hockeypuck

Ubuntu PGP keyserver computes incorrect expiry times

Bug #1885374 reported by Jivan Pal
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
hockeypuck
New
Undecided
Unassigned

Bug Description

The Ubuntu keyserver website (http://keyserver.ubuntu.com and https://keyserver.ubuntu.com) shows incorrect expiry times for subkeys of some keys (though what specific conditions must be met to cause this bug, I am not sure). However, the key material stored on the keyserver is correct, and thus if the key is downloaded and imported into a local OpenPGP client (e.g. GnuPG), all expiry times are reported correctly. Thus, this bug only appears to affect the website frontend (that is, the expiry times which users will see if looking at search results on the website). It seems that the expiry times shown on the website for subkeys are being incorrectly computed as:

    *PRIMARY KEY* CREATION TIME + *SUBKEY* VALIDITY DURATION;

rather than:

    *SUBKEY* CREATION TIME + *SUBKEY* VALIDITY DURATION;

where:

    - PRIMARY KEY CREATION TIME refers to the key creation timestamp
      stored in the key's Public Key Packet (packet Tag 6);

    - SUBKEY CREATION TIME refers to the subkey creation timestamp stored
      in the Public Subkey Packet (packet Tag 14) for a given subkey; and

    - SUBKEY VALIDITY DURATION refers to the value given in the
      Key Expiration Time field (signature subpacket Type 9) of a
      Signature Packet (packet Tag 2) that pertains to the given subkey;

subject to the definitions given in RFC 4880.

    * * *

For example, the key with the following fingerprint exhibits this bug:
C62A 7455 5725 AB6D BA14 D1C2 92C8 C442 E2EE C796; which can be found at:
https://keyserver.ubuntu.com/pks/lookup?search=0x92C8C442E2EEC796&op=index

The key expiry times stated in signatures listed for:

    - the primary key (0xE2EEC796, created at 2019-01-10T00:03:22Z); and

    - the subkey which was created at the same time as the primary key
      (0x6C9E5795, also created at 2019-01-10T00:03:22Z);

are correct, but those listed for the other subkeys (0xD0D6987A, 0x0D75406B, 0x98CD505A) are incorrect, in the manner described above. (NOTE: The creation times of the signatures themselves are listed correctly; it is only the key expiration times that are affected.)

In particular:

    - the expiry time of 0xD0D6987A given in the signature created at
      2020-06-24T19:51:57Z is listed as 2019-07-06T01:36:20Z, when it
      should be 2020-06-30T23:59:59Z;

    - the expiry times of 0x0D75406B and 0x98CD505A given in each of the
      signatures created at 2020-07-01T00:00:01Z are listed as
      2019-01-10T00:03:24Z, when they should be 2020-07-01T00:00:02Z.

See original description
Jivan Pal (jivanpal)
description: updated
description: updated
description: updated
description: updated
Jivan Pal (jivanpal)
description: updated
affects: ubuntu → hockeypuck
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.