Allow skip in SignatureValidatingInputStream

.gitignore

@@ -6,3 +6,4 @@ build/
 out/
 gradle.properties
 *.iml
+bin/

.travis.yml

@@ -11,9 +11,10 @@ cache:
 jdk:
   - openjdk8
   - oraclejdk8
-# - openjdk10
-  - openjdk11
-  - oraclejdk11
+  - openjdk13
+  - oraclejdk13
+  - openjdk14
+  - oraclejdk14
 
 script:
   - sudo apt-get update
@@ -24,7 +25,7 @@ script:
   - # sudo snap install hugo
   - # export PATH
   - # /snap/bin/hugo version
-  - ./gradlew -PHUGO_EXEC="/snap/bin/hugo" --info --stacktrace check jacocoTestReport # generateWebsite
+  - ./gradlew -PHUGO_EXEC="/snap/bin/hugo"  -info --stacktrace clean check test integrationTest jacocoTestReport
 
 after_success:
   - bash <(curl -s https://codecov.io/bash)

CHANGELOG.md

@@ -1,5 +1,18 @@
 ## V 2.x.x (NEXT)
 
+## V 2.3.0 Bugfix Release
+
+This releases fixes a security issue (#50) where encrypted, but not signed archives could be modified. 
+Some background on MDC and why it's important security-wise: https://gpgtools.tenderapp.com/kb/faq/modification-detection-code-mdc-errors
+
+* Fix: Do not expose logback as compile-time dependency (#41)
+* Fix: java.io.EOFException: Unexpected end of ZIP input stream using 2.2.0 version for PGP file (#46)
+* Fix: KeyFlag#extractPublicKeyFlags throws NullPointerException if called on an older public key with no hashed subpackets (#48)
+* Fix: Encrypting with keys that don't have a KeyFlags subpacket (#50)
+* Fix: MDC (integrity checksum) is not verified when decrypting (#45)
+* Enh: Bump Bouncy Castle to 1.67
+
+
 ## V 2.2.0 Key generation
 
 * new: Add key generation (initial version by Paul Schaub [@vanitasvitae])

README.md

@@ -202,8 +202,8 @@ repositories {
 
 //  ...
 dependencies {
-    compile 'org.bouncycastle:bcprov-jdk15on:1.64'
-    compile 'org.bouncycastle:bcpg-jdk15on:1.64'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.67'
+    compile 'org.bouncycastle:bcpg-jdk15on:1.67'
     //  ...
     compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.+'
    // ...
@@ -215,10 +215,10 @@ dependencies {
     <dependency>
         <groupId>name.neuhalfen.projects.crypto.bouncycastle.openpgp</groupId>
         <artifactId>bouncy-gpg</artifactId>
-        <version>2.2.0</version>
-    </dependency>
+        <version>2.3.0</version>
+    </dependency>
 ```
-  
+
 ### Install Provider
 
 ```java

TODO.md

@@ -4,10 +4,9 @@ Open TODOs
 Version 3.0
 --------------
 
-Version 2.2
+Version 2.4
 -------------
 
-- [ ] Key generation
 - [ ] Key generation key expiration
 - [ ] Key generation documentation
 - [ ] Add decryptor.getResult() for decryption result
@@ -16,6 +15,15 @@ Version 2.2
 - [ ] Unit tests: iterate different DefaultPGPAlgorithmSuites.secureSuiteForGnuPG() (incl. compression & no signature!)
 - [ ] Extend documentation of key derivation
 
+Version 2.3
+-------------
+- [x] Bugfixes
+
+
+Version 2.2
+-------------
+- [x] Key generation
+
 
 Version 2.1
 -------------

build.gradle

@@ -46,7 +46,7 @@ tasks.withType(Checkstyle) {
 }
 
 jacoco {
-    toolVersion = "0.8.2"
+    toolVersion = "0.8.5"
     reportsDir = file("${buildDir}/jacocoHtml")
 }
 
@@ -87,7 +87,7 @@ sourceCompatibility = 8
 targetCompatibility = 8
 
 group = 'name.neuhalfen.projects.crypto.bouncycastle.openpgp'
-version = '2.2.0'
+version = '2.3.0'
 
 repositories {
     jcenter()
@@ -123,11 +123,10 @@ check.dependsOn integrationTest
 
 
 dependencies {
-    compile 'org.bouncycastle:bcprov-jdk15on:1.64'
-    compile 'org.bouncycastle:bcpg-jdk15on:1.64'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.67'
+    compile 'org.bouncycastle:bcpg-jdk15on:1.67'
 
     compile 'org.slf4j:slf4j-api:1.7.30'
-    compile 'ch.qos.logback:logback-classic:1.2.3'
 
     // @Nullable and friends are not needed at runtime
     compile 'com.google.code.findbugs:jsr305:3.0.2'
@@ -136,6 +135,8 @@ dependencies {
     testCompile 'org.hamcrest:hamcrest-all:1.3'
     testCompile 'org.mockito:mockito-core:3.2.4'
     testCompile 'org.concordion:concordion-api-documentation-extension:0.0.4'
+    testCompile 'ch.qos.logback:logback-classic:1.2.3'
+
 }
 
 
@@ -163,7 +164,7 @@ if (hasProperty('bintray_Username')) {
 apply from: 'website.gradle'
 
 wrapper {
-    gradleVersion = '6.1'
+    gradleVersion = '6.5'
 }
 
 // Generate OSGI bundle metadata

examples/decrypt/build.gradle

@@ -24,10 +24,10 @@ repositories {
 }
 
 dependencies {
-    compile 'org.bouncycastle:bcprov-jdk15on:1.60'
-    compile 'org.bouncycastle:bcpg-jdk15on:1.60'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.67'
+    compile 'org.bouncycastle:bcpg-jdk15on:1.67'
 
-    compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.2.0'
+    compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.3.0'
 
     compile 'org.slf4j:slf4j-api:1.7.25'
     compile 'ch.qos.logback:logback-classic:1.2.3'

examples/encrypt/build.gradle

@@ -24,8 +24,8 @@ repositories {
 }
 
 dependencies {
-    compile 'org.bouncycastle:bcprov-jdk15on:1.60'
-    compile 'org.bouncycastle:bcpg-jdk15on:1.60'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.67'
+    compile 'org.bouncycastle:bcpg-jdk15on:1.67'
 
     compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.+'
 

examples/maven/pom.xml

@@ -25,23 +25,24 @@
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <bouncycastle.version>1.67</bouncycastle.version>
   </properties>
 
   <dependencies>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15on</artifactId>
-      <version>1.64</version>
+      <version>${bouncycastle.version}</version>
     </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcpg-jdk15on</artifactId>
-      <version>1.64</version>
+      <version>${bouncycastle.version}</version>
     </dependency>
     <dependency>
       <groupId>name.neuhalfen.projects.crypto.bouncycastle.openpgp</groupId>
       <artifactId>bouncy-gpg</artifactId>
-      <version>2.2.0</version>
+      <version>2.3.0</version>
     </dependency>
     <dependency>
       <groupId>ch.qos.logback</groupId>

examples/reencrypt/build.gradle

@@ -24,10 +24,10 @@ repositories {
 }
 
 dependencies {
-    compile 'org.bouncycastle:bcprov-jdk15on:1.60'
-    compile 'org.bouncycastle:bcpg-jdk15on:1.60'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.67'
+    compile 'org.bouncycastle:bcpg-jdk15on:1.67'
 
-    compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.2.0'
+    compile 'name.neuhalfen.projects.crypto.bouncycastle.openpgp:bouncy-gpg:2.3.0'
 
     compile 'org.slf4j:slf4j-api:1.7.22'
     compile 'ch.qos.logback:logback-classic:1.2.1'

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,4 @@
-#Sun Jan 19 11:34:50 CET 2020
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.1-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.5.1-all.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStorePath=wrapper/dists

src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/BouncyGPG.java

@@ -2,6 +2,7 @@
 
 
 import java.security.Security;
+
 import name.neuhalfen.projects.crypto.bouncycastle.openpgp.keys.generation.KeyRingBuilder;
 import name.neuhalfen.projects.crypto.bouncycastle.openpgp.keys.generation.KeyRingBuilderImpl;
 import name.neuhalfen.projects.crypto.bouncycastle.openpgp.keys.generation.SimpleKeyRingBuilder;
@@ -82,7 +83,7 @@ public static SimpleKeyRingBuilder createSimpleKeyring() {
    * implementation.
    * </p>
    */
-  public synchronized static void registerProvider() {
+  public static synchronized void registerProvider() {
     Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
     Security.insertProviderAt(new BouncyCastleProvider(), 0);
   }

src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/BuildDecryptionInputStreamAPI.java

@@ -122,11 +122,13 @@ public interface Validation {
     Build andRequireSignatureFromAllKeys(Long... publicKeyIds);
 
     /**
+     * <p>
      * Decryption will enforce that the ciphertext has been signed by ALL of the public key ids
      * passed.
-     *
+     * </p>
+     *<p>
      * Given  the following keyring:
-     *
+     *</p>
      * <pre>{@code
      * $ gpg -k --keyid-format=0xlong
      *

src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/algorithms/DefaultPGPAlgorithmSuites.java

@@ -6,22 +6,23 @@ public final class DefaultPGPAlgorithmSuites {
   /**
    * GPG default algorithms.
    */
-  private final static PGPAlgorithmSuite DEFAULT_GPG = new PGPAlgorithmSuite(
+  private static final PGPAlgorithmSuite DEFAULT_GPG = new PGPAlgorithmSuite(
       PGPHashAlgorithms.SHA1,
       PGPSymmetricEncryptionAlgorithms.CAST5,
       PGPCompressionAlgorithms.ZLIB);
+
   /**
    * GPG strong crypto algorithms.
    */
-  private final static PGPAlgorithmSuite STRONG_GPG = new PGPAlgorithmSuite(
+  private static final PGPAlgorithmSuite STRONG_GPG = new PGPAlgorithmSuite(
       PGPHashAlgorithms.SHA_256,
       PGPSymmetricEncryptionAlgorithms.AES_128,
       PGPCompressionAlgorithms.ZLIB);
 
   /**
    * Algorithm suite for XEP-0373: OpenPGP for XMPP.
    */
-  private final static PGPAlgorithmSuite DEFAULT_OX = new PGPAlgorithmSuite(
+  private static final PGPAlgorithmSuite DEFAULT_OX = new PGPAlgorithmSuite(
       PGPHashAlgorithms.SHA_256,
       PGPSymmetricEncryptionAlgorithms.AES_128,
       PGPCompressionAlgorithms.UNCOMPRESSED);
@@ -48,6 +49,9 @@ public static PGPAlgorithmSuite strongSuite() {
     return STRONG_GPG;
   }
 
+  /**
+  * Algorithm suite for XEP-0373: OpenPGP for XMPP.
+  */
   public static PGPAlgorithmSuite oxSuite() {
     return DEFAULT_OX;
   }

src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/algorithms/Feature.java

@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package name.neuhalfen.projects.crypto.bouncycastle.openpgp.algorithms;
 
 import java.util.HashMap;

src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/algorithms/PGPCompressionAlgorithms.java

@@ -30,9 +30,9 @@ public enum PGPCompressionAlgorithms {
    */
   BZIP2(CompressionAlgorithmTags.BZIP2);
 
-  private final static Set<PGPCompressionAlgorithms> RECOMMENDED_ALGORITHMS = SetUtils
+  private static final Set<PGPCompressionAlgorithms> RECOMMENDED_ALGORITHMS = SetUtils
       .unmodifiableSet(BZIP2, ZLIB, ZIP, UNCOMPRESSED);
-  private final static int[] RECOMMENDED_ALGORITHM_IDS =
+  private static final int[] RECOMMENDED_ALGORITHM_IDS =
       RECOMMENDED_ALGORITHMS.stream().mapToInt(algorithm -> algorithm.algorithmId).toArray();
   private final int algorithmId;
 

src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/algorithms/PGPHashAlgorithms.java

@@ -58,12 +58,12 @@ public enum PGPHashAlgorithms {
    */
   HAVAL_5_160(HashAlgorithmTags.HAVAL_5_160, true,true);
 
-  private final static Set<PGPHashAlgorithms> RECOMMENDED_ALGORITHMS = Collections
+  private static final Set<PGPHashAlgorithms> RECOMMENDED_ALGORITHMS = Collections
       .unmodifiableSet(
           Arrays.stream(
-              PGPHashAlgorithms.values()).filter(alg -> !alg.insecure && alg.supportedInGPG )
+              PGPHashAlgorithms.values()).filter(alg -> !alg.insecure && alg.supportedInGPG)
               .collect(Collectors.toSet()));
-  private final static int[] RECOMMENDED_ALGORITHM_IDS =
+  private static final int[] RECOMMENDED_ALGORITHM_IDS =
       RECOMMENDED_ALGORITHMS.stream().mapToInt(algorithm -> algorithm.algorithmId).toArray();
   private final int algorithmId;
   private final boolean insecure;

src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/algorithms/PGPSymmetricEncryptionAlgorithms.java

@@ -40,7 +40,7 @@ public enum PGPSymmetricEncryptionAlgorithms {
   BLOWFISH(SymmetricKeyAlgorithmTags.BLOWFISH, true),
 
   /**
-   * SAFER-SK128 (13 rounds) [SAFER] <p> Insecure: 64 bit blocksize.
+   * SAFER-SK128 (13 rounds) [SAFER] [INSECURE]:  64 bit blocksize.
    */
   SAFER(SymmetricKeyAlgorithmTags.SAFER, true),
 
@@ -85,13 +85,13 @@ public enum PGPSymmetricEncryptionAlgorithms {
   CAMELLIA_256(SymmetricKeyAlgorithmTags.CAMELLIA_256, false);
 
 
-  private final static Set<PGPSymmetricEncryptionAlgorithms> RECOMMENDED_ALGORITHMS = Collections
+  private static final Set<PGPSymmetricEncryptionAlgorithms> RECOMMENDED_ALGORITHMS = Collections
       .unmodifiableSet(
           Arrays.stream(
               PGPSymmetricEncryptionAlgorithms.values())
               .filter(alg -> !alg.insecure)
               .collect(Collectors.toSet()));
-  private final static int[] RECOMMENDED_ALGORITHM_IDS =
+  private static final int[] RECOMMENDED_ALGORITHM_IDS =
       RECOMMENDED_ALGORITHMS.stream().mapToInt(algorithm -> algorithm.algorithmId).toArray();
   private final int algorithmId;
   private final boolean insecure;

src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/algorithms/PublicKeyAlgorithm.java

@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package name.neuhalfen.projects.crypto.bouncycastle.openpgp.algorithms;
 
 import java.util.HashMap;