1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-12-22 19:08:00 +01:00

Remove support for processing compressed detached signatures

Signatures are indistinguishable from randomness, so there is no point in
compressing them, apart from attempting to exploit flaws in compression
algorithms.
Thanks to @DemiMarie for pointing this out

Fixes #286
This commit is contained in:
Paul Schaub 2022-05-07 21:46:03 +02:00
parent d3f412873b
commit 49d65788b4
2 changed files with 1 additions and 26 deletions

View file

@ -17,7 +17,6 @@ import org.bouncycastle.bcpg.sig.IssuerKeyID;
import org.bouncycastle.bcpg.sig.KeyExpirationTime;
import org.bouncycastle.bcpg.sig.RevocationReason;
import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
import org.bouncycastle.openpgp.PGPCompressedData;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPPublicKey;
@ -232,7 +231,7 @@ public final class SignatureUtils {
/**
* Read and return {@link PGPSignature PGPSignatures}.
* This method can deal with signatures that may be armored, compressed and may contain marker packets.
* This method can deal with signatures that may be binary, armored and may contain marker packets.
*
* @param inputStream input stream
* @param maxIterations number of loop iterations until reading is aborted
@ -248,11 +247,6 @@ public final class SignatureUtils {
int i = 0;
Object nextObject;
while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
if (nextObject instanceof PGPCompressedData) {
PGPCompressedData compressedData = (PGPCompressedData) nextObject;
objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(compressedData.getDataStream());
}
if (nextObject instanceof PGPSignatureList) {
PGPSignatureList signatureList = (PGPSignatureList) nextObject;
for (PGPSignature s : signatureList) {

View file

@ -12,28 +12,9 @@ import java.util.List;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPSignature;
import org.junit.jupiter.api.Test;
import org.pgpainless.key.util.KeyIdUtil;
public class SignatureUtilsTest {
@Test
public void readSignaturesFromCompressedData() throws PGPException, IOException {
String compressed = "-----BEGIN PGP MESSAGE-----\n" +
"Version: PGPainless\n" +
"\n" +
"owHrKGVhEOZiYGNlSoxcsJtBkVMg3OzZZKnz5jxiiiz+aTG+h46kcR9zinOECZ/o\n" +
"YmTYsKve/opb3v/o8J0qq1/MFFBhP9jfEq+/avK6qPMrlh70Zfinu96c+cncX9GK\n" +
"B4ui3fUfbUo8tFrVTIRn7kROq69H77hd6cCw9susVdls1as1gNYunnp5V8Qp+wX3\n" +
"+jUnwoRB1p4SfPk412lb/cSmShb211fOX07h0JxVH1JXsc/vi2mi5ieG/2Xxb5tk\n" +
"LE+r7WwruxSaeXLuLsOmXTPZD0/VtvlqO89RYjsA\n" +
"=yZ18\n" +
"-----END PGP MESSAGE-----";
List<PGPSignature> signatures = SignatureUtils.readSignatures(compressed);
assertEquals(2, signatures.size());
assertEquals(KeyIdUtil.fromLongKeyId("5736E6931ACF370C"), signatures.get(0).getKeyID());
assertEquals(KeyIdUtil.fromLongKeyId("F49AAA6B067BAB28"), signatures.get(1).getKeyID());
}
@Test
public void noIssuerResultsInKeyId0() throws PGPException, IOException {
String sig = "-----BEGIN PGP SIGNATURE-----\n" +