Add a 2 day offset for signature creation time checking

build.sh

@@ -5,7 +5,7 @@ SCRIPT_LOCATION=$(cd $(dirname $0);echo $PWD)
 OUTPUT_PATH="bin"
 ANDROID_OUT=${OUTPUT_PATH}/"Android"
 IOS_OUT=${OUTPUT_PATH}/"iOS"
-
+gomobile init -ndk $ANDROID_NDK
 # CHECK="${1-0}"
 # if [ ${CHECK} -eq "1" ]; then
 printf "\e[0;32mStart Building iOS framework .. Location: ${IOS_OUT} \033[0m\n\n"
@@ -20,8 +20,6 @@ gomobile bind -target android -o ${ANDROID_OUT}/PM.aar
 
 printf "\e[0;32mInstalling frameworks. \033[0m\n\n"
 
-cp -rf ${IOS_OUT}/PM.framework /Users/Yanfeng/Documents/ProtonMailGit/protonmail_ios/ProtonMail/
-
 printf "\e[0;32mAll Done. \033[0m\n\n"
 
 

common.go

@@ -30,3 +30,7 @@ func trimNewlines(input string) string {
 	var re = regexp.MustCompile(`(?m)[ \t]*$`)
 	return re.ReplaceAllString(input, "")
 }
+
+// Amount of seconds that a signature may be created after the verify time
+// Consistent with the 2 day slack allowed in the ProtonMail Email Parser
+var creationTimeOffset = int64(60 * 60 * 24 * 2)

message.go

@@ -11,7 +11,9 @@ import (
 	"golang.org/x/crypto/openpgp"
 	"golang.org/x/crypto/openpgp/armor"
 	"golang.org/x/crypto/openpgp/packet"
-)
+	errors2 "golang.org/x/crypto/openpgp/errors"
+	"math"
+	)
 
 // DecryptMessage decrypt encrypted message use private key (string )
 // encryptedText : string armored encrypted
@@ -165,12 +167,9 @@ func (o *OpenPGP) decryptMessageVerifyAllBin(encryptedText string, veriferKey []
 		return nil, err
 	}
 
-	config := &packet.Config{ Time: o.getTimeGenerator() }
+	config := &packet.Config{}
-	if verifyTime > 0 {
+	config.Time = func() time.Time {
-		tm := time.Unix(verifyTime, 0)
+		return time.Unix(0, 0)
-		config.Time = func() time.Time {
-			return tm
-		}
 	}
 
 	md, err := openpgp.ReadMessage(encryptedio.Body, privKeyEntries, nil, config)
@@ -184,6 +183,8 @@ func (o *OpenPGP) decryptMessageVerifyAllBin(encryptedText string, veriferKey []
 		return nil, err
 	}
 
+	processSignatureExpiration(md, verifyTime)
+
 	out.Plaintext = string(b)
 	if md.IsSigned {
 		if md.SignedBy != nil {
@@ -209,6 +210,25 @@ func (o *OpenPGP) decryptMessageVerifyAllBin(encryptedText string, veriferKey []
 	return out, nil
 }
 
+// Handle signature time verification manually, so we can add a margin to the creationTime check.
+func processSignatureExpiration(md *openpgp.MessageDetails, verifyTime int64) {
+	if md.SignatureError == errors2.ErrSignatureExpired {
+		if verifyTime > 0 {
+			created := md.Signature.CreationTime.Unix()
+			expires := int64(math.MaxInt64)
+			if md.Signature.KeyLifetimeSecs != nil {
+				expires = int64(*md.Signature.KeyLifetimeSecs) + created
+			}
+			if created - creationTimeOffset <= verifyTime && verifyTime <= expires {
+				md.SignatureError = nil
+			}
+		} else {
+			// verifyTime = 0: time check disabled, everything is okay
+			md.SignatureError = nil
+		}
+	}
+}
+
 // EncryptMessage encrypt message with public key, if pass private key and passphrase will also sign the message
 // publicKey : string armored public key
 // plainText : the input

sign_detached.go

@@ -9,6 +9,7 @@ import (
 	"golang.org/x/crypto/openpgp"
 	"golang.org/x/crypto/openpgp/clearsign"
 	"golang.org/x/crypto/openpgp/packet"
+	errors2 "golang.org/x/crypto/openpgp/errors"
 )
 
 //ReadClearSignedMessage read clear message from a clearsign package
@@ -202,31 +203,11 @@ func (o *OpenPGP) VerifyTextSignDetached(signature string, plainText string, pub
 		return false, err
 	}
 
-	signatureReader := strings.NewReader(signature)
-
 	plainText = trimNewlines(plainText)
 
 	origText := bytes.NewReader(bytes.NewBufferString(plainText).Bytes())
 
-	config := &packet.Config{ Time: o.getTimeGenerator() }
+	return verifySignature(pubKeyEntries, origText, signature, verifyTime)
-	if verifyTime > 0 {
-		tm := time.Unix(verifyTime, 0)
-		config.Time = func() time.Time {
-			return tm
-		}
-	}
-	signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config)
-	if err != nil {
-		return false, err
-	}
-	if signer == nil {
-		return false, errors.New("signer is empty")
-	}
-	// if signer.PrimaryKey.KeyId != signed.PrimaryKey.KeyId {
-	// 	// t.Errorf("wrong signer got:%x want:%x", signer.PrimaryKey.KeyId, 0)
-	// 	return false, errors.New("signer is nil")
-	// }
-	return true, nil
 }
 
 // VerifyTextSignDetachedBinKey ...
@@ -239,17 +220,40 @@ func (o *OpenPGP) VerifyTextSignDetachedBinKey(signature string, plainText strin
 		return false, err
 	}
 
-	signatureReader := strings.NewReader(signature)
 	plainText = trimNewlines(plainText)
 	origText := bytes.NewReader(bytes.NewBufferString(plainText).Bytes())
-	config := &packet.Config{ Time: o.getTimeGenerator() }
+
-	if verifyTime > 0 {
+	return verifySignature(pubKeyEntries, origText, signature, verifyTime)
-		tm := time.Unix(verifyTime, 0)
+}
+
+func verifySignature(pubKeyEntries openpgp.EntityList, origText *bytes.Reader, signature string, verifyTime int64) (bool, error) {
+	config := &packet.Config{}
+	if verifyTime == 0 {
 		config.Time = func() time.Time {
-			return tm
+			return time.Unix(0, 0)
+		}
+	} else {
+		config.Time = func() time.Time {
+			return time.Unix(verifyTime + creationTimeOffset, 0)
 		}
 	}
+	signatureReader := strings.NewReader(signature)
+
 	signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config)
+
+	if err == errors2.ErrSignatureExpired && signer != nil {
+		if verifyTime > 0 {
+			// Maybe the creation time offset pushed it over the edge
+			// Retry with the actual verification time
+			config.Time = func() time.Time {
+				return time.Unix(verifyTime, 0)
+			}
+			signer, err = openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config)
+		} else {
+			// verifyTime = 0: time check disabled, everything is okay
+			err = nil
+		}
+	}
 	if err != nil {
 		return false, err
 	}
@@ -263,6 +267,7 @@ func (o *OpenPGP) VerifyTextSignDetachedBinKey(signature string, plainText strin
 	return true, nil
 }
 
+
 // VerifyBinSignDetached ...
 func (o *OpenPGP) VerifyBinSignDetached(signature string, plainData []byte, publicKey string, verifyTime int64) (bool, error) {
 
@@ -273,28 +278,8 @@ func (o *OpenPGP) VerifyBinSignDetached(signature string, plainData []byte, publ
 		return false, err
 	}
 
-	signatureReader := strings.NewReader(signature)
-
 	origText := bytes.NewReader(plainData)
-	config := &packet.Config{ Time: o.getTimeGenerator() }
+	return verifySignature(pubKeyEntries, origText, signature, verifyTime)
-	if verifyTime > 0 {
-		tm := time.Unix(verifyTime, 0)
-		config.Time = func() time.Time {
-			return tm
-		}
-	}
-	signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config)
-	if err != nil {
-		return false, err
-	}
-	if signer == nil {
-		return false, errors.New("signer is empty")
-	}
-	// if signer.PrimaryKey.KeyId != signed.PrimaryKey.KeyId {
-	// 	// t.Errorf("wrong signer got:%x want:%x", signer.PrimaryKey.KeyId, 0)
-	// 	return false, errors.New("signer is nil")
-	// }
-	return true, nil
 }
 
 // VerifyBinSignDetachedBinKey ...
@@ -306,27 +291,7 @@ func (o *OpenPGP) VerifyBinSignDetachedBinKey(signature string, plainData []byte
 		return false, err
 	}
 
-	signatureReader := strings.NewReader(signature)
-
 	origText := bytes.NewReader(plainData)
 
-	config := &packet.Config{ Time: o.getTimeGenerator() }
+	return verifySignature(pubKeyEntries, origText, signature, verifyTime)
-	if verifyTime > 0 {
-		tm := time.Unix(verifyTime, 0)
-		config.Time = func() time.Time {
-			return tm
-		}
-	}
-	signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config)
-	if err != nil {
-		return false, err
-	}
-	if signer == nil {
-		return false, errors.New("signer is empty")
-	}
-	// if signer.PrimaryKey.KeyId != signed.PrimaryKey.KeyId {
-	// 	// t.Errorf("wrong signer got:%x want:%x", signer.PrimaryKey.KeyId, 0)
-	// 	return false, errors.New("signer is nil")
-	// }
-	return true, nil
 }