Software Current Tests - Bug 911 (GPG key expired bug)
2011-07-20 00:00 - Bug 911 last updated
Background Information, Instructions
Testserver Links
Testserver 1: http://cacert1.it-sls.de
Patch: Bug 911
Developer: NEO
Purpose of patch: 0000911: Wrong expiration time in newly added GPG key if key has no expiry date
Patch Area: GPG/PGP keys
Patch Testing Requirements: assured member, at least 50 pts
Remarks: test GPG keys with and without expiry date set
Bug 911 - Instructions/Infos
Instructions and Sample Test Matrix for Software Testers
Introduction
In the error case, newly created GPG keys (whether or not an expiry date was set at key creation time) appeared as expired in the view GPG keys list, with the expires field set to "1971-01-02".
CAcert's points system for Assurees and Assurers is as follows:
- 0-49 pts: Assurance points; certs expire after 1/2 year
- 50-99 pts: Assurance points; certs expire after 2 years; additional GPG/PGP keys can be added
- 100 pts: Fully Assured (same as 50-99)
- 100 pts: CATS will be added and activated if CATS passed; possibility to request Codesigning (adding the Codesigning flag onto the account); possibility to assure others
- (100+) 0-50 pts: Experience points; for each assurance you'll receive 2 experience points
The GPG key and the expiry date shown in the GPG view keys list
A note regarding the expiry date as shown by CAcert: there is a bug which has hopefully been fixed on the test system, but from what I gather from the comments above there is also a misunderstanding:
The expiry date shown is not that of the key itself but of the Signature of CAcert.
That means your key will still be valid in general but the signature that CAcert did on your key will expire so you just have to resign it to get a valid signature again.
Unfortunately most GUI tools don't show the expiration of a signature.
On the command line you can check the validity of the signatures on a key by running "gpg --check-sigs <key-ID>". The "X" in the output indicates an eXpired signature.
Preliminaries
For this test you'll need:
- one account with at least 50 assurance points.
- GnuPG installed on your local machine (to create gpg keys)
Instructions to create pgp test keys
gpg --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? -> 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) -> 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) -> Enter
Key does not expire at all
Is this correct? (y/N) -> y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: -> My Givenname Surname
Email address: -> my@email.tld
Comment:
You selected this USER-ID:
    "My Givenname Surname <my@email.tld>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? -> o
You need a Passphrase to protect your secret key.
Enter passphrase: -> enter a passphrase
Repeat passphrase: -> enter your passphrase
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++...++++++++++.+++++++++++++++++++++++++.+++++++++++++++++++++++++
+++++..+++++.++++++++++..++++++++++.+++++++++++++++...++++++++++>++++++++++.<.++
+++...>++++++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++.+++++++++++++++....++++++++++.++++++++++.+++++.+++++...++++++++++.++++++
++++...++++++++++.+++++.+++++++++++++++.+++++..+++++..++++++++++.+++++++++++++++
.++++++++++.+++++..+++++++++++++++>+++++.+++++...++++++++++++++++++++.+++++..+++
++...+++++....+++++>.+++++>+++++>...+++++.......................................
...............................................+++++^^^
gpg: key 5C68118C marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/5C68118C 2011-07-19
      Key fingerprint = 95F2 D66C 4313 839C 77FD F374 AAF6 0782 5C68 118C
uid                  My Givenname Surname <my@email.tld>
sub   4096g/5C7F1F26 2011-07-19

Export (for copy & paste into the CAcert website form "GPG signing request"):
gpg --export --armor > ascii-key-filename.extension
For debugging:
gpg -v ascii-key-filename.extension
FAQ:
1. Q: I have problems with my middle name (e.g. invalid chars)
   A: remove the middle name
Test Matrix for Testers
- create a new key, set expire option to '0'
- create a new key, set expire option > '0' (days, weeks, months, years)
- variations in the used algorithm
- variations in key length
Reporting
Report the results under:
for each step you walk through:
- add the parameters used in key generation to the report
- report about 5 lines from the signed key (output of gpg -vv your-signed-key.gpg) that include the "md5len" and "critical hashed subpkt" lines
sample:
:signature packet: algo 17, keyid 4BE7348177F751AC
	version 4, created 1311159161, md5len 0, sigclass 0x10
	digest algo 2, begin of digest 55 de
	hashed subpkt 2 len 4 (sig created 2011-07-20)
	critical hashed subpkt 3 len 4 (sig expires after 1y1d0h0m)
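As an added helper for the reporting step (not part of this page or of CAcert's code): the Python snippet below parses the signature packet lines that gpg -vv prints, derives the absolute expiry date of CAcert's signature, and compares it with the expires field shown in the GPG key list, so a tester can spot the "1971-01-02" symptom of Bug 911 mechanically. The packet sample is the one from the report sample above; gpg's convention of 1y = 365 days in "sig expires after" is assumed.

```python
import re
from datetime import date, datetime, timedelta, timezone

# Constructed sample: the signature packet from the report sample on this page,
# as printed by "gpg -vv your-signed-key.gpg" (tab-indented continuation lines).
SAMPLE_PACKET = """\
:signature packet: algo 17, keyid 4BE7348177F751AC
\tversion 4, created 1311159161, md5len 0, sigclass 0x10
\tdigest algo 2, begin of digest 55 de
\thashed subpkt 2 len 4 (sig created 2011-07-20)
\tcritical hashed subpkt 3 len 4 (sig expires after 1y1d0h0m)
"""

_CREATED_RE = re.compile(r"\bcreated (\d+),")
_EXPIRES_RE = re.compile(r"sig expires after (\d+)y(\d+)d(\d+)h(\d+)m")

def parse_signature_expiry(packet_text):
    """Return (created, expires) as UTC datetimes for one ':signature packet:' dump;
    expires is None when gpg prints 'sig does not expire'. Assumes gpg's format of
    1y = 365 days for the expiry subpacket, so '1y1d0h0m' means 366 days."""
    m = _CREATED_RE.search(packet_text)
    if not m:
        raise ValueError("no 'created <unix-time>' field in packet dump")
    created = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    if "sig does not expire" in packet_text:
        return created, None
    m = _EXPIRES_RE.search(packet_text)
    if not m:
        raise ValueError("no signature expiry subpacket in packet dump")
    years, days, hours, minutes = (int(g) for g in m.groups())
    return created, created + timedelta(days=365 * years + days, hours=hours, minutes=minutes)


def check_listed_expiry(packet_text, listed_expiry):
    """Compare the 'expires' field of CAcert's GPG key list (YYYY-MM-DD, or None
    for an empty field) with the expiry implied by the signature packet."""
    created, expires = parse_signature_expiry(packet_text)
    shown = date.fromisoformat(listed_expiry) if listed_expiry else None
    if shown is not None and shown < created.date():
        # Bug 911 symptom: the list shows an expiry before the signature was made
        return "BUG: listed expiry %s precedes signature creation %s" % (shown, created.date())
    if expires is None:
        if shown is None:
            return "OK: signature does not expire"
        return "MISMATCH: signature does not expire but list shows %s" % shown
    if shown != expires.date():
        return "MISMATCH: list shows %s, packet implies %s" % (shown, expires.date())
    return "OK: list matches packet (%s)" % shown
```

Paste the ":signature packet:" block from your own gpg -vv output into SAMPLE_PACKET and pass the date from the key list to check_listed_expiry to get the verdict for your report.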
Additional Tests
Find additional test variations yourself ...
Happy testing