From db39b779c984a758e13adc16837893509f3b364f Mon Sep 17 00:00:00 2001 From: Vincent Breitmoser Date: Sun, 15 Mar 2015 19:18:35 +0100 Subject: fix expiry of master keys fixes #1141 --- .../keychain/pgp/PgpKeyOperationTest.java | 6 +++++ .../keychain/pgp/CanonicalizedPublicKey.java | 31 +++++++++++----------- 2 files changed, 22 insertions(+), 15 deletions(-) diff --git a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperationTest.java b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperationTest.java index dd2feb825..8feff4cc4 100644 --- a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperationTest.java +++ b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperationTest.java @@ -536,6 +536,12 @@ public class PgpKeyOperationTest { expiry, modified.getPublicKey(keyId).getUnsafeExpiryTimeForTesting().getTime() / 1000); Assert.assertEquals("modified key must have same flags as before", ring.getPublicKey(keyId).getKeyUsage(), modified.getPublicKey(keyId).getKeyUsage()); + + Date date = modified.canonicalize(new OperationLog(), 0).getPublicKey().getExpiryTime(); + Assert.assertNotNull("modified key must have an expiry date", date); + Assert.assertEquals("modified key must have expected expiry date", + expiry, date.getTime() / 1000); + } { diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedPublicKey.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedPublicKey.java index 303070333..8104c5249 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedPublicKey.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedPublicKey.java @@ -126,26 +126,27 @@ public class CanonicalizedPublicKey extends UncachedPublicKey { // the getValidSeconds method is unreliable for master keys. we need to iterate all // user ids, then use the most recent certification from a non-revoked user id if (isMasterKey()) { - Date latestCreation = null; seconds = 0; + long masterKeyId = getKeyId(); + + Date latestCreation = null; for (byte[] rawUserId : getUnorderedRawUserIds()) { Iterator sigs = getSignaturesForRawId(rawUserId); + while (sigs.hasNext()) { + WrappedSignature sig = sigs.next(); + if (sig.getKeyId() != masterKeyId) { + continue; + } + if (sig.isRevocation()) { + continue; + } + + if (latestCreation == null || latestCreation.before(sig.getCreationTime())) { + latestCreation = sig.getCreationTime(); + seconds = sig.getKeyExpirySeconds(); + } - // there is always a certification, so this call is safe - WrappedSignature sig = sigs.next(); - - // we know a user id has at most two sigs: one certification, one revocation. - // if the sig is a revocation, or there is another sig (which is a revocation), - // the data in this uid is not relevant - if (sig.isRevocation() || sigs.hasNext()) { - continue; - } - - // this is our revocation, UNLESS there is a newer certificate! - if (latestCreation == null || latestCreation.before(sig.getCreationTime())) { - latestCreation = sig.getCreationTime(); - seconds = sig.getKeyExpirySeconds(); } } } else { -- cgit v1.2.3