This is an automated email from the ASF dual-hosted git repository. mattyb149 pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push: new 65739826c4 NIFI-13429 Corrected EncryptContentPGP Packet Detection 65739826c4 is described below commit 65739826c43f12981708a9feaa0f4d609d624653 Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Thu Jun 20 15:21:38 2024 -0500 NIFI-13429 Corrected EncryptContentPGP Packet Detection - Added set of expected OpenPGP Packet Tags to avoid misidentification Signed-off-by: Matt Burgess <mattyb...@apache.org> This closes #8990 --- .../apache/nifi/processors/pgp/EncryptContentPGP.java | 12 +++++++++++- .../nifi/processors/pgp/EncryptContentPGPTest.java | 18 ++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
index f62c7caeea..62255ca435 100644
--- a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
+++ b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
@@ -47,6 +47,7 @@ import org.apache.nifi.util.StringUtils;
 import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.bcpg.Packet;
+import org.bouncycastle.bcpg.PacketTags;
 import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
@@ -321,6 +322,13 @@ public class EncryptContentPGP extends AbstractProcessor {
 }
 private static class EncryptStreamCallback extends EncodingStreamCallback {
+ // Set of OpenPGP Packet Tags indicating signed or packaged messages
+ private static final Set<Integer> PACKAGED_PACKET_TAGS = Set.of(
+ PacketTags.ONE_PASS_SIGNATURE,
+ PacketTags.COMPRESSED_DATA,
+ PacketTags.LITERAL_DATA
+ );
+
 private final PGPEncryptedDataGenerator encryptedDataGenerator;
 private final ComponentLog logger;
@@ -373,7 +381,9 @@ public class EncryptContentPGP extends AbstractProcessor {
 if (packet == null) {
 logger.debug("PGP Packet not found");
 } else {
- packetFound = true;
+ final int packetTag = packet.getPacketTag();
+ logger.debug("PGP Packet Tag [{}] read", packetTag);
+ packetFound = PACKAGED_PACKET_TAGS.contains(packetTag);
 }
 } catch (final Exception e) {
 logger.debug("PGP Packet read failed", e);
diff --git a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
index acfd413184..8fd453308f 100644
--- a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
+++ b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
@@ -80,6 +80,8 @@ public class EncryptContentPGPTest {
 private static final byte[] DATA_BINARY = DATA.getBytes(StandardCharsets.UTF_8);
+ private static final byte EXPERIMENTAL_PACKET_INDICATOR = -1;
+
 private static final SymmetricKeyAlgorithm DEFAULT_SYMMETRIC_KEY_ALGORITHM = SymmetricKeyAlgorithm.valueOf(EncryptContentPGP.SYMMETRIC_KEY_ALGORITHM.getDefaultValue());
 private static final String SERVICE_ID = PGPPublicKeyService.class.getName();
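Review bot: The comment above `PACKAGED_PACKET_TAGS` does not say why these three tags are treated as the complete set, and the set leaves out `PacketTags.SIGNATURE`. RFC 4880 also lets a signed message begin with a Signature packet instead of a One-Pass Signature packet, so such input would presumably be classified as unpackaged and wrapped again as literal data. Either add `PacketTags.SIGNATURE,` to the set or record the omission, for example `// First-packet tags of a packaged OpenPGP message (one-pass signed, compressed, literal); messages starting with a Signature packet are not recognized`. The body of EncryptStreamCallback continues outside the hunk.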
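Review bot: `packetFound` is still decided from the first parsed tag alone, so unpackaged binary content whose leading byte happens to encode a one-pass signature, compressed data or literal data tag will presumably still be treated as an existing OpenPGP message and encrypted without a literal data wrapper. The allowlist narrows the false positives that `packetFound = true` produced but does not remove them, and nothing at this call site records that limit. A comment such as `// Heuristic: only the first packet tag is checked; content that starts with a matching header byte is passed through as packaged` would make the residual risk visible to the next maintainer. The enclosing method starts and ends outside the hunk, so how the stream is buffered and reset around this read is not visible here.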
@@ -197,6 +199,22 @@ public class EncryptContentPGPTest {
 assertSuccess(rsaPrivateKey, DecryptionStrategy.PACKAGED, signedData);
 }
+ @Test
+ public void testSuccessPublicKeyEncryptionExperimentalPacketTag() throws IOException, PGPException, InitializationException {
+ final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
+ setPublicKeyService(publicKey);
+ final String publicKeyIdSearch = KeyIdentifierConverter.format(publicKey.getKeyID());
+ when(publicKeyService.findPublicKey(eq(publicKeyIdSearch))).thenReturn(Optional.of(publicKey));
+
+ final byte[] bytes = DATA.getBytes(StandardCharsets.UTF_8);
+ bytes[0] = EXPERIMENTAL_PACKET_INDICATOR;
+
+ runner.enqueue(bytes);
+ runner.run();
+
+ assertSuccess(rsaPrivateKey, DecryptionStrategy.DECRYPTED, bytes);
+ }
+
 @Test
 public void testSuccessPasswordBasedAndPublicKeyEncryptionRsaPublicKey() throws IOException, InitializationException, PGPException {
 final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
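Review bot: The new test pins only one rejected value, the `-1` indicator byte, so the allowlist itself is not exercised: nothing checks content whose first byte encodes a valid OpenPGP tag outside `PACKAGED_PACKET_TAGS`, such as a public key or signature packet header. A second case that sets `bytes[0]` to such a header byte and still expects `DecryptionStrategy.DECRYPTED` would help guard against a regression to accepting any parsed packet, although whether the packet read succeeds for that input depends on parser behaviour not shown here. `EXPERIMENTAL_PACKET_INDICATOR` in the earlier hunk of this file would also read more clearly with a comment such as `// 0xFF: new-format packet header with tag 63, in the private/experimental range`.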