From 26d79679f0be855b54ad644eeb88d926cd86afba Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Wed, 9 Mar 2022 21:05:00 +0100
Subject: [PATCH] Fix crash when validating unmatched signer's user-id subpacket
TODO: We might want to deprecate Signer's UserID subpackets completely and ignore them. See results of sequoias test suite once PR below gets merged. https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/merge_requests/28
---
 .../signature/consumer/CertificateValidator.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
index 7080e368..93d12fc5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
@@ -144,7 +144,13 @@ public final class CertificateValidator {
 // Specific signer user-id
 SignerUserID signerUserID = SignatureSubpacketsUtil.getSignerUserID(signature);
 if (signerUserID != null) {
- PGPSignature userIdSig = userIdSignatures.get(signerUserID.getID()).get(0);
+ List signerUserIdSigs = userIdSignatures.get(signerUserID.getID());
+ if (signerUserIdSigs == null || signerUserIdSigs.isEmpty()) {
+ throw new SignatureValidationException("Signature was allegedly made by user-id '" + signerUserID.getID() +
+ "' but we have no valid signatures for that on the certificate.");
+ }
+
+ PGPSignature userIdSig = signerUserIdSigs.get(0);
 if (userIdSig.getSignatureType() == SignatureType.CERTIFICATION_REVOCATION.getCode()) {
 throw new SignatureValidationException("Signature was made with user-id '" + signerUserID.getID() + "' which is revoked.");
 }
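Review bot: No regression test accompanies the new guard on `signerUserIdSigs`: the diffstat shows one file changed, so nothing pins that a signature whose Signer's User ID subpacket names a user-id absent from the certificate is rejected with `SignatureValidationException` instead of crashing. That subpacket is read from the signature under validation, so this path is reachable with untrusted input and is worth a dedicated test case. A short comment above the guard would also record the intent, e.g. `// Signer's User ID comes from the signature itself; fail closed if the certificate has no binding for it.` The same user-id string is concatenated verbatim into the exception message, so callers that log or display the message should treat it as untrusted text. The enclosing method starts and ends outside the hunk.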