warn on signature earlier than key creation, err on significantly earlier
parent
5c8af1c5a5
commit
eb830c6786
@ -401,6 +401,7 @@ public abstract class OperationResult implements Parcelable {
|
|||||||
MSG_KC_SUB_BAD_LOCAL(LogLevel.WARN, R.string.msg_kc_sub_bad_local),
|
MSG_KC_SUB_BAD_LOCAL(LogLevel.WARN, R.string.msg_kc_sub_bad_local),
|
||||||
MSG_KC_SUB_BAD_KEYID(LogLevel.WARN, R.string.msg_kc_sub_bad_keyid),
|
MSG_KC_SUB_BAD_KEYID(LogLevel.WARN, R.string.msg_kc_sub_bad_keyid),
|
||||||
MSG_KC_SUB_BAD_TIME(LogLevel.WARN, R.string.msg_kc_sub_bad_time),
|
MSG_KC_SUB_BAD_TIME(LogLevel.WARN, R.string.msg_kc_sub_bad_time),
|
||||||
|
MSG_KC_SUB_BAD_TIME_EARLY(LogLevel.WARN, R.string.msg_kc_sub_bad_time_early),
|
||||||
MSG_KC_SUB_BAD_TYPE(LogLevel.WARN, R.string.msg_kc_sub_bad_type),
|
MSG_KC_SUB_BAD_TYPE(LogLevel.WARN, R.string.msg_kc_sub_bad_type),
|
||||||
MSG_KC_SUB_DUP (LogLevel.DEBUG, R.string.msg_kc_sub_dup),
|
MSG_KC_SUB_DUP (LogLevel.DEBUG, R.string.msg_kc_sub_dup),
|
||||||
MSG_KC_SUB_PRIMARY_BAD(LogLevel.WARN, R.string.msg_kc_sub_primary_bad),
|
MSG_KC_SUB_PRIMARY_BAD(LogLevel.WARN, R.string.msg_kc_sub_primary_bad),
|
||||||
|
@ -820,6 +820,15 @@ public class UncachedKeyRing {
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Date keyCreationTime = key.getCreationTime(), keyCreationTimeLenient;
|
||||||
|
{
|
||||||
|
Calendar keyCreationCal = Calendar.getInstance();
|
||||||
|
keyCreationCal.setTime(keyCreationTime);
|
||||||
|
// allow for diverging clocks up to one day when checking creation time
|
||||||
|
keyCreationCal.add(Calendar.MINUTE, -5);
|
||||||
|
keyCreationTimeLenient = keyCreationCal.getTime();
|
||||||
|
}
|
||||||
|
|
||||||
// A subkey needs exactly one subkey binding certificate, and optionally one revocation
|
// A subkey needs exactly one subkey binding certificate, and optionally one revocation
|
||||||
// certificate.
|
// certificate.
|
||||||
PGPPublicKey modified = key;
|
PGPPublicKey modified = key;
|
||||||
@ -851,6 +860,18 @@ public class UncachedKeyRing {
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (cert.getCreationTime().before(keyCreationTime)) {
|
||||||
|
// Signature is earlier than key creation time
|
||||||
|
log.add(LogType.MSG_KC_SUB_BAD_TIME_EARLY, indent);
|
||||||
|
// due to an earlier accident, we generated keys which had creation timestamps
|
||||||
|
// a few seconds after their signature timestamp. for compatibility, we only
|
||||||
|
// error out with some margin of error
|
||||||
|
if (cert.getCreationTime().before(keyCreationTimeLenient)) {
|
||||||
|
badCerts += 1;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (cert.isLocal()) {
|
if (cert.isLocal()) {
|
||||||
// Creation date in the future? No way!
|
// Creation date in the future? No way!
|
||||||
log.add(LogType.MSG_KC_SUB_BAD_LOCAL, indent);
|
log.add(LogType.MSG_KC_SUB_BAD_LOCAL, indent);
|
||||||
|
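Review bot: The comment on the lenient bound reads `// allow for diverging clocks up to one day when checking creation time`, but the line below it subtracts five minutes (`keyCreationCal.add(Calendar.MINUTE, -5)`), so the documented and the actual tolerance disagree. This window decides which subkey binding certificates are counted in `badCerts` and skipped, so the comment should state the real value, e.g. `// tolerate binding signatures up to five minutes older than the key`, or the constant should change if one day was intended. In the second hunk, `MSG_KC_SUB_BAD_TIME_EARLY` is logged both when the certificate is tolerated and when it is rejected, so the log cannot distinguish accepted skew from a dropped certificate. A separate entry for the rejection branch would match the neighbouring "Removing …" messages. The enclosing loop starts and ends outside both hunks.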
@ -829,6 +829,7 @@
|
|||||||
<string name="msg_kc_sub_bad_local">"Removing subkey binding certificate with 'local' flag"</string>
|
<string name="msg_kc_sub_bad_local">"Removing subkey binding certificate with 'local' flag"</string>
|
||||||
<string name="msg_kc_sub_bad_keyid">"Subkey binding issuer id mismatch"</string>
|
<string name="msg_kc_sub_bad_keyid">"Subkey binding issuer id mismatch"</string>
|
||||||
<string name="msg_kc_sub_bad_time">"Removing subkey binding certificate with future timestamp"</string>
|
<string name="msg_kc_sub_bad_time">"Removing subkey binding certificate with future timestamp"</string>
|
||||||
|
<string name="msg_kc_sub_bad_time_early">"Subkey binding certificate has earlier timestamp than its key!"</string>
|
||||||
<string name="msg_kc_sub_bad_type">"Unknown subkey certificate type: %s"</string>
|
<string name="msg_kc_sub_bad_type">"Unknown subkey certificate type: %s"</string>
|
||||||
<string name="msg_kc_sub_dup">"Removing redundant subkey binding certificate"</string>
|
<string name="msg_kc_sub_dup">"Removing redundant subkey binding certificate"</string>
|
||||||
<string name="msg_kc_sub_primary_bad">"Removing subkey binding certificate due to invalid primary binding certificate"</string>
|
<string name="msg_kc_sub_primary_bad">"Removing subkey binding certificate due to invalid primary binding certificate"</string>
|
||||||
|