openpgp: Be tolerant when deciding wheter a signature is alive.

- Consider the following scenario: computer A's clock says 9:00.00 and signs and sends a message to computer B. Computer B's clock says 8:59.59, it receives the message and tries to verify it. From Computer B's perspective, the signature is not valid, because it was generated in the future. - This situation occured, because the two clocks were not completely synchronized. Unfortunately, a few seconds of clock skew are not unusual, particularly when dealing with VMs. - Since it is almost always better to consider such messages as valid, be tolerant when deciding whether a signature is alive.
author: Neal H. Walfield <neal@pep.foundation> 2019-11-11 19:51:04 +0100
committer: Neal H. Walfield <neal@pep.foundation> 2019-11-19 11:04:05 +0100
commit: ec03e1614a48fbe30f1200cb18bb00c7135f5242 (patch)
tree: 363aa6030de4fcb00d727830acbc308703a20468 /openpgp/src/parse
parent: a5fade1d635d75e474294a06870251d8f617db08 (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/openpgp/src/parse/stream.rs b/openpgp/src/parse/stream.rs
index ff381ea7..3f33e833 100644
--- a/openpgp/src/parse/stream.rs
+++ b/openpgp/src/parse/stream.rs
@@ -486,7 +486,7 @@ impl<'a, H: VerificationHelper> Verifier<'a, H> {
             if let Some(sig) = sig {
                 sig.key_flags().can_sign()
                 // Check expiry.
-                    && sig.signature_alive(t)
+                    && sig.signature_alive(t, None)
                     && sig.key_alive(key, t)
             } else {
                 false
@@ -612,7 +612,7 @@ impl<'a, H: VerificationHelper> Verifier<'a, H> {
                                 let (binding, revocation, key)
                                     = tpk.keys_all().nth(*j).unwrap();
                                 if sig.verify(key).unwrap_or(false) {
-                                    if sig.signature_alive(self.time) {
+                                    if sig.signature_alive(self.time, None) {
                                         VerificationResult::GoodChecksum
                                             (sig, tpk, key, binding,
                                              revocation)
@@ -1316,7 +1316,7 @@ impl<'a, H: VerificationHelper + DecryptionHelper> Decryptor<'a, H> {
                             if let Some(sig) = sig {
                                 sig.key_flags().can_sign()
                                 // Check expiry.
-                                    && sig.signature_alive(t)
+                                    && sig.signature_alive(t, None)
                                     && sig.key_alive(key, t)
                             } else {
                                 false
@@ -1463,7 +1463,7 @@ impl<'a, H: VerificationHelper + DecryptionHelper> Decryptor<'a, H> {
                                     let (binding, revocation, key)
                                         = tpk.keys_all().nth(*j).unwrap();
                                     if sig.verify(key).unwrap_or(false) &&
-                                        sig.signature_alive(self.time)
+                                        sig.signature_alive(self.time, None)
                                     {
                                         // Check intended recipients.
                                         if let Some(identity) =
author	Neal H. Walfield <neal@pep.foundation>	2019-11-11 19:51:04 +0100
committer	Neal H. Walfield <neal@pep.foundation>	2019-11-19 11:04:05 +0100
commit	ec03e1614a48fbe30f1200cb18bb00c7135f5242 (patch)
tree	363aa6030de4fcb00d727830acbc308703a20468 /openpgp/src/parse
parent	a5fade1d635d75e474294a06870251d8f617db08 (diff)