diff options
-rw-r--r-- | openpgp/src/cert/builder.rs | 22 | ||||
-rw-r--r-- | openpgp/src/packet/signature/mod.rs | 19 | ||||
-rw-r--r-- | openpgp/src/packet/signature/subpacket.rs | 2 |
3 files changed, 39 insertions, 4 deletions
diff --git a/openpgp/src/cert/builder.rs b/openpgp/src/cert/builder.rs index f5667cd7..c771c1ce 100644 --- a/openpgp/src/cert/builder.rs +++ b/openpgp/src/cert/builder.rs @@ -278,9 +278,21 @@ impl CertBuilder { /// Sets the creation time. /// - /// If `creation_time` is `None`, the default, this causes the + /// If `creation_time` is not `None`, this causes the /// `CertBuilder` to use that time when [`CertBuilder::generate`] - /// is called. + /// is called. If it is `None`, the default, then the current + /// time minus 60 seconds is used as creation time. Backdating + /// the certificate by a minute has the advantage that the + /// certificate can immediately be customized: + /// + /// In order to reliably override a binding signature, the + /// overriding binding signature must be newer than the existing + /// signature. If, however, the existing signature is created + /// `now`, any newer signature must have a future creation time, + /// and is considered invalid by Sequoia. To avoid this, we + /// backdate certificate creation times (and hence binding + /// signature creation times), so that there is "space" between + /// the creation time and now for signature updates. /// /// Warning: this function takes a [`SystemTime`]. A `SystemTime` /// has a higher resolution, and a larger range than an OpenPGP @@ -942,7 +954,11 @@ impl CertBuilder { use std::convert::TryFrom; let creation_time = - self.creation_time.unwrap_or_else(std::time::SystemTime::now); + self.creation_time.unwrap_or_else(|| { + use crate::packet::signature::SIG_BACKDATE_BY; + time::SystemTime::now() - + time::Duration::new(SIG_BACKDATE_BY, 0) + }); let mut packets = Vec::<Packet>::with_capacity( 1 + 1 + self.subkeys.len() + self.userids.len() diff --git a/openpgp/src/packet/signature/mod.rs b/openpgp/src/packet/signature/mod.rs index f0341a18..dadd69f9 100644 --- a/openpgp/src/packet/signature/mod.rs +++ b/openpgp/src/packet/signature/mod.rs @@ -173,6 +173,25 @@ macro_rules! impl_arbitrary_with_bound { pub mod subpacket; +/// How many seconds to backdate signatures. +/// +/// When creating certificates (more specifically, binding +/// signatures), and when updating binding signatures (creating +/// signatures from templates), we backdate the signatures by this +/// amount if no creation time is explicitly given. Backdating the +/// certificate by a minute has the advantage that the certificate can +/// immediately be customized: +/// +/// In order to reliably override a binding signature, the +/// overriding binding signature must be newer than the existing +/// signature. If, however, the existing signature is created +/// `now`, any newer signature must have a future creation time, +/// and is considered invalid by Sequoia. To avoid this, we +/// backdate certificate creation times (and hence binding +/// signature creation times), so that there is "space" between +/// the creation time and now for signature updates. +pub(crate) const SIG_BACKDATE_BY: u64 = 60; + /// The data stored in a `Signature` packet. /// /// This data structure contains exactly those fields that appear in a diff --git a/openpgp/src/packet/signature/subpacket.rs b/openpgp/src/packet/signature/subpacket.rs index edac6b72..0510acc3 100644 --- a/openpgp/src/packet/signature/subpacket.rs +++ b/openpgp/src/packet/signature/subpacket.rs @@ -2358,7 +2358,7 @@ impl SubpacketAreas { /// /// assert!(sig.key_alive(pk, None).is_ok()); /// // A key is not considered alive prior to its creation time. - /// let the_past = SystemTime::now() - Duration::new(10, 0); + /// let the_past = SystemTime::now() - Duration::new(300, 0); /// assert!(sig.key_alive(pk, the_past).is_err()); /// # Ok(()) } /// ``` |