Remove support for processing compressed detached signatures

Signatures are indistinguishable from randomness, so there is no point in compressing them, apart from attempting to exploit flaws in compression algorithms. Thanks to @DemiMarie for pointing this out Fixes #286
2022-05-07 21:46:03 +02:00 · 2022-05-07 21:46:03 +02:00 · 49d65788b4
parent d3f412873b
commit 49d65788b4
2 changed files with 1 additions and 26 deletions
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@ -17,7 +17,6 @@ import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.RevocationReason;
 import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
-import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
@ -232,7 +231,7 @@ public final class SignatureUtils {

    /**
     * Read and return {@link PGPSignature PGPSignatures}.
-     * This method can deal with signatures that may be armored, compressed and may contain marker packets.
+     * This method can deal with signatures that may be binary, armored and may contain marker packets.
     *
     * @param inputStream input stream
     * @param maxIterations number of loop iterations until reading is aborted
@ -248,11 +247,6 @@ public final class SignatureUtils {
        int i = 0;
        Object nextObject;
        while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
-            if (nextObject instanceof PGPCompressedData) {
-                PGPCompressedData compressedData = (PGPCompressedData) nextObject;
-                objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(compressedData.getDataStream());
-            }
-
            if (nextObject instanceof PGPSignatureList) {
                PGPSignatureList signatureList = (PGPSignatureList) nextObject;
                for (PGPSignature s : signatureList) {
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
@ -12,28 +12,9 @@ import java.util.List;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.junit.jupiter.api.Test;
-import org.pgpainless.key.util.KeyIdUtil;

 public class SignatureUtilsTest {

-    @Test
-    public void readSignaturesFromCompressedData() throws PGPException, IOException {
-        String compressed = "-----BEGIN PGP MESSAGE-----\n" +
-                "Version: PGPainless\n" +
-                "\n" +
-                "owHrKGVhEOZiYGNlSoxcsJtBkVMg3OzZZKnz5jxiiiz+aTG+h46kcR9zinOECZ/o\n" +
-                "YmTYsKve/opb3v/o8J0qq1/MFFBhP9jfEq+/avK6qPMrlh70Zfinu96c+cncX9GK\n" +
-                "B4ui3fUfbUo8tFrVTIRn7kROq69H77hd6cCw9susVdls1as1gNYunnp5V8Qp+wX3\n" +
-                "+jUnwoRB1p4SfPk412lb/cSmShb211fOX07h0JxVH1JXsc/vi2mi5ieG/2Xxb5tk\n" +
-                "LE+r7WwruxSaeXLuLsOmXTPZD0/VtvlqO89RYjsA\n" +
-                "=yZ18\n" +
-                "-----END PGP MESSAGE-----";
-        List<PGPSignature> signatures = SignatureUtils.readSignatures(compressed);
-        assertEquals(2, signatures.size());
-        assertEquals(KeyIdUtil.fromLongKeyId("5736E6931ACF370C"), signatures.get(0).getKeyID());
-        assertEquals(KeyIdUtil.fromLongKeyId("F49AAA6B067BAB28"), signatures.get(1).getKeyID());
-    }
-
    @Test
    public void noIssuerResultsInKeyId0() throws PGPException, IOException {
        String sig = "-----BEGIN PGP SIGNATURE-----\n" +