From 12e62d381c38a43aec442dbd187cc1f42fe22eae Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Sun, 8 May 2022 11:24:34 +0200
Subject: [PATCH] Make readSignatures skip over compressed data packets without decompression.
---
 .../org/pgpainless/signature/SignatureUtils.java | 7 +++++++
 .../pgpainless/signature/SignatureUtilsTest.java | 16 ++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index cfbf4ce4..5d68e8b9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -17,6 +17,7 @@ import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.RevocationReason;
 import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
+import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
@@ -26,6 +27,7 @@ import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
 import org.bouncycastle.util.encoders.Hex;
+import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.SignatureType;
@@ -247,6 +249,11 @@ public final class SignatureUtils {
 int i = 0;
 Object nextObject;
 while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
+ if (nextObject instanceof PGPCompressedData) {
+ PGPCompressedData compressedData = (PGPCompressedData) nextObject;
+ Streams.drain(compressedData.getInputStream()); // Skip packet without decompressing
+ }
+
 if (nextObject instanceof PGPSignatureList) {
 PGPSignatureList signatureList = (PGPSignatureList) nextObject;
 for (PGPSignature s : signatureList) {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
index 87dd75c2..757f28e6 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
@@ -15,6 +15,22 @@ import org.junit.jupiter.api.Test;
 public class SignatureUtilsTest {
+ @Test
+ public void readSignaturesFromCompressedDataDoesNotAttemptDecompression() throws PGPException, IOException {
+ String compressed = "-----BEGIN PGP MESSAGE-----\n" +
+ "Version: PGPainless\n" +
+ "\n" +
+ "owHrKGVhEOZiYGNlSoxcsJtBkVMg3OzZZKnz5jxiiiz+aTG+h46kcR9zinOECZ/o\n" +
+ "YmTYsKve/opb3v/o8J0qq1/MFFBhP9jfEq+/avK6qPMrlh70Zfinu96c+cncX9GK\n" +
+ "B4ui3fUfbUo8tFrVTIRn7kROq69H77hd6cCw9susVdls1as1gNYunnp5V8Qp+wX3\n" +
+ "+jUnwoRB1p4SfPk412lb/cSmShb211fOX07h0JxVH1JXsc/vi2mi5ieG/2Xxb5tk\n" +
+ "LE+r7WwruxSaeXLuLsOmXTPZD0/VtvlqO89RYjsA\n" +
+ "=yZ18\n" +
+ "-----END PGP MESSAGE-----";
+ List signatures = SignatureUtils.readSignatures(compressed);
+ assertEquals(0, signatures.size());
+ }
+
 @Test
 public void noIssuerResultsInKeyId0() throws PGPException, IOException {
 String sig = "-----BEGIN PGP SIGNATURE-----\n" +
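Review bot: The comment on the `Streams.drain(compressedData.getInputStream())` line does not record why the raw stream is read, and that is the property this change depends on: `getInputStream()` returns the still-compressed packet body, while `getDataStream()` would inflate sender-controlled data. I would spell it out, e.g. `// Drain the raw, still-compressed body to step past the packet; do not use getDataStream() here, it would decompress untrusted input`. Signatures nested inside a compressed packet are now skipped silently, which the Javadoc of the enclosing method (it starts and ends outside this hunk) should state. Note also that `maxIterations` limits the number of packets, not the bytes drained, so the work per call is still bounded only by the input size.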
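Review bot: `assertEquals(0, signatures.size())` only shows that no top-level signature list was returned; it does not demonstrate that decompression was not attempted, which is what the test name claims. A comment above the `compressed` literal stating what the message contains, such as `// compressed data packet wrapping a signed message; the inner signature must not be returned`, would make the expected 0 meaningful (the content cannot be checked from the armored blob as shown, so confirm before adding it). A second case in which a signature packet follows the compressed packet would also confirm that the drain leaves the object factory positioned on the next packet.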