Bug Fix - Issue neuhalje#58

- Added a null check in MDC validation stream for signed but unencrypted streams - Fixes bug - neuhalje#58
Sauhardstark · Dec 5, 2023 · 2ddc02e · 2ddc02e
1 parent 9c65a48
commit 2ddc02e
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 10 deletions.
diff --git a/...e/neuhalfen/projects/crypto/bouncycastle/openpgp/decrypting/MDCValidatingInputStream.java b/...e/neuhalfen/projects/crypto/bouncycastle/openpgp/decrypting/MDCValidatingInputStream.java
@@ -57,10 +57,12 @@ public int read(@Nonnull byte[] b, int off, int len) throws IOException {
 
   /**
    * Checks MDC if present.
+   * If stream is not encrypted, returns directly
    *
    * @throws IOException Error while reading input stream or if MDC fails
    */
   private void validateMDC() throws IOException {
+    if (pbe == null) { return; }
     try {
       if (pbe.isIntegrityProtected()) {
         if (!pbe.verify()) {

diff --git a/...euhalfen/projects/crypto/bouncycastle/openpgp/decrypting/DecryptionStreamFactoryTest.java b/...euhalfen/projects/crypto/bouncycastle/openpgp/decrypting/DecryptionStreamFactoryTest.java
@@ -1,14 +1,6 @@
 package name.neuhalfen.projects.crypto.bouncycastle.openpgp.decrypting;
 
-import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.IMPORTANT_QUOTE_NOT_ENCRYPTED_TO_ME;
-import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.IMPORTANT_QUOTE_NOT_SIGNED_NOT_COMPRESSED;
-import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.IMPORTANT_QUOTE_SIGNED_BY_2_KNOWN_1_UNKNOWN_KEY;
-import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.IMPORTANT_QUOTE_SIGNED_COMPRESSED;
-import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.IMPORTANT_QUOTE_SIGNED_MULTIPLE_COMPRESSED;
-import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.IMPORTANT_QUOTE_SIGNED_MULTIPLE_V2_COMPRESSED;
-import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.IMPORTANT_QUOTE_SIGNED_NOT_COMPRESSED;
-import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.IMPORTANT_QUOTE_SIGNED_UNKNOWN_KEY_COMPRESSED;
-import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.IMPORTANT_QUOTE_TEXT;
+import static name.neuhalfen.projects.crypto.bouncycastle.openpgp.testtooling.ExampleMessages.*;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.never;
@@ -296,7 +288,7 @@ public void decryptingSignedMessage_andSignatureIsNotRequired_succeeds()
   }
 
   @Test
-  public void decryptingSignedMessageWithSingleeSignatures_andAnySignatureIsRequired_succeeds()
+  public void decryptingSignedMessageWithSingleSignature_andAnySignatureIsRequired_succeeds()
       throws IOException, SignatureException {
     final KeyringConfig config = Configs.keyringConfigFromFilesForRecipient();
 
@@ -331,6 +323,18 @@ public void decryptingSignedMessageWithMultipleSignaturesUnknownSignatureFirst_a
     Assert.assertThat(decryptedQuote, equalTo(IMPORTANT_QUOTE_TEXT));
   }
 
+  @Test
+  public void verifyingSignedMessageWithSingleSignature_andNoSignatureIsRequired_succeeds()
+          throws IOException, SignatureException {
+    final KeyringConfig config = Configs.keyringConfigFromFilesForRecipient();
+
+    final String decryptedQuote = decrypt(
+            IMPORTANT_QUOTE_NOT_ENCRYPTED_BUT_SIGNED.getBytes("US-ASCII"), config,
+            SignatureValidationStrategies.ignoreSignatures());
+
+    Assert.assertThat(decryptedQuote, equalTo(IMPORTANT_QUOTE_TEXT));
+  }
+
   @Test(expected = IOException.class)
   public void decryptingTamperedUnSignedCiphertextWithMDC_fails()
       throws IOException, NoSuchAlgorithmException, NoSuchProviderException {

diff --git a/...java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/testtooling/ExampleMessages.java b/...java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/testtooling/ExampleMessages.java
@@ -714,6 +714,27 @@ public class ExampleMessages {
           "znd5CR+Jye1UXfLusnylrlfgKZcCRA==\n" +
           "=q3RN\n" +
           "-----END PGP MESSAGE-----";
+
+  /**
+   * Encrypted-To:    recipient@example.com Signed-By:       not encrypted but signed Compressed:      no
+   */
+  public final static String IMPORTANT_QUOTE_NOT_ENCRYPTED_BUT_SIGNED =
+          "-----BEGIN PGP MESSAGE-----\n" +
+                  "Version: Keybase OpenPGP v2.0.76\n" +
+                  "Comment: https://keybase.io/crypto\n" +
+                  "\n" +
+                  "yMDRAnicO8LLzMDFGLL4trl/RdV2xtNRpQyp+TWTPRVy8stSFVJSE1NyMvNSi/UU\n" +
+                  "gCKZ2akKJRmpCuUZ+fnFGZl56QrF+aV5KSCxSoXcRKBsYjGEk5ZTqZBUqafgkl+a\n" +
+                  "ngMUdExJzC0+dCCGhYGRi4GNlQlkBQMXpwDM3ikLORjazieoXLSXYeKoN/rn9qKQ\n" +
+                  "3/58UNEr+9kXngh2W8knW9ke99/nIB5z4t4l23snT1r7ME2bbfJsbaWoL+fEh9Ws\n" +
+                  "BXWrH9Y/Px9f6Zv7ZWftgXk7TNdWJcm2OWSKMLr8Oz/rhRvn1y3zn5tVy6+RjWed\n" +
+                  "u74w7taaGyf8mHYpC7UzS6TVqiiIv72jv0bg/3/z6T8+/ty57eH26XtrJ8Zfld/w\n" +
+                  "dMYmFuY7k/eKb/JcNzPW7fLa3r4naXuDre/1mx4SmF++cmr3hUl6x9Q7PmzwP/75\n" +
+                  "hMysoIvfc/seZW9OZJsW2lB56/+ed5OKpqzb2/KVvbRa71LNLGWpIHXTlJrWp7qs\n" +
+                  "YU/nvsrk+xQWcdbD7qQdABDtsOc=\n" +
+                  "=5J9M\n" +
+                  "-----END PGP MESSAGE-----\n";
+
   /**
    * Encrypted-To:    sender@example.com Signed-By:       not signed Compressed:      no
    */