Cleanup fixed time and allow using time offset for crypto operations

Author: KaQuMiQ

crypto/attachment_manual_test.go

@@ -9,8 +9,9 @@ import (
 )
 
 func TestManualAttachmentProcessor(t *testing.T) {
-	pgp.latestServerTime = 1615394034
-	defer func() { pgp.latestServerTime = testTime }()
+	defer SetFixedTime(testTime)
+	SetFixedTime(1615394034)
+
 	passphrase := []byte("wUMuF/lkDPYWH/0ZqqY8kJKw7YJg6kS")
 	pk, err := NewKeyFromArmored(readTestFile("att_key", false))
 	if err != nil {
@@ -86,8 +87,8 @@ func TestManualAttachmentProcessor(t *testing.T) {
 }
 
 func TestManualAttachmentProcessorNotEnoughBuffer(t *testing.T) {
-	pgp.latestServerTime = 1615394034
-	defer func() { pgp.latestServerTime = testTime }()
+	defer SetFixedTime(testTime)
+	SetFixedTime(1615394034)
 	passphrase := []byte("wUMuF/lkDPYWH/0ZqqY8kJKw7YJg6kS")
 	pk, err := NewKeyFromArmored(readTestFile("att_key", false))
 	if err != nil {
@@ -141,8 +142,9 @@ func TestManualAttachmentProcessorNotEnoughBuffer(t *testing.T) {
 }
 
 func TestManualAttachmentProcessorEmptyBuffer(t *testing.T) {
-	pgp.latestServerTime = 1615394034
-	defer func() { pgp.latestServerTime = testTime }()
+	defer SetFixedTime(testTime)
+	SetFixedTime(1615394034)
+
 	passphrase := []byte("wUMuF/lkDPYWH/0ZqqY8kJKw7YJg6kS")
 	pk, err := NewKeyFromArmored(readTestFile("att_key", false))
 	if err != nil {

crypto/base_test.go

@@ -27,7 +27,7 @@ func readTestFile(name string, trimNewlines bool) string {
 }
 
 func init() {
-	UpdateTime(testTime) // 2019-05-13T13:37:07+00:00
+	SetFixedTime(testTime) // 2019-05-13T13:37:07+00:00
 
 	initGenerateKeys()
 	initArmoredKeys()

crypto/gopenpgp.go

@@ -6,15 +6,15 @@ import "sync"
 // GopenPGP is used as a "namespace" for many of the functions in this package.
 // It is a struct that keeps track of time skew between server and client.
 type GopenPGP struct {
-	latestServerTime int64
-	generationOffset int64
-	lock             *sync.RWMutex
+	fixedTime  int64
+	timeOffset int64
+	lock       *sync.RWMutex
 }
 
 var pgp = GopenPGP{
-	latestServerTime: 0,
-	generationOffset: 0,
-	lock:             &sync.RWMutex{},
+	fixedTime:  0,
+	timeOffset: 0,
+	lock:       &sync.RWMutex{},
 }
 
 // clone returns a clone of the byte slice. Internal function used to make sure

crypto/key.go

@@ -447,7 +447,7 @@ func generateKey(
 	cfg := &packet.Config{
 		Algorithm:              packet.PubKeyAlgoRSA,
 		RSABits:                bits,
-		Time:                   getKeyGenerationTimeGenerator(),
+		Time:                   getTimeGenerator(),
 		DefaultHash:            crypto.SHA256,
 		DefaultCipher:          packet.CipherAES256,
 		DefaultCompressionAlgo: packet.CompressionZLIB,

crypto/key_test.go

@@ -221,6 +221,25 @@ func TestIsExpired(t *testing.T) {
 	assert.Exactly(t, true, futureKey.IsExpired())
 }
 
+func TestGeneratedWithOffset(t *testing.T) {
+	defer SetFixedTime(testTime)
+	SetFixedTime(0)
+	defer SetTimeOffset(0)
+	SetTimeOffset(30)
+
+	// generate key with offset
+	keyTestRSA, err := GenerateKey(keyTestName, keyTestDomain, "rsa", 1024)
+	if err != nil {
+		panic("Cannot generate RSA key:" + err.Error())
+	}
+
+	// Bring back offset to zero
+	SetTimeOffset(0)
+
+	// Verify if key was generated with offset
+	assert.GreaterOrEqual(t, keyTestRSA.entity.PrimaryKey.CreationTime.Unix(), GetUnixTime()+30)
+}
+
 func TestGenerateKeyWithPrimes(t *testing.T) {
 	prime1, _ := base64.StdEncoding.DecodeString(
 		"/thF8zjjk6fFx/y9NId35NFx8JTA7jvHEl+gI0dp9dIl9trmeZb+ESZ8f7bNXUmTI8j271kyenlrVJiqwqk80Q==")
@@ -418,10 +437,8 @@ func TestKeyCapabilities(t *testing.T) {
 }
 
 func TestRevokedKeyCapabilities(t *testing.T) {
-	pgp.latestServerTime = 1632219895
-	defer func() {
-		pgp.latestServerTime = testTime
-	}()
+	defer SetFixedTime(testTime)
+	SetFixedTime(1632219895)
 
 	revokedKey, err := NewKeyFromArmored(readTestFile("key_revoked", false))
 	if err != nil {

crypto/keyring_test.go

@@ -236,11 +236,10 @@ func TestKeyringCapabilities(t *testing.T) {
 }
 
 func TestVerificationTime(t *testing.T) {
+	defer SetFixedTime(testTime)
+	SetFixedTime(1632312383)
 	message := NewPlainMessageFromString("Hello")
-	pgp.latestServerTime = 1632312383
-	defer func() {
-		pgp.latestServerTime = testTime
-	}()
+
 	enc, err := keyRingTestPublic.Encrypt(
 		message,
 		keyRingTestPrivate,

crypto/message_test.go

@@ -211,10 +211,8 @@ func TestBinaryMessageEncryption(t *testing.T) {
 }
 
 func TestIssue11(t *testing.T) {
-	pgp.latestServerTime = 1559655272
-	defer func() {
-		pgp.latestServerTime = testTime
-	}()
+	defer SetFixedTime(testTime)
+	SetFixedTime(1559655272)
 
 	var issue11Password = []byte("1234")
 
@@ -258,8 +256,8 @@ func TestIssue11(t *testing.T) {
 }
 
 func TestDummy(t *testing.T) {
-	pgp.latestServerTime = 1636644417
-	defer func() { pgp.latestServerTime = testTime }()
+	defer SetFixedTime(testTime)
+	SetFixedTime(1636644417)
 
 	dummyKey, err := NewKeyFromArmored(readTestFile("key_dummy", false))
 	if err != nil {

crypto/signature_test.go

@@ -139,12 +139,11 @@ func TestVerifyBinDetachedSig(t *testing.T) {
 }
 
 func Test_KeyRing_GetVerifiedSignatureTimestampSuccess(t *testing.T) {
-	message := NewPlainMessageFromString(testMessage)
+	defer SetFixedTime(testTime)
 	var time int64 = 1600000000
-	pgp.latestServerTime = time
-	defer func() {
-		pgp.latestServerTime = testTime
-	}()
+	SetFixedTime(time)
+	message := NewPlainMessageFromString(testMessage)
+
 	signature, err := keyRingTestPrivate.SignDetached(message)
 	if err != nil {
 		t.Errorf("Got an error while generating the signature: %v", err)
@@ -159,12 +158,10 @@ func Test_KeyRing_GetVerifiedSignatureTimestampSuccess(t *testing.T) {
 }
 
 func Test_KeyRing_GetVerifiedSignatureTimestampWithContext(t *testing.T) {
-	message := NewPlainMessageFromString(testMessage)
+	defer SetFixedTime(testTime)
 	var time int64 = 1600000000
-	pgp.latestServerTime = time
-	defer func() {
-		pgp.latestServerTime = testTime
-	}()
+	SetFixedTime(time)
+	message := NewPlainMessageFromString(testMessage)
 	var testContext = "test-context"
 	signature, err := keyRingTestPrivate.SignDetachedWithContext(message, NewSigningContext(testContext, true))
 	if err != nil {
@@ -259,12 +256,10 @@ func getTimestampOfIssuer(signature *PGPSignature, keyID uint64) int64 {
 }
 
 func Test_KeyRing_GetVerifiedSignatureTimestampError(t *testing.T) {
-	message := NewPlainMessageFromString(testMessage)
+	defer SetFixedTime(testTime)
 	var time int64 = 1600000000
-	pgp.latestServerTime = time
-	defer func() {
-		pgp.latestServerTime = testTime
-	}()
+	SetFixedTime(time)
+	message := NewPlainMessageFromString(testMessage)
 	signature, err := keyRingTestPrivate.SignDetached(message)
 	if err != nil {
 		t.Errorf("Got an error while generating the signature: %v", err)
@@ -616,12 +611,13 @@ func Test_VerifyDetachedWithDoubleContext(t *testing.T) {
 }
 
 func Test_verifySignaturExpire(t *testing.T) {
-	defer func(t int64) { pgp.latestServerTime = t }(pgp.latestServerTime)
-	pgp.latestServerTime = 0
+	defer SetFixedTime(testTime)
+	SetFixedTime(0)
 
 	const lifetime = uint32(time.Hour / time.Second)
 
 	cfg := &packet.Config{
+		Time:                   GetTime,
 		Algorithm:              packet.PubKeyAlgoEdDSA,
 		DefaultHash:            crypto.SHA256,
 		DefaultCipher:          packet.CipherAES256,
@@ -655,10 +651,7 @@ func Test_verifySignaturExpire(t *testing.T) {
 
 	sig := NewPGPSignature(signature.GetBinary())
 
-	// packet.PublicKey.KeyExpired will return false here because PublicKey CreationTime has
-	// nanosecond precision, while pgpcrypto.GetUnixTime() has only second precision.
-	// Adjust the check time to be in the future to ensure that the key is not expired.
-	err = keyRing.VerifyDetached(message, sig, GetUnixTime()+1)
+	err = keyRing.VerifyDetached(message, sig, GetUnixTime())
 	if err != nil {
 		t.Fatal(err)
 	}

crypto/time.go

@@ -4,22 +4,22 @@ import (
 	"time"
 )
 
-// UpdateTime updates cached time.
-func UpdateTime(newTime int64) {
+// SetFixedTime updates fixed time used for crypto operations.
+// Setting 0 will cause system time to be used.
+func SetFixedTime(newTime int64) {
 	pgp.lock.Lock()
 	defer pgp.lock.Unlock()
 
-	if newTime > pgp.latestServerTime {
-		pgp.latestServerTime = newTime
-	}
+	pgp.fixedTime = newTime
 }
 
-// SetKeyGenerationOffset updates the offset when generating keys.
-func SetKeyGenerationOffset(offset int64) {
+// SetTimeOffset updates time offset used for crypto operations.
+// Offset will be applied to all crypto operations unless fixed time is used.
+func SetTimeOffset(newOffset int64) {
 	pgp.lock.Lock()
 	defer pgp.lock.Unlock()
 
-	pgp.generationOffset = offset
+	pgp.timeOffset = newOffset
 }
 
 // GetUnixTime gets latest cached time.
@@ -39,31 +39,14 @@ func getNow() time.Time {
 	pgp.lock.RLock()
 	defer pgp.lock.RUnlock()
 
-	if pgp.latestServerTime == 0 {
-		return time.Now()
+	if pgp.fixedTime == 0 {
+		return time.Unix(time.Now().Unix()+pgp.timeOffset, 0)
 	}
 
-	return time.Unix(pgp.latestServerTime, 0)
+	return time.Unix(pgp.fixedTime, 0)
 }
 
 // getTimeGenerator Returns a time generator function.
 func getTimeGenerator() func() time.Time {
 	return getNow
 }
-
-// getNowKeyGenerationOffset returns the current time with the key generation offset.
-func getNowKeyGenerationOffset() time.Time {
-	pgp.lock.RLock()
-	defer pgp.lock.RUnlock()
-
-	if pgp.latestServerTime == 0 {
-		return time.Unix(time.Now().Unix()+pgp.generationOffset, 0)
-	}
-
-	return time.Unix(pgp.latestServerTime+pgp.generationOffset, 0)
-}
-
-// getKeyGenerationTimeGenerator Returns a time generator function with the key generation offset.
-func getKeyGenerationTimeGenerator() func() time.Time {
-	return getNowKeyGenerationOffset
-}

crypto/time_test.go

@@ -7,11 +7,29 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestTime(t *testing.T) {
-	UpdateTime(1571072494)
+func Test_SetFixedTime(t *testing.T) {
+	defer SetFixedTime(testTime)
+	SetFixedTime(1571072494)
 	time.Sleep(1 * time.Second)
 	now := GetUnixTime()
 
-	assert.Exactly(t, int64(1571072494), now) // Use latest server time
-	UpdateTime(testTime)
+	assert.Exactly(t, int64(1571072494), now) // Use fixed time
+}
+
+func Test_TimeOffset(t *testing.T) {
+	defer SetFixedTime(testTime)
+	defer SetTimeOffset(0)
+	SetFixedTime(testTime)
+	SetTimeOffset(30)
+	time.Sleep(1 * time.Second)
+	now := GetUnixTime()
+
+	assert.Exactly(t, int64(testTime), now) // Use fixed time without offset
+
+	SetFixedTime(0)
+	SetTimeOffset(0)
+	now = GetUnixTime()
+	SetTimeOffset(30)
+
+	assert.GreaterOrEqual(t, GetUnixTime(), now+30) // Use offset with no fixed time
 }