Question: How to detect secure key's expiration date?

Open · mkarg opened this issue 4 years ago • 1 comment

We are using Bouncy Castle in Sign Maven Plugin to deal with PGP keys and have three questions regarding correctly checking secret key for expiration:

  1. Currently we do secretKey.getPublicKey().getValidSeconds() because we could not find something like secretKey.getValidSeconds(). We noticed there is method secretKey.replacePublicKey, so we assume that for a given secret key, the expiration date will effectively change by such a call, so we assume that in fact a key ring could contain a ring where the expiration date of the secret key is different to the expiration date of the public key. Does this possibility exist? Hence we are wondering if we are doing the expiration check correctly or whether there is a better way to find out the expiration date of the secret key?
  2. Currently we do secretKey.getPublicKey().getCreationTime() because there is no secretKey.getCreationTime(). As the public key apparently can be replaced (see 1.), we wonder how to really get the secret key's creation date?
  3. getCreationTime() returns a java.util.Date, i.e. no time zone. So effectively the validity of the key would be different in the same instant when performed at different locations on earth. This is a security risk, so we wonder how to deal with that?

Thanks a lot for maintaining that awesome library and kindly answering our questions!

mkarg avatar Dec 31 '20 11:12 mkarg

Would be nice if anybody could kindly answer our questions, thanks a lot! :-)

mkarg avatar Jan 08 '21 18:01 mkarg

Might be a bit late, but here are my two cents:

> We noticed there is method secretKey.replacePublicKey, so we assume that for a given secret key, the expiration date will effectively change by such a call, so we assume that in fact a key ring could contain a ring where the expiration date of the secret key is different to the expiration date of the public key.

No. Expiration date of keys is stored in self-signatures, which only exist on the public key. So while the expiration date of a key can change when new signatures are added to a key, the only source of truth for the expiration date is self-signatures on the public key. The secret key itself does not carry any signatures.

> Currently we do secretKey.getPublicKey().getCreationTime() because there is no secretKey.getCreationTime(). As the public key apparently can be replaced (see 1.), we wonder how to really get the secret key's creation date?

What you do is correct. The creation time of a key is encoded into the public key. Would the creation time change (which does not happen in practice), the key would de facto become a new key, since its fingerprint would change. Retrieving the creation time from the public key is the correct thing to do.

> getCreationTime() returns a java.util.Date, i.e. no time zone. So effectively the validity of the key would be different in the same instant when performed at different locations on earth. This is a security risk, so we wonder how to deal with that?

I think this depends on how you compare the expiration time.

vanitasvitae avatar Jun 13 '23 14:06 vanitasvitae
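The following helper is an added example written for this page; it is not code from the issue, from the Sign Maven Plugin, or from Bouncy Castle itself. It puts the answer above into practice: both creation time and expiration are read from the public key half of the PGPSecretKey (getCreationTime() and getValidSeconds(), where 0 means "no expiration"), and the comparison is done on java.time.Instant so that the result is the same regardless of the local time zone. The class name KeyValidity, the method names, and the sample key parameters in main are assumptions; the BC types PGPSecretKey and PGPPublicKey are assumed to come from the bcpg artifact on the classpath.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.Optional;

import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKey;

/**
 * Hypothetical helper (not part of Bouncy Castle) that derives a PGP key's validity
 * window from the public key half of a PGPSecretKey. As the answer above explains,
 * the expiration lives in self-signatures on the public key and the creation time is
 * part of the public key packet, so the secret key is never consulted for either.
 */
public final class KeyValidity {

    private KeyValidity() {}

    /**
     * Absolute expiry instant, or empty when the key never expires.
     * A java.util.Date is a point on the time line (milliseconds since the Unix epoch),
     * so converting it to Instant makes the arithmetic independent of any time zone.
     */
    static Optional<Instant> expiresAt(Date creationTime, long validSeconds) {
        if (validSeconds <= 0) {
            return Optional.empty();          // OpenPGP: validity of 0 means "does not expire"
        }
        return Optional.of(creationTime.toInstant().plus(Duration.ofSeconds(validSeconds)));
    }

    /** Valid when created on or before 'now' and 'now' is strictly before the expiry. */
    static boolean isValidAt(Date creationTime, long validSeconds, Instant now) {
        if (now.isBefore(creationTime.toInstant())) {
            return false;                     // creation time in the future: not yet valid
        }
        return expiresAt(creationTime, validSeconds).map(now::isBefore).orElse(true);
    }

    // Bouncy Castle overloads: everything is read from the public key, as the answer says.
    public static Optional<Instant> expiresAt(PGPPublicKey pub) {
        return expiresAt(pub.getCreationTime(), pub.getValidSeconds());
    }

    public static boolean isValidAt(PGPPublicKey pub, Instant now) {
        return isValidAt(pub.getCreationTime(), pub.getValidSeconds(), now);
    }

    public static Optional<Instant> expiresAt(PGPSecretKey secret) {
        return expiresAt(secret.getPublicKey());
    }

    public static boolean isValidAt(PGPSecretKey secret, Instant now) {
        return isValidAt(secret.getPublicKey(), now);
    }

    public static void main(String[] args) {
        // Constructed sample key: created 2020-12-31T11:12:00Z, valid for 365 days,
        // so it expires at 2021-12-31T11:12:00Z (2021 is not a leap year).
        Date created = Date.from(Instant.parse("2020-12-31T11:12:00Z"));
        long validSeconds = Duration.ofDays(365).getSeconds();

        // The same instant, expressed from two different wall clocks (UTC and Tokyo, UTC+9).
        Instant fromUtc = ZonedDateTime.of(2021, 12, 31, 11, 11, 0, 0, ZoneOffset.UTC).toInstant();
        Instant fromTokyo = ZonedDateTime.of(2021, 12, 31, 20, 11, 0, 0, ZoneId.of("Asia/Tokyo")).toInstant();

        System.out.println("expires at  : " + expiresAt(created, validSeconds).orElse(null));
        System.out.println("same instant: " + fromUtc.equals(fromTokyo));                // true
        System.out.println("valid (UTC) : " + isValidAt(created, validSeconds, fromUtc));   // true
        System.out.println("valid (JST) : " + isValidAt(created, validSeconds, fromTokyo)); // true
        System.out.println("at expiry   : " + isValidAt(created, validSeconds,
                Instant.parse("2021-12-31T11:12:00Z")));                                  // false
        System.out.println("never expires: " + isValidAt(created, 0L, fromUtc));           // true
    }
}
```

Two points worth keeping in mind when using this. First, passing the reference instant in explicitly (rather than calling Instant.now() inside the check) keeps the decision reproducible in tests and in audit logs. Second, getValidSeconds() reports whatever expiration Bouncy Castle finds in the key's self-signatures, so the check is only as trustworthy as the key ring it came from: a key ring whose self-signatures have not been verified can carry any expiration value.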