

@twiss, a few comments:

  1. So I fixed the code to return no signing/encryption keys when the primary UID has expired. However, I also added a test to show that this fails when a direct signature on the primary key itself has expired. AFAICT, we do not handle such signature packets at all. How should we handle this test?

  2. I brought back the old code to directly add the encryption subkey. I still find it a little inconsistent to not add expiry on this subkey, but checking the expiration of the primary UID does mitigate this.

  3. I just noticed that we get the newest unexpired encryption subkey, but the first unexpired signing subkey. What is the rationale for this? The latter can lead to unintuitive behavior from an end-user's perspective.

@trishankatdatadog
Copy link
Contributor Author

ping 🙂

@twiss
Copy link
Member

twiss commented Oct 29, 2020

Hey @trishankatdatadog, sorry for the delay, and thanks for the ping :)

  1. IMO, I wouldn't worry about this for now. This is an uncommon way of expiring a key. So I would just leave out this test for now.
  2. Yeah, I understand. This is standard for OpenPGP keys, though
  3. Yeah, good point. It should return the newest in both cases indeed. Feel free to fix it here or in a separate PR, if you feel like :)

@twiss
Copy link
Member

twiss commented Nov 10, 2020

@trishankatdatadog Just for clarity, and as a gentle ping, I'm happy to merge this without the failing test 😊

@trishankatdatadog
Copy link
Contributor Author

@trishankatdatadog Just for clarity, and as a gentle ping, I'm happy to merge this without the failing test 😊

Oh, hey, sorry, lemme get around to this, was busy with other projects, thanks!

@twiss
Copy link
Member

twiss commented Nov 10, 2020

Np, thanks! 🙏

@trishankatdatadog
add expiration to master keys & encryption subkey
05fb51a 
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
@trishankatdatadog
check primary UID exp when returning sign/enc key
b67ab67 
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
@trishankatdatadog
add failing test on expired primary key
91247a5 
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
@trishankatdatadog
Revert "add failing test on expired primary key"
48da1a1 
This reverts commit 444ef1f029871f07d29455cd40e03b3bc041a19a.

Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
@trishankatdatadog trishankatdatadog force-pushed the trishankatdatadog/add-keylifetime-to-new-entity branch from 04012e6 to 48da1a1 Compare November 10, 2020 17:23
@trishankatdatadog
Copy link
Contributor Author

trishankatdatadog commented Nov 10, 2020
edited

@twiss Reverted the bad test, let me get around to returning the first newest unexpired signing subkey ASAP in this PR?

@twiss
Copy link
Member

twiss commented Nov 10, 2020

@trishankatdatadog Yeah, of course, thanks! 🙏

@trishankatdatadog
find newest instead of first unexpired sig subkey
e83b426 
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
@trishankatdatadog
Copy link
Contributor Author

Working on testing finding the newest instead of the first unexpired signing subkey...

@trishankatdatadog
test for returning newest unexpired sig subkey
14c42ad
@trishankatdatadog
test for nonexpiring & expiring signatures
f3a375e 
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
@trishankatdatadog
Copy link
Contributor Author

@twiss Done, please take a careful look. In particular, I found that I had to add this line to prevent keys from being considered immediately expired, but the corresponding line seems to have no effect on whether signatures are considered immediately expired (they are not).

twiss
twiss reviewed Nov 11, 2020
View reviewed changes
Copy link
Member

@twiss twiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trishankatdatadog Thanks! Yeah, makes sense. That's probably because SigExpired is not called as often, but yes this change seems correct. I've left two very minor nitpicks, but other than that looks good to me 👍

openpgp/keys.go Outdated Show resolved Hide resolved
openpgp/packet/signature.go Outdated Show resolved Hide resolved
@trishankatdatadog
brush up
52fb9d7 
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
@trishankatdatadog
Copy link
Contributor Author

@trishankatdatadog Thanks! Yeah, makes sense. That's probably because SigExpired is not called as often, but yes this change seems correct. I've left two very minor nitpicks, but other than that looks good to me 👍

Done, please take a final look 👀

twiss
twiss approved these changes Nov 12, 2020
View reviewed changes
Copy link
Member

@twiss twiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks a lot! 👍

@twiss twiss merged commit 41db4ea into ProtonMail:master Nov 12, 2020
@trishankatdatadog trishankatdatadog deleted the trishankatdatadog/add-keylifetime-to-new-entity branch November 12, 2020 11:54
@trishankatdatadog trishankatdatadog mentioned this pull request Nov 12, 2020
Closed
@wussler wussler mentioned this pull request Apr 25, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@twiss twiss twiss approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@trishankatdatadog @twiss