diff --git a/src/cryptotech.h b/src/cryptotech.h
index 0c2a579a..77a00268 100644
--- a/src/cryptotech.h
+++ b/src/cryptotech.h
@@ -61,7 +61,7 @@ typedef PEP_STATUS (*revoke_key_t)(PEP_SESSION session, const char *fpr,
 const char *reason);
 typedef PEP_STATUS (*key_expired_t)(PEP_SESSION session, const char *fpr,
- bool *expired);
+ const time_t when, bool *expired);
 typedef PEP_STATUS (*key_revoked_t)(PEP_SESSION session, const char *fpr,
 bool *revoked);
diff --git a/src/keymanagement.c b/src/keymanagement.c
index 8c9f6505..58e51b19 100644
--- a/src/keymanagement.c
+++ b/src/keymanagement.c
@@ -412,7 +412,10 @@ DYNAMIC_API PEP_STATUS myself(PEP_SESSION session, pEp_identity * identity)
 else
 {
 bool expired;
- status = key_expired(session, identity->fpr, &expired);
+ status = key_expired(session, identity->fpr,
+ time(NULL) + (7*24*3600), // In a week
+ &expired);
+ assert(status == PEP_STATUS_OK);
 if (status != PEP_STATUS_OK) {
 return status;
diff --git a/src/pEpEngine.c b/src/pEpEngine.c
index 77be32de..5780b7db 100644
--- a/src/pEpEngine.c
+++ b/src/pEpEngine.c
@@ -1205,6 +1205,7 @@ DYNAMIC_API PEP_STATUS revoke_key(
 DYNAMIC_API PEP_STATUS key_expired(
 PEP_SESSION session,
 const char *fpr,
+ const time_t when,
 bool *expired
 )
 {
@@ -1216,7 +1217,7 @@ DYNAMIC_API PEP_STATUS key_expired(
 return PEP_ILLEGAL_VALUE;
 return session->cryptotech[PEP_crypt_OpenPGP].key_expired(session, fpr,
- expired);
+ when, expired);
 }
 DYNAMIC_API PEP_STATUS key_revoked(
diff --git a/src/pEpEngine.h b/src/pEpEngine.h
index c65d9242..68b172c7 100644
--- a/src/pEpEngine.h
+++ b/src/pEpEngine.h
@@ -706,11 +706,13 @@ DYNAMIC_API PEP_STATUS revoke_key(
 // parameters:
 // session (in) session handle
 // fpr (in) ID of key to check as UTF-8 string
+// when (in) UTC time of when should expiry be considered
 // expired (out) flag if key expired
 DYNAMIC_API PEP_STATUS key_expired(
 PEP_SESSION session,
 const char *fpr,
+ const time_t when,
 bool *expired
 );
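Review bot: `time(NULL) + (7*24*3600)` in the `key_expired` call of the keymanagement.c hunk hard-codes the look-ahead window as an inline expression and uses the result of `time()` unchecked; if `time()` returns `(time_t)-1`, the computed `when` falls about a week after the epoch and the look-ahead comparison can no longer flag anything. Suggest a named constant defined once and a guard, e.g. `const time_t now = time(NULL);` followed by `if (now == (time_t)-1) return PEP_UNKNOWN_ERROR;`, then pass `now + KEY_EXPIRY_LOOKAHEAD` (the constant name is only a suggestion). The look-ahead also only takes effect with the GnuPG backend, since the pgp_netpgp.c hunk leaves `when` unused behind a TODO. The enclosing `myself()` starts and ends outside the hunk, so what happens once `expired` is set cannot be checked here.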
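Review bot: The new `when` line in the pEpEngine.h parameter comment does not say what unit or reference the value uses, nor what a caller passes to get the previous behaviour; suggest `//      when (in)       point in time (time_t, seconds since the epoch, UTC) at which expiry is evaluated; pass time(NULL) to ask whether the key is expired now`. Because `key_expired` is exported with `DYNAMIC_API`, the added parameter changes the signature for existing callers and language bindings, which is worth stating in the commit description. Whether pEpEngine.h already includes `<time.h>` for `time_t` is not visible in the hunk.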
diff --git a/src/pgp_gpg.c b/src/pgp_gpg.c
index 9432ff04..a33bdc90 100644
--- a/src/pgp_gpg.c
+++ b/src/pgp_gpg.c
@@ -1783,6 +1783,7 @@ PEP_STATUS pgp_revoke_key(
 PEP_STATUS pgp_key_expired(
 PEP_SESSION session,
 const char *fpr,
+ const time_t when,
 bool *expired
 )
 {
@@ -1799,9 +1800,34 @@ PEP_STATUS pgp_key_expired(
 if (status != PEP_STATUS_OK)
 return status;
- if (key && key->subkeys)
+ if ((key && key->expired) ||
+ (key && key->subkeys && key->subkeys->expired))
+ {
+ // Already marked expired
+ *expired = 1;
+ }
+ else if (key)
 {
- *expired = key->subkeys->expired;
+ // Detect if will be expired
+ // i.e. Check that keys capabilities will
+ // not be expired at given time.
+ gpgme_subkey_t _sk;
+ bool crt_available = false;
+ bool sgn_available = false;
+ bool enc_available = false;
+ for (_sk = key->subkeys; _sk; _sk = _sk->next) {
+ if (_sk->expires > when) // not expired at that date ?
+ {
+ if (_sk->can_certify) crt_available = true;
+ if (_sk->can_sign) sgn_available = true;
+ if (_sk->can_encrypt) enc_available = true;
+ // Authenticate is not used here.
+ }
+ }
+ if(!(crt_available && sgn_available && enc_available))
+ {
+ *expired = 1;
+ }
 }
 else
 {
diff --git a/src/pgp_gpg.h b/src/pgp_gpg.h
index 7ac32d4c..fb44a209 100644
--- a/src/pgp_gpg.h
+++ b/src/pgp_gpg.h
@@ -61,6 +61,7 @@ PEP_STATUS pgp_revoke_key(
 PEP_STATUS pgp_key_expired(
 PEP_SESSION session,
 const char *fpr,
+ const time_t when,
 bool *expired
 );
diff --git a/src/pgp_netpgp.c b/src/pgp_netpgp.c
index 07950587..181904f4 100644
--- a/src/pgp_netpgp.c
+++ b/src/pgp_netpgp.c
@@ -1597,6 +1597,7 @@ unlock_netpgp:
 PEP_STATUS pgp_key_expired(
 PEP_SESSION session,
 const char *fprstr,
+ const time_t when,
 bool *expired
 )
 {
@@ -1610,6 +1611,7 @@ PEP_STATUS pgp_key_expired(
 if (!session || !fprstr || !expired)
 return PEP_UNKNOWN_ERROR;
+ // TODO : take "when" in account
 *expired = false;
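Review bot: In the new subkey loop of `pgp_key_expired` (pgp_gpg.c, second hunk), `_sk->expires > when` treats a subkey that never expires as unavailable, because GPGME reports `expires` as 0 for such subkeys; a key with no expiry date would then be reported as expired. The test should read `if (_sk->expires == 0 || _sk->expires > when)`, and it should probably also skip subkeys with `_sk->revoked` or `_sk->invalid` set so that they do not count toward the certify/sign/encrypt capabilities. The lines shown only ever assign `*expired = 1`, whereas the removed `*expired = key->subkeys->expired;` also wrote false. Unless `*expired` is cleared before this point (the start of the function is outside the hunk), the not-expired path leaves the caller's uninitialized `bool expired;` in keymanagement.c indeterminate; an explicit `*expired = false;` ahead of the `if` would close that gap.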