search

bcgit / bc-java

Bouncy Castle Java Distribution (Mirror)
https://www.bouncycastle.org/java.html
MIT License
2.32k stars 1.14k forks source link

Fix unpacking time (unsigned int) from octets for large values #1836

Open vanitasvitae opened 2 months ago

vanitasvitae commented 2 months ago

Time, as well as offsets (e.g. expiration) in OpenPGP are stored as seconds in unsigned Integers.

I noticed, that https://github.com/bcgit/bc-java/commit/8385a2ca13573435a64d6bd96769c97e2e9edee8 broke some tests in PGPainless that dealt with large expiration time intervals.

Turns out, the changed code accidentally converted the values to signed ints, which break for large (but legal) intervals.

The patch converts back to an unsigned value.

vanitasvitae commented 2 months ago

I wonder if more places in the code are affected by this, e.g. key creation time...

vanitasvitae commented 2 months ago

PublicKeyPacket and SignaturePacket were also affected by this.

I also discovered a discrepancy between StreamUtils.writeTime() (expecting seconds) and StreamUtils.readTime() (returning millis).

I fixed this by changing writeTime() to expect millis and introducing writeSeconds() and readSeconds() dealing with seconds.

vanitasvitae commented 2 months ago

Okay, now I wonder, if large values are handled properly in general (e.g. large lengths) :D