Regression with PGP valid days from 1.46 to 1.56 (tested version)


Regression with PGP valid days from 1.46 to 1.56 (tested version)

Henning Schmiedehausen-2
Hi,

so we just migrated a large(ish) application that used bc 1.46 (both bcprov and bcpg) to 1.56. And we noted an interesting regression:

We have a number of PGP keys that have multiple signatures with different validity periods. For example we have one key that was issued for 10 years and exported and then edited to be only five days valid. And then the exported signature was back imported (don't ask). gpg2 reports this key as "valid for five days". bc 1.46 considered the key valid for five days. But bc 1.56 reported it valid for 10 years.

I would have liked to file a bug in JIRA but bouncycastle.org/jira seems to be down. 

I have a regression test at https://github.com/hgschmie/bcpgp to reproduce the problem. There clearly is a behavior change between bc 1.46 and 1.56 and I think that 1.46 was correct.

LMK if you need more information.

-h


--
Henning Schmiedehausen - [hidden email]  - +1 650 353 8513
Zuora Engineering - Chief Architect
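
Added example, not part of the original post and not Bouncy Castle's own code: RFC 4880 (section 5.2.3.3) recommends giving priority to the most recent self-signature when a key carries several, so an application can derive the key lifetime that way itself instead of depending on which signature a given library version picks. The class and method names are hypothetical, and the code assumes the caller has already verified the self-signatures.

```java
import java.util.Date;
import java.util.Iterator;
import org.bouncycastle.bcpg.SignatureSubpacketTags;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;

/** Added example (hypothetical helper, not Bouncy Castle code). */
public final class NewestSelfSigValidity {
    /**
     * Returns the key lifetime in seconds taken from the newest self-signature
     * on a master key, or 0 if that signature sets no expiration.
     * Assumption: the caller has already verified the self-signatures.
     */
    public static long validSeconds(PGPPublicKey masterKey) {
        PGPSignature newest = null;
        Iterator<?> sigs = masterKey.getSignatures();
        while (sigs.hasNext()) {
            PGPSignature sig = (PGPSignature) sigs.next();
            if (sig.getKeyID() != masterKey.getKeyID() || !bindsKey(sig.getSignatureType())) {
                continue; // third-party certification or unrelated signature type
            }
            if (newest == null || sig.getCreationTime().after(newest.getCreationTime())) {
                newest = sig;
            }
        }
        if (newest == null) {
            throw new IllegalStateException("no self-signature found on key");
        }
        PGPSignatureSubpacketVector hashed = newest.getHashedSubPackets();
        if (hashed == null || !hashed.hasSubpacket(SignatureSubpacketTags.KEY_EXPIRE_TIME)) {
            return 0; // newest self-signature carries no expiration: key does not expire
        }
        return hashed.getKeyExpirationTime(); // seconds after the key's creation time
    }

    /** Self-certifications (0x10-0x13) and direct-key signatures (0x1F) can carry key expiration. */
    private static boolean bindsKey(int type) {
        return type == PGPSignature.DEFAULT_CERTIFICATION || type == PGPSignature.NO_CERTIFICATION
            || type == PGPSignature.CASUAL_CERTIFICATION || type == PGPSignature.POSITIVE_CERTIFICATION
            || type == PGPSignature.DIRECT_KEY;
    }

    /** True if the key's creation time plus that lifetime lies before {@code now}. */
    public static boolean isExpired(PGPPublicKey masterKey, Date now) {
        long seconds = validSeconds(masterKey);
        return seconds != 0 && now.getTime() > masterKey.getCreationTime().getTime() + seconds * 1000L;
    }
}
```

Comparing `validSeconds(key)` with `key.getValidSeconds()` in a test run against both library versions shows whether an upgrade changes which signature decides the expiry.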

Re: Regression with PGP valid days from 1.46 to 1.56 (tested version)

David Hook-3

Hi,

Sorry, not sure what happened there but Jira is now fixed. I'll start looking at it, but if you would add it to jira as well that would help.

Regards,

David

On 18/04/17 13:00, Henning Schmiedehausen wrote:
> Hi,
>
> so we just migrated a large(ish) application that used bc 1.46 (both bcprov and bcpg) to 1.56. And we noted an interesting regression:
>
> We have a number of PGP keys that have multiple signatures with different validity periods. For example we have one key that was issued for 10 years and exported and then edited to be only five days valid. And then the exported signature was back imported (don't ask). gpg2 reports this key as "valid for five days". bc 1.46 considered the key valid for five days. But bc 1.56 reported it valid for 10 years.
>
> I would have liked to file a bug in JIRA but bouncycastle.org/jira seems to be down.
>
> I have a regression test at https://github.com/hgschmie/bcpgp to reproduce the problem. There clearly is a behavior change between bc 1.46 and 1.56 and I think that 1.46 was correct.
>
> LMK if you need more information.
>
> -h
>
> --
> Henning Schmiedehausen - [hidden email]  - +1 650 353 8513
> Zuora Engineering - Chief Architect



Re: Regression with PGP valid days from 1.46 to 1.56 (tested version)

Henning Schmiedehausen-2
Filed as http://www.bouncycastle.org/jira/browse/BJA-662 

Thank you for looking into this.

-h


On Mon, Apr 17, 2017 at 9:33 PM, David Hook <[hidden email]> wrote:

> Hi,
>
> Sorry, not sure what happened there but Jira is now fixed. I'll start looking at it, but if you would add it to jira as well that would help.
>
> Regards,
>
> David
>
> On 18/04/17 13:00, Henning Schmiedehausen wrote:
> > Hi,
> >
> > so we just migrated a large(ish) application that used bc 1.46 (both bcprov and bcpg) to 1.56. And we noted an interesting regression:
> >
> > We have a number of PGP keys that have multiple signatures with different validity periods. For example we have one key that was issued for 10 years and exported and then edited to be only five days valid. And then the exported signature was back imported (don't ask). gpg2 reports this key as "valid for five days". bc 1.46 considered the key valid for five days. But bc 1.56 reported it valid for 10 years.
> >
> > I would have liked to file a bug in JIRA but bouncycastle.org/jira seems to be down.
> >
> > I have a regression test at https://github.com/hgschmie/bcpgp to reproduce the problem. There clearly is a behavior change between bc 1.46 and 1.56 and I think that 1.46 was correct.
> >
> > LMK if you need more information.
> >
> > -h
> >
> > --
> > Henning Schmiedehausen - [hidden email]  - +1 650 353 8513
> > Zuora Engineering - Chief Architect





--
Henning Schmiedehausen - [hidden email]  - +1 650 353 8513
Zuora Engineering - Chief Architect