This is an automated email from the ASF dual-hosted git repository.
mattyb149 pushed a commit to branch support/nifi-1.x
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/support/nifi-1.x by this push:
new cdb0b8d90c NIFI-13429 Corrected EncryptContentPGP Packet Detection
cdb0b8d90c is described below
commit cdb0b8d90cff5929fb7c972520961bbb9790ffc9
Author: exceptionfactory <[email protected]>
AuthorDate: Thu Jun 20 15:21:38 2024 -0500
NIFI-13429 Corrected EncryptContentPGP Packet Detection
- Added set of expected OpenPGP Packet Tags to avoid misidentification
Signed-off-by: Matt Burgess <[email protected]>
Changed Set.of() for backport
---
.../apache/nifi/processors/pgp/EncryptContentPGP.java | 12 +++++++++++-
.../nifi/processors/pgp/EncryptContentPGPTest.java | 18 ++++++++++++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
index 9b676fd830..578d9b4732 100644
---
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/main/java/org/apache/nifi/processors/pgp/EncryptContentPGP.java
@@ -47,6 +47,7 @@ import org.apache.nifi.util.StringUtils;
import org.bouncycastle.bcpg.BCPGInputStream;
import org.bouncycastle.bcpg.Packet;
+import org.bouncycastle.bcpg.PacketTags;
import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
@@ -336,6 +337,13 @@ public class EncryptContentPGP extends AbstractProcessor {
}
private static class EncryptStreamCallback extends EncodingStreamCallback {
+ // Set of OpenPGP Packet Tags indicating signed or packaged messages
+ private static final Set<Integer> PACKAGED_PACKET_TAGS = new
HashSet(Arrays.asList(
+ PacketTags.ONE_PASS_SIGNATURE,
+ PacketTags.COMPRESSED_DATA,
+ PacketTags.LITERAL_DATA
+ ));
+
private final PGPEncryptedDataGenerator encryptedDataGenerator;
private final ComponentLog logger;
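Review bot: `PACKAGED_PACKET_TAGS` is built with the raw type `new HashSet(Arrays.asList(...))`, which compiles only with an unchecked-conversion warning and leaves the set mutable. Use the diamond and wrap the result, so the tag list that drives packet classification cannot be altered after class initialisation: `Collections.unmodifiableSet(new HashSet<>(Arrays.asList(PacketTags.ONE_PASS_SIGNATURE, PacketTags.COMPRESSED_DATA, PacketTags.LITERAL_DATA)))`. The import hunk adds only `PacketTags`, so confirm that `java.util.Arrays`, `java.util.HashSet` and (if wrapping) `java.util.Collections` are already imported; the existing import list is outside the visible hunks. The body of `EncryptStreamCallback` continues outside this hunk.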
@@ -389,7 +397,9 @@ public class EncryptContentPGP extends AbstractProcessor {
if (packet == null) {
logger.debug("PGP Packet not found");
} else {
- packetFound = true;
+ final int packetTag = packet.getPacketTag();
+ logger.debug("PGP Packet Tag [{}] read", packetTag);
+ packetFound = PACKAGED_PACKET_TAGS.contains(packetTag);
}
} catch (final Exception e) {
logger.debug("PGP Packet read failed", e);
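Review bot: With `packetFound = PACKAGED_PACKET_TAGS.contains(packetTag)`, content that begins with a valid OpenPGP packet outside the three listed tags is now classified as unpackaged, and only a debug log records it. That appears to include older-style signed messages that start with a signature packet rather than a one-pass signature, and messages preceded by a marker packet. Confirm whether those should count as packaged (`PacketTags.SIGNATURE`, `PacketTags.MARKER`); how `packetFound` is used lies outside the hunk, so the effect on such input cannot be judged from here. If the exclusion is intended, state it at the assignment, e.g. `// Tags outside PACKAGED_PACKET_TAGS are treated as unpackaged input`. The enclosing method starts and ends outside the hunk.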
diff --git
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
index 81447060d6..a65cf0cc03 100644
---
a/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
+++
b/nifi-nar-bundles/nifi-pgp-bundle/nifi-pgp-processors/src/test/java/org/apache/nifi/processors/pgp/EncryptContentPGPTest.java
@@ -81,6 +81,8 @@ public class EncryptContentPGPTest {
private static final byte[] DATA_BINARY =
DATA.getBytes(StandardCharsets.UTF_8);
+ private static final byte EXPERIMENTAL_PACKET_INDICATOR = -1;
+
private static final SymmetricKeyAlgorithm DEFAULT_SYMMETRIC_KEY_ALGORITHM
=
SymmetricKeyAlgorithm.valueOf(EncryptContentPGP.SYMMETRIC_KEY_ALGORITHM.getDefaultValue());
private static final String SERVICE_ID =
PGPPublicKeyService.class.getName();
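Review bot: `EXPERIMENTAL_PACKET_INDICATOR = -1` is a magic value whose link to OpenPGP is not stated. As a byte it is 0xFF, which reads as a new-format packet header with tag 63, in the private or experimental range. A comment on the constant would make the test's intent checkable, e.g. `// 0xFF: new-format OpenPGP header byte with tag 63 (private or experimental range)`.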
@@ -210,6 +212,22 @@ public class EncryptContentPGPTest {
assertSuccess(rsaPrivateKey, DecryptionStrategy.PACKAGED, signedData);
}
+ @Test
+ public void testSuccessPublicKeyEncryptionExperimentalPacketTag() throws
IOException, PGPException, InitializationException {
+ final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
+ setPublicKeyService(publicKey);
+ final String publicKeyIdSearch =
KeyIdentifierConverter.format(publicKey.getKeyID());
+
when(publicKeyService.findPublicKey(eq(publicKeyIdSearch))).thenReturn(Optional.of(publicKey));
+
+ final byte[] bytes = DATA.getBytes(StandardCharsets.UTF_8);
+ bytes[0] = EXPERIMENTAL_PACKET_INDICATOR;
+
+ runner.enqueue(bytes);
+ runner.run();
+
+ assertSuccess(rsaPrivateKey, DecryptionStrategy.DECRYPTED, bytes);
+ }
+
@Test
public void testSuccessPasswordBasedAndPublicKeyEncryptionRsaPublicKey()
throws IOException, InitializationException, PGPException {
final PGPPublicKey publicKey = rsaSecretKey.getPublicKey();
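Review bot: `testSuccessPublicKeyEncryptionExperimentalPacketTag` exercises only an experimental first byte, so the tag list itself is not pinned by a test. Nothing here would fail if a standard but unlisted tag were later treated as packaged again. Consider a companion case whose first packet carries a standard tag outside the set and asserts `DecryptionStrategy.DECRYPTED`. Taking a fresh `DATA.getBytes(StandardCharsets.UTF_8)` copy is correct because `bytes[0]` is overwritten and the shared `DATA_BINARY` must stay intact; a short comment such as `// fresh copy: first byte is overwritten below` would keep it from being replaced with the constant.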