PGP: fix expiry time calc when later packets increase or remove it.

peterdettman · peterdettman · commit d153553378ec · 2026-05-03T14:41:00.000+07:00
diff --git a/crypto/src/openpgp/PgpPublicKey.cs b/crypto/src/openpgp/PgpPublicKey.cs
@@ -7,6 +7,7 @@
 using Org.BouncyCastle.Asn1.Gnu;
 using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Asn1.X9;
+using Org.BouncyCastle.Bcpg.Sig;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.EC;
 using Org.BouncyCastle.Crypto.Parameters;
@@ -437,34 +438,41 @@ public long GetValidSeconds()
 
         private long GetExpirationTimeFromSig(bool selfSigned, int signatureType)
         {
-            long expiryTime = -1;
-            long lastDate = -1;
+            long expiryTime = -1L;
+            long lastDate = -1L;
 
             foreach (PgpSignature sig in GetSignaturesOfType(signatureType))
             {
-                if (selfSigned && sig.KeyId != this.KeyId)
-                    continue;
-
-                PgpSignatureSubpacketVector hashed = sig.GetHashedSubPackets();
-                if (hashed == null)
-                    continue;
-
-                if (!hashed.HasSubpacket(SignatureSubpacketTag.KeyExpireTime))
-                    continue;
-
-                long current = hashed.GetKeyExpirationTime();
-
-                if (sig.KeyId == this.KeyId)
+                if (sig.KeyId == KeyId)
                 {
-                    if (sig.CreationTime.Ticks > lastDate)
+                    /*
+                     * RFC 4880 5.2.4.1: the most recent self-signature wins, even if it omits the Key Expiration Time
+                     * subpacket (which removes any previously asserted expiry).
+                     */
+                    var thisDate = sig.CreationTime.Ticks;
+                    if (thisDate > lastDate)
                     {
-                        lastDate = sig.CreationTime.Ticks;
-                        expiryTime = current;
+                        lastDate = thisDate;
+
+                        PgpSignatureSubpacketVector hashed = sig.GetHashedSubPackets();
+                        expiryTime = hashed == null ? 0L : hashed.GetKeyExpirationTime();
                     }
                 }
-                else if (current == 0 || current > expiryTime)
+                else if (!selfSigned)
                 {
-                    expiryTime = current;
+                    PgpSignatureSubpacketVector hashed = sig.GetHashedSubPackets();
+                    if (hashed != null)
+                    {
+                        var keyExpireTime = hashed.GetSubpacket(SignatureSubpacketTag.KeyExpireTime);
+                        if (keyExpireTime != null)
+                        {
+                            long current = ((KeyExpirationTime)keyExpireTime).Time;
+                            if (current == 0 || current > expiryTime)
+                            {
+                                expiryTime = current;
+                            }
+                        }
+                    }
                 }
             }
 
diff --git a/crypto/src/openpgp/PgpSignatureSubpacketVector.cs b/crypto/src/openpgp/PgpSignatureSubpacketVector.cs
@@ -129,10 +129,7 @@ public long GetIssuerKeyId()
             return p == null ? 0 : ((IssuerKeyId)p).KeyId;
         }
 
-        public bool HasSignatureCreationTime()
-        {
-            return GetSubpacket(SignatureSubpacketTag.CreationTime) != null;
-        }
+        public bool HasSignatureCreationTime() => GetSubpacket(SignatureSubpacketTag.CreationTime) != null;
 
         public DateTime GetSignatureCreationTime()
         {
@@ -142,10 +139,7 @@ public DateTime GetSignatureCreationTime()
             return ((SignatureCreationTime)p).GetTime();
         }
 
-        public bool HasSignatureExpirationTime()
-        {
-            return GetSubpacket(SignatureSubpacketTag.ExpireTime) != null;
-        }
+        public bool HasSignatureExpirationTime() => GetSubpacket(SignatureSubpacketTag.ExpireTime) != null;
 
         /// <summary>
         /// Return the number of seconds a signature is valid for after its creation date.
@@ -159,6 +153,8 @@ public long GetSignatureExpirationTime()
             return p == null ? 0 : ((SignatureExpirationTime)p).Time;
         }
 
+        public bool HasKeyExpirationTime() => GetSubpacket(SignatureSubpacketTag.KeyExpireTime) != null;
+
         /// <summary>
         /// Return the number of seconds a key is valid for after its creation date.
         /// A value of zero means the key never expires.
diff --git a/crypto/test/src/openpgp/test/PGPRSATest.cs b/crypto/test/src/openpgp/test/PGPRSATest.cs
@@ -1,10 +1,12 @@
 using System;
 using System.IO;
 using System.Text;
+using System.Threading;
 
 using NUnit.Framework;
 
 using Org.BouncyCastle.Bcpg.Attr;
+using Org.BouncyCastle.Bcpg.Sig;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Math;
@@ -538,6 +540,64 @@ private void EmbeddedJpegTest()
             }
         }
 
+        private void RemovedExpiryTest()
+        {
+            SecureRandom random = new SecureRandom();
+
+            // RFC 4880 5.2.4.1: a more recent self-signature without a Key Expiration
+            // Time subpacket cancels an earlier self-signature's expiration.
+            char[] passPhrase = "test".ToCharArray();
+            string identity = "TEST <test@test.org>";
+            DateTime date = DateTime.UtcNow;
+
+            var kpg = GeneratorUtilities.GetKeyPairGenerator("RSA");
+            kpg.Init(new RsaKeyGenerationParameters(BigInteger.ValueOf(0x10001), random, 1024, 25));
+
+            var kpSgn = kpg.GenerateKeyPair();
+
+            PgpKeyPair sgnKeyPair = new PgpKeyPair(PublicKeyAlgorithmTag.RsaSign, kpSgn, date);
+
+            PgpSignatureSubpacketGenerator svg = new PgpSignatureSubpacketGenerator();
+            svg.SetKeyExpirationTime(isCritical: true, 86400L * 366 * 2);
+            svg.SetKeyFlags(isCritical: true, KeyFlags.CertifyOther | KeyFlags.SignData);
+            PgpSignatureSubpacketVector hashedPcks = svg.Generate();
+
+            PgpKeyRingGenerator keyRingGen = new PgpKeyRingGenerator(PgpSignature.PositiveCertification, sgnKeyPair,
+                identity, SymmetricKeyAlgorithmTag.Aes256, passPhrase, useSha1: true, hashedPcks, null, random);
+
+            PgpPublicKeyRing keyRing = keyRingGen.GeneratePublicKeyRing();
+
+            // Encode/decode
+            keyRing = new PgpPublicKeyRing(keyRing.GetEncoded());
+
+            PgpPublicKey pKey = keyRing.GetPublicKey();
+
+            if (pKey.GetValidSeconds() != 86400L * 366 * 2)
+            {
+                Fail("initial key expiration time wrong");
+            }
+
+            // Add a newer self-cert that omits KeyExpireTime (intent: remove the expiry).
+            Thread.Sleep(millisecondsTimeout: 1100); // ensure later creation time at one-second granularity
+
+            // TODO[pgp] Add constructor that accepts also sgnKeyPair.PublicKey
+            PgpSignatureGenerator keySigGen = new PgpSignatureGenerator(PublicKeyAlgorithmTag.RsaGeneral,
+                HashAlgorithmTag.Sha1);
+            keySigGen.InitSign(PgpSignature.PositiveCertification, sgnKeyPair.PrivateKey);
+
+            PgpSignatureSubpacketGenerator noExpiry = new PgpSignatureSubpacketGenerator();
+            noExpiry.SetKeyFlags(isCritical: true, KeyFlags.CertifyOther | KeyFlags.SignData);
+            keySigGen.SetHashedSubpackets(noExpiry.Generate());
+
+            pKey = PgpPublicKey.AddCertification(pKey, keySigGen.GenerateCertification(identity, pKey));
+
+            if (pKey.GetValidSeconds() != 0)
+            {
+                Fail("expected getValidSeconds() == 0 after newer self-sig without KEY_EXPIRE_TIME, got "
+                    + pKey.GetValidSeconds());
+            }
+        }
+
         public override void PerformTest()
         {
             //
@@ -897,8 +957,7 @@ public override void PerformTest()
             //
             // use of PgpKeyPair
             //
-            PgpKeyPair pgpKp = new PgpKeyPair(PublicKeyAlgorithmTag.RsaGeneral,
-                kp.Public, kp.Private, DateTime.UtcNow);
+            PgpKeyPair pgpKp = new PgpKeyPair(PublicKeyAlgorithmTag.RsaGeneral, kp, DateTime.UtcNow);
 
             PgpPublicKey k1 = pgpKp.PublicKey;
             PgpPrivateKey k2 = pgpKp.PrivateKey;
@@ -1125,6 +1184,7 @@ public override void PerformTest()
             FingerPrintTest();
             ExistingEmbeddedJpegTest();
             EmbeddedJpegTest();
+            RemovedExpiryTest();
         }
 
         private void PerformTestSig(
