diff --git a/crates/derive/keyfork-derive-openpgp/src/lib.rs b/crates/derive/keyfork-derive-openpgp/src/lib.rs index 6ba7755..d5633d7 100644 --- a/crates/derive/keyfork-derive-openpgp/src/lib.rs +++ b/crates/derive/keyfork-derive-openpgp/src/lib.rs @@ -71,6 +71,7 @@ pub fn derive(xprv: XPrv, keys: &[KeyFlags], userid: &UserID) -> Result { }; let epoch = SystemTime::UNIX_EPOCH + Duration::from_secs(1); + let now = SystemTime::now(); let expiration_date = match std::env::var("KEYFORK_OPENPGP_EXPIRE").as_mut() { Ok(var) => { let ch = var.pop(); @@ -82,26 +83,27 @@ pub fn derive(xprv: XPrv, keys: &[KeyFlags], userid: &UserID) -> Result { 'y' => 365, _ => unreachable!(), }; - SystemTime::now() + Duration::from_secs(60 * 60 * 24 * expire * multiplier) + now + Duration::from_secs(60 * 60 * 24 * expire * multiplier) } - _ => SystemTime::now() + Duration::from_secs(60 * 60 * 24), + _ => now + Duration::from_secs(60 * 60 * 24), } } - Err(_) => SystemTime::now() + Duration::from_secs(60 * 60 * 24), + Err(_) => now + Duration::from_secs(60 * 60 * 24), }; // Create certificate with initial key and signature let derived_primary_key = xprv.derive_child(&DerivationIndex::new(0, true)?)?; - let primary_key = Key::from(Key4::<_, PrimaryRole>::import_secret_ed25519( + let mut primary_key = Key::from(Key4::<_, PrimaryRole>::import_secret_ed25519( &PrivateKey::to_bytes(derived_primary_key.private_key()), epoch, )?); + primary_key.set_creation_time(epoch)?; let cert = Cert::from_packets(vec![Packet::SecretKey(primary_key.clone())].into_iter())?; // Sign and attach primary key and primary userid let builder = SignatureBuilder::new(SignatureType::PositiveCertification) .set_key_validity_period(expiration_date.duration_since(epoch)?)? - .set_signature_creation_time(epoch)? + // .set_signature_creation_time(now)? .set_key_flags(primary_key_flags.clone())?; let binding = userid.bind(&mut primary_key.clone().into_keypair()?, &cert, builder)?; let cert = cert.insert_packets(vec![Packet::from(userid.clone()), binding.into()])?; @@ -123,7 +125,7 @@ pub fn derive(xprv: XPrv, keys: &[KeyFlags], userid: &UserID) -> Result { let is_non_enc = subkey_flags.for_certification() || subkey_flags.for_signing() || subkey_flags.for_authentication(); - let subkey = if is_enc && is_non_enc { + let mut subkey = if is_enc && is_non_enc { return Err(Error::InvalidKeyFlags(subkey_flags.clone())); } else if is_enc { // Clamp key before exporting as OpenPGP. Reference: @@ -143,15 +145,17 @@ pub fn derive(xprv: XPrv, keys: &[KeyFlags], userid: &UserID) -> Result { )?) }; + subkey.set_creation_time(epoch)?; + // As per OpenPGP spec, signing keys must backsig the primary key let builder = if subkey_flags.for_signing() { SignatureBuilder::new(SignatureType::SubkeyBinding) .set_key_flags(subkey_flags.clone())? - .set_signature_creation_time(epoch)? + // .set_signature_creation_time(epoch)? .set_key_validity_period(expiration_date.duration_since(epoch)?)? .set_embedded_signature( SignatureBuilder::new(SignatureType::PrimaryKeyBinding) - .set_signature_creation_time(epoch)? + //.set_signature_creation_time(epoch)? .sign_primary_key_binding( &mut subkey.clone().into_keypair()?, &primary_key, @@ -161,7 +165,7 @@ pub fn derive(xprv: XPrv, keys: &[KeyFlags], userid: &UserID) -> Result { } else { SignatureBuilder::new(SignatureType::SubkeyBinding) .set_key_flags(subkey_flags.clone())? - .set_signature_creation_time(epoch)? + // .set_signature_creation_time(epoch)? .set_key_validity_period(expiration_date.duration_since(epoch)?)? };