Make readSignatures skip over compressed data packets without decompression.

2024-11-20 11:22:05 +01:00 · 2022-05-08 11:24:34 +02:00 · 2022-05-08 11:24:34 +02:00 · 12e62d381c
commit 12e62d381c
parent 08ec140b63
2 changed files with 23 additions and 0 deletions
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@ -17,6 +17,7 @@ import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.RevocationReason;
 import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
+import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
@ -26,6 +27,7 @@ import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
 import org.bouncycastle.util.encoders.Hex;
+import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.SignatureType;
@ -247,6 +249,11 @@ public final class SignatureUtils {
        int i = 0;
        Object nextObject;
        while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
+            if (nextObject instanceof PGPCompressedData) {
+                PGPCompressedData compressedData = (PGPCompressedData) nextObject;
+                Streams.drain(compressedData.getInputStream()); // Skip packet without decompressing
+            }
+
            if (nextObject instanceof PGPSignatureList) {
                PGPSignatureList signatureList = (PGPSignatureList) nextObject;
                for (PGPSignature s : signatureList) {
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
@ -15,6 +15,22 @@ import org.junit.jupiter.api.Test;

 public class SignatureUtilsTest {

+    @Test
+    public void readSignaturesFromCompressedDataDoesNotAttemptDecompression() throws PGPException, IOException {
+        String compressed = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "owHrKGVhEOZiYGNlSoxcsJtBkVMg3OzZZKnz5jxiiiz+aTG+h46kcR9zinOECZ/o\n" +
+                "YmTYsKve/opb3v/o8J0qq1/MFFBhP9jfEq+/avK6qPMrlh70Zfinu96c+cncX9GK\n" +
+                "B4ui3fUfbUo8tFrVTIRn7kROq69H77hd6cCw9susVdls1as1gNYunnp5V8Qp+wX3\n" +
+                "+jUnwoRB1p4SfPk412lb/cSmShb211fOX07h0JxVH1JXsc/vi2mi5ieG/2Xxb5tk\n" +
+                "LE+r7WwruxSaeXLuLsOmXTPZD0/VtvlqO89RYjsA\n" +
+                "=yZ18\n" +
+                "-----END PGP MESSAGE-----";
+        List<PGPSignature> signatures = SignatureUtils.readSignatures(compressed);
+        assertEquals(0, signatures.size());
+    }
+
    @Test
    public void noIssuerResultsInKeyId0() throws PGPException, IOException {
        String sig = "-----BEGIN PGP SIGNATURE-----\n" +