Fix: use verifyTime in the config time instead of Now()

When decrypting message, we have to use verifyTime in the config
otherwise signatures not valid at verifyTime but valid at Now()
will be seen as valid.

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Fixed
+
+- Use the provided `verifyTime` instead of the current time when verifying embedded signatures.
+
 ## [2.2.3] 2021-09-21
 ### Changed
 - Keys are now generated with ZLIB as preferred compression algorithm

crypto/keyring_message.go

@@ -5,6 +5,7 @@ import (
 	"crypto"
 	"io"
 	"io/ioutil"
+	"time"
 
 	"github.com/ProtonMail/go-crypto/openpgp"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
@@ -190,6 +191,7 @@ func asymmetricDecrypt(
 		encryptedIO,
 		privateKey,
 		verifyKey,
+		verifyTime,
 	)
 	if err != nil {
 		return nil, err
@@ -215,7 +217,10 @@ func asymmetricDecrypt(
 
 // Core for decryption+verification (all) functions.
 func asymmetricDecryptStream(
-	encryptedIO io.Reader, privateKey *KeyRing, verifyKey *KeyRing,
+	encryptedIO io.Reader,
+	privateKey *KeyRing,
+	verifyKey *KeyRing,
+	verifyTime int64,
 ) (messageDetails *openpgp.MessageDetails, err error) {
 	privKeyEntries := privateKey.entities
 	var additionalEntries openpgp.EntityList
@@ -228,7 +233,19 @@ func asymmetricDecryptStream(
 		privKeyEntries = append(privKeyEntries, additionalEntries...)
 	}
 
-	config := &packet.Config{Time: getTimeGenerator()}
+	config := &packet.Config{
+		Time: func() time.Time {
+			if verifyTime == 0 {
+				/*
+					We default to current time while decrypting and verifying
+					but the caller will remove signature expiration errors later on.
+					See processSignatureExpiration().
+				*/
+				return getNow()
+			}
+			return time.Unix(verifyTime, 0)
+		},
+	}
 
 	messageDetails, err = openpgp.ReadMessage(encryptedIO, privKeyEntries, nil, config)
 	if err != nil {

crypto/keyring_streaming.go

@@ -194,6 +194,7 @@ func (keyRing *KeyRing) DecryptStream(
 		message,
 		keyRing,
 		verifyKeyRing,
+		verifyTime,
 	)
 	if err != nil {
 		return nil, err

crypto/keyring_test.go

@@ -3,11 +3,13 @@ package crypto
 import (
 	"crypto/ed25519"
 	"crypto/rsa"
+	"errors"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 
 	"github.com/ProtonMail/go-crypto/openpgp/ecdh"
+	"github.com/ProtonMail/gopenpgp/v2/constants"
 )
 
 var testSymmetricKey []byte
@@ -231,3 +233,43 @@ func TestKeyringCapabilities(t *testing.T) {
 	assert.True(t, keyRingTestMultiple.CanVerify())
 	assert.True(t, keyRingTestMultiple.CanEncrypt())
 }
+
+func TestVerificationTime(t *testing.T) {
+	message := NewPlainMessageFromString("Hello")
+	pgp.latestServerTime = 1632312383
+	defer func() {
+		pgp.latestServerTime = testTime
+	}()
+	enc, err := keyRingTestPublic.Encrypt(
+		message,
+		keyRingTestPrivate,
+	)
+
+	if err != nil {
+		t.Fatalf("Encryption error: %v", err)
+	}
+	_, err = keyRingTestPrivate.Decrypt(
+		enc,
+		keyRingTestPublic,
+		392039755,
+	)
+	if err == nil {
+		t.Fatal("No signature error")
+	}
+	castedErr := &SignatureVerificationError{}
+	isType := errors.As(err, castedErr)
+	if !isType {
+		t.Fatalf("No signature error %v", err)
+	}
+	if castedErr.Status != constants.SIGNATURE_FAILED {
+		t.Fatalf("Wrong status %v", castedErr)
+	}
+	_, err = keyRingTestPrivate.Decrypt(
+		enc,
+		keyRingTestPublic,
+		0,
+	)
+	if err != nil {
+		t.Fatalf("Got an error while decrypting %v", err)
+	}
+}