From 49d65788b48018bf2e194b21ab392b7c7c7c8d55 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 7 May 2022 21:46:03 +0200 Subject: [PATCH] Remove support for processing compressed detached signatures Signatures are indistinguishable from randomness, so there is no point in compressing them, apart from attempting to exploit flaws in compression algorithms. Thanks to @DemiMarie for pointing this out Fixes #286
---
 .../pgpainless/signature/SignatureUtils.java | 8 +------- .../signature/SignatureUtilsTest.java | 19 ------------------- 2 files changed, 1 insertion(+), 26 deletions(-)
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index 1ebbdda4..cfbf4ce4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -17,7 +17,6 @@ import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.RevocationReason;
 import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
-import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
@@ -232,7 +231,7 @@ public final class SignatureUtils {
 /**
 * Read and return {@link PGPSignature PGPSignatures}.
- * This method can deal with signatures that may be armored, compressed and may contain marker packets.
+ * This method can deal with signatures that may be binary, armored and may contain marker packets.
 *
 * @param inputStream input stream
 * @param maxIterations number of loop iterations until reading is aborted
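Review bot: The reworded Javadoc sentence lists the accepted encodings but does not say what happens to a compressed data packet, which callers of the previous version could rely on being unpacked. As far as the next hunk shows, such packets are no longer descended into, so I would add a line below the changed sentence such as `* Compressed data packets are not decompressed; signatures inside them are not returned.` to make the restriction part of the documented contract. The Javadoc block and the method it documents continue outside this hunk.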
@@ -248,11 +247,6 @@ public final class SignatureUtils {
 int i = 0;
 Object nextObject;
 while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
- if (nextObject instanceof PGPCompressedData) {
- PGPCompressedData compressedData = (PGPCompressedData) nextObject;
- objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(compressedData.getDataStream());
- }
-
 if (nextObject instanceof PGPSignatureList) {
 PGPSignatureList signatureList = (PGPSignatureList) nextObject;
 for (PGPSignature s : signatureList) {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
index 296f20a8..87dd75c2 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
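Review bot: After this removal a `PGPCompressedData` object matches none of the `instanceof` checks visible in the `while` loop, so compressed input appears to be skipped silently and a caller cannot tell "no signatures" from "input refused". What the object factory does with the bytes that follow an unread compressed packet is not visible here. A why-comment at the top of the loop would keep the branch from being reintroduced later, e.g. `// Compressed data is deliberately not unpacked: signatures do not compress, and decompressing untrusted input only adds attack surface.` The deleted `readSignaturesFromCompressedData` test could also be kept in inverted form, asserting the intended outcome for the same armored input (an empty list or an exception), so the restriction is pinned by a regression test. The loop body continues outside the hunk.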
@@ -12,28 +12,9 @@ import java.util.List;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.junit.jupiter.api.Test;
-import org.pgpainless.key.util.KeyIdUtil;
 public class SignatureUtilsTest {
- @Test
- public void readSignaturesFromCompressedData() throws PGPException, IOException {
- String compressed = "-----BEGIN PGP MESSAGE-----\n" +
- "Version: PGPainless\n" +
- "\n" +
- "owHrKGVhEOZiYGNlSoxcsJtBkVMg3OzZZKnz5jxiiiz+aTG+h46kcR9zinOECZ/o\n" +
- "YmTYsKve/opb3v/o8J0qq1/MFFBhP9jfEq+/avK6qPMrlh70Zfinu96c+cncX9GK\n" +
- "B4ui3fUfbUo8tFrVTIRn7kROq69H77hd6cCw9susVdls1as1gNYunnp5V8Qp+wX3\n" +
- "+jUnwoRB1p4SfPk412lb/cSmShb211fOX07h0JxVH1JXsc/vi2mi5ieG/2Xxb5tk\n" +
- "LE+r7WwruxSaeXLuLsOmXTPZD0/VtvlqO89RYjsA\n" +
- "=yZ18\n" +
- "-----END PGP MESSAGE-----";
- List signatures = SignatureUtils.readSignatures(compressed);
- assertEquals(2, signatures.size());
- assertEquals(KeyIdUtil.fromLongKeyId("5736E6931ACF370C"), signatures.get(0).getKeyID());
- assertEquals(KeyIdUtil.fromLongKeyId("F49AAA6B067BAB28"), signatures.get(1).getKeyID());
- }
-
 @Test
 public void noIssuerResultsInKeyId0() throws PGPException, IOException {
 String sig = "-----BEGIN PGP SIGNATURE-----\n" +