mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-12-23 03:17:58 +01:00
Remove support for processing compressed detached signatures
Signatures are indistinguishable from randomness, so there is no point in compressing them, apart from attempting to exploit flaws in compression algorithms. Thanks to @DemiMarie for pointing this out Fixes #286
This commit is contained in:
parent
d3f412873b
commit
49d65788b4
2 changed files with 1 additions and 26 deletions
|
@ -17,7 +17,6 @@ import org.bouncycastle.bcpg.sig.IssuerKeyID;
|
||||||
import org.bouncycastle.bcpg.sig.KeyExpirationTime;
|
import org.bouncycastle.bcpg.sig.KeyExpirationTime;
|
||||||
import org.bouncycastle.bcpg.sig.RevocationReason;
|
import org.bouncycastle.bcpg.sig.RevocationReason;
|
||||||
import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
|
import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
|
||||||
import org.bouncycastle.openpgp.PGPCompressedData;
|
|
||||||
import org.bouncycastle.openpgp.PGPException;
|
import org.bouncycastle.openpgp.PGPException;
|
||||||
import org.bouncycastle.openpgp.PGPObjectFactory;
|
import org.bouncycastle.openpgp.PGPObjectFactory;
|
||||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
import org.bouncycastle.openpgp.PGPPublicKey;
|
||||||
|
@ -232,7 +231,7 @@ public final class SignatureUtils {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Read and return {@link PGPSignature PGPSignatures}.
|
* Read and return {@link PGPSignature PGPSignatures}.
|
||||||
* This method can deal with signatures that may be armored, compressed and may contain marker packets.
|
* This method can deal with signatures that may be binary, armored and may contain marker packets.
|
||||||
*
|
*
|
||||||
* @param inputStream input stream
|
* @param inputStream input stream
|
||||||
* @param maxIterations number of loop iterations until reading is aborted
|
* @param maxIterations number of loop iterations until reading is aborted
|
||||||
|
@ -248,11 +247,6 @@ public final class SignatureUtils {
|
||||||
int i = 0;
|
int i = 0;
|
||||||
Object nextObject;
|
Object nextObject;
|
||||||
while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
|
while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
|
||||||
if (nextObject instanceof PGPCompressedData) {
|
|
||||||
PGPCompressedData compressedData = (PGPCompressedData) nextObject;
|
|
||||||
objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(compressedData.getDataStream());
|
|
||||||
}
|
|
||||||
|
|
||||||
if (nextObject instanceof PGPSignatureList) {
|
if (nextObject instanceof PGPSignatureList) {
|
||||||
PGPSignatureList signatureList = (PGPSignatureList) nextObject;
|
PGPSignatureList signatureList = (PGPSignatureList) nextObject;
|
||||||
for (PGPSignature s : signatureList) {
|
for (PGPSignature s : signatureList) {
|
||||||
|
|
|
@ -12,28 +12,9 @@ import java.util.List;
|
||||||
import org.bouncycastle.openpgp.PGPException;
|
import org.bouncycastle.openpgp.PGPException;
|
||||||
import org.bouncycastle.openpgp.PGPSignature;
|
import org.bouncycastle.openpgp.PGPSignature;
|
||||||
import org.junit.jupiter.api.Test;
|
import org.junit.jupiter.api.Test;
|
||||||
import org.pgpainless.key.util.KeyIdUtil;
|
|
||||||
|
|
||||||
public class SignatureUtilsTest {
|
public class SignatureUtilsTest {
|
||||||
|
|
||||||
@Test
|
|
||||||
public void readSignaturesFromCompressedData() throws PGPException, IOException {
|
|
||||||
String compressed = "-----BEGIN PGP MESSAGE-----\n" +
|
|
||||||
"Version: PGPainless\n" +
|
|
||||||
"\n" +
|
|
||||||
"owHrKGVhEOZiYGNlSoxcsJtBkVMg3OzZZKnz5jxiiiz+aTG+h46kcR9zinOECZ/o\n" +
|
|
||||||
"YmTYsKve/opb3v/o8J0qq1/MFFBhP9jfEq+/avK6qPMrlh70Zfinu96c+cncX9GK\n" +
|
|
||||||
"B4ui3fUfbUo8tFrVTIRn7kROq69H77hd6cCw9susVdls1as1gNYunnp5V8Qp+wX3\n" +
|
|
||||||
"+jUnwoRB1p4SfPk412lb/cSmShb211fOX07h0JxVH1JXsc/vi2mi5ieG/2Xxb5tk\n" +
|
|
||||||
"LE+r7WwruxSaeXLuLsOmXTPZD0/VtvlqO89RYjsA\n" +
|
|
||||||
"=yZ18\n" +
|
|
||||||
"-----END PGP MESSAGE-----";
|
|
||||||
List<PGPSignature> signatures = SignatureUtils.readSignatures(compressed);
|
|
||||||
assertEquals(2, signatures.size());
|
|
||||||
assertEquals(KeyIdUtil.fromLongKeyId("5736E6931ACF370C"), signatures.get(0).getKeyID());
|
|
||||||
assertEquals(KeyIdUtil.fromLongKeyId("F49AAA6B067BAB28"), signatures.get(1).getKeyID());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void noIssuerResultsInKeyId0() throws PGPException, IOException {
|
public void noIssuerResultsInKeyId0() throws PGPException, IOException {
|
||||||
String sig = "-----BEGIN PGP SIGNATURE-----\n" +
|
String sig = "-----BEGIN PGP SIGNATURE-----\n" +
|
||||||
|
|
Loading…
Reference in a new issue