This is an automated email from the ASF dual-hosted git repository.

pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new de641a96adc NIFI-15771 Fixed checking empty Private Key for PGP Secret 
Key (#11084)
de641a96adc is described below

commit de641a96adc9dcdec8db6124ae603a1518d361a5
Author: David Handermann <[email protected]>
AuthorDate: Tue Mar 31 12:43:10 2026 -0500

    NIFI-15771 Fixed checking empty Private Key for PGP Secret Key (#11084)
---
 .../standard/StandardPGPPrivateKeyService.java     |  5 ++-
 .../exception/PGPConfigurationException.java       |  4 ++
 .../standard/StandardPGPPrivateKeyServiceTest.java | 17 ++++++++-
 .../standard/StandardPGPPublicKeyServiceTest.java  |  3 +-
 .../nifi/pgp/util/PGPSecretKeyGenerator.java       | 43 ++++++++++++++++++++++
 5 files changed, 67 insertions(+), 5 deletions(-)

diff --git 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/main/java/org/apache/nifi/pgp/service/standard/StandardPGPPrivateKeyService.java
 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/main/java/org/apache/nifi/pgp/service/standard/StandardPGPPrivateKeyService.java
index 080df197508..616b1a0e508 100644
--- 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/main/java/org/apache/nifi/pgp/service/standard/StandardPGPPrivateKeyService.java
+++ 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/main/java/org/apache/nifi/pgp/service/standard/StandardPGPPrivateKeyService.java
@@ -114,7 +114,7 @@ public class StandardPGPPrivateKeyService extends 
AbstractControllerService impl
 
             privateKeys = extractedPrivateKeys.stream().collect(
                     Collectors.toMap(
-                            privateKey -> privateKey.getKeyID(),
+                            PGPPrivateKey::getKeyID,
                             privateKey -> privateKey
                     )
             );
@@ -263,6 +263,9 @@ public class StandardPGPPrivateKeyService extends 
AbstractControllerService impl
                 final String keyIdentifier = 
KeyIdentifierConverter.format(keyId);
                 try {
                     final PGPPrivateKey privateKey = 
secretKey.extractPrivateKey(keyDecryptor);
+                    if (privateKey == null) {
+                        throw new PGPConfigurationException("Private Key empty 
for Secret Key [%s]".formatted(keyId));
+                    }
                     extractedPrivateKeys.add(privateKey);
                     getLogger().debug("Extracted Private Key [{}]", 
keyIdentifier);
                 } catch (final PGPException e) {
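Review bot: The new exception message formats the raw `keyId`, while the rest of this block reports the key through `keyIdentifier`, the `KeyIdentifierConverter.format(keyId)` value used in the debug log two lines below. An operator reading the validation error will therefore see a different representation of the key than the one logged elsewhere. Using `"Private Key empty for Secret Key [%s]".formatted(keyIdentifier)` keeps the two consistent. Separately, if `extractPrivateKey` also returns null for a keyring whose primary secret key was stripped and only the subkeys carry private material (not confirmable from this hunk), throwing here rejects the whole keyring rather than skipping that one key; a comment stating that this is intended would help. The enclosing method starts and ends outside the hunk.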
diff --git 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/main/java/org/apache/nifi/pgp/service/standard/exception/PGPConfigurationException.java
 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/main/java/org/apache/nifi/pgp/service/standard/exception/PGPConfigurationException.java
index 7a6be079515..ed4a979b0f9 100644
--- 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/main/java/org/apache/nifi/pgp/service/standard/exception/PGPConfigurationException.java
+++ 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/main/java/org/apache/nifi/pgp/service/standard/exception/PGPConfigurationException.java
@@ -22,6 +22,10 @@ package org.apache.nifi.pgp.service.standard.exception;
 public class PGPConfigurationException extends RuntimeException {
     private static final long serialVersionUID = 1L;
 
+    public PGPConfigurationException(final String message) {
+        super(message);
+    }
+
     public PGPConfigurationException(final String message, final Throwable 
cause) {
         super(message, cause);
     }
diff --git 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apche/nifi/pgp/service/standard/StandardPGPPrivateKeyServiceTest.java
 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apache/nifi/pgp/service/standard/StandardPGPPrivateKeyServiceTest.java
similarity index 90%
rename from 
nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apche/nifi/pgp/service/standard/StandardPGPPrivateKeyServiceTest.java
rename to 
nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apache/nifi/pgp/service/standard/StandardPGPPrivateKeyServiceTest.java
index 5793fdeb01d..aac02b761be 100644
--- 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apche/nifi/pgp/service/standard/StandardPGPPrivateKeyServiceTest.java
+++ 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apache/nifi/pgp/service/standard/StandardPGPPrivateKeyServiceTest.java
@@ -14,9 +14,8 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apche.nifi.pgp.service.standard;
+package org.apache.nifi.pgp.service.standard;
 
-import org.apache.nifi.pgp.service.standard.StandardPGPPrivateKeyService;
 import org.apache.nifi.pgp.util.PGPFileUtils;
 import org.apache.nifi.pgp.util.PGPSecretKeyGenerator;
 import org.apache.nifi.util.NoOpProcessor;
@@ -93,6 +92,20 @@ public class StandardPGPPrivateKeyServiceTest {
         runner.assertNotValid(service);
     }
 
+    @Test
+    public void testEmptySecretKeyNotValid() throws Exception {
+        runner.addControllerService(SERVICE_ID, service);
+
+        final PGPSecretKeyRing secretKeyRing = 
PGPSecretKeyGenerator.generateEmptySecretKeyRing();
+        final byte[] secretKeyRingEncoded = secretKeyRing.getEncoded();
+        final String keyring = PGPFileUtils.getArmored(secretKeyRingEncoded);
+
+        runner.setProperty(service, StandardPGPPrivateKeyService.KEYRING, 
keyring);
+        runner.setProperty(service, StandardPGPPrivateKeyService.KEY_PASSWORD, 
String.class.getSimpleName());
+
+        runner.assertNotValid(service);
+    }
+
     @Test
     public void testFindPrivateKeyRsaBinaryKeyring() throws Exception {
         runner.addControllerService(SERVICE_ID, service);
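Review bot: `runner.assertNotValid(service)` in `testEmptySecretKeyNotValid` passes for any validation failure, so the test would still succeed if the generated keyring were rejected earlier, for example while being parsed, and the new null check were never reached. Asserting that the validation explanation contains the "Private Key empty" message would pin the path this commit fixes. The password `String.class.getSimpleName()` is an indirect way to spell a placeholder value; a named constant would read more clearly, unless this is already the convention in the test class, which is not visible here.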
diff --git 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apche/nifi/pgp/service/standard/StandardPGPPublicKeyServiceTest.java
 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apache/nifi/pgp/service/standard/StandardPGPPublicKeyServiceTest.java
similarity index 97%
rename from 
nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apche/nifi/pgp/service/standard/StandardPGPPublicKeyServiceTest.java
rename to 
nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apache/nifi/pgp/service/standard/StandardPGPPublicKeyServiceTest.java
index f7a2f7e86db..041bf59ad04 100644
--- 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apche/nifi/pgp/service/standard/StandardPGPPublicKeyServiceTest.java
+++ 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-service/src/test/java/org/apache/nifi/pgp/service/standard/StandardPGPPublicKeyServiceTest.java
@@ -14,10 +14,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apche.nifi.pgp.service.standard;
+package org.apache.nifi.pgp.service.standard;
 
 import org.apache.nifi.pgp.service.api.KeyIdentifierConverter;
-import org.apache.nifi.pgp.service.standard.StandardPGPPublicKeyService;
 import org.apache.nifi.pgp.util.PGPFileUtils;
 import org.apache.nifi.pgp.util.PGPSecretKeyGenerator;
 import org.apache.nifi.util.NoOpProcessor;
diff --git 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-test-utils/src/main/java/org/apache/nifi/pgp/util/PGPSecretKeyGenerator.java
 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-test-utils/src/main/java/org/apache/nifi/pgp/util/PGPSecretKeyGenerator.java
index 6b1df078fcb..4be9309b14b 100644
--- 
a/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-test-utils/src/main/java/org/apache/nifi/pgp/util/PGPSecretKeyGenerator.java
+++ 
b/nifi-extension-bundles/nifi-pgp-bundle/nifi-pgp-test-utils/src/main/java/org/apache/nifi/pgp/util/PGPSecretKeyGenerator.java
@@ -16,8 +16,12 @@
  */
 package org.apache.nifi.pgp.util;
 
+import org.bouncycastle.bcpg.BCPGOutputStream;
 import org.bouncycastle.bcpg.HashAlgorithmTags;
 import org.bouncycastle.bcpg.PublicKeyPacket;
+import org.bouncycastle.bcpg.SecretKeyPacket;
+import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
+import org.bouncycastle.bcpg.UserIDPacket;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openpgp.PGPEncryptedData;
 import org.bouncycastle.openpgp.PGPException;
@@ -30,15 +34,18 @@ import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
 import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
+import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
 import 
org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair;
 import 
org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyEncryptorBuilder;
 
+import java.io.ByteArrayOutputStream;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.util.Date;
+import java.util.Iterator;
 
 /**
  * Pretty Good Privacy Secret Key Generator utilities
@@ -93,6 +100,42 @@ public class PGPSecretKeyGenerator {
         return new PGPSecretKey(PGPSignature.DEFAULT_CERTIFICATION, 
pgpKeyPair, KEY_IDENTITY, digestCalculator, null, null, signerBuilder, 
encryptor);
     }
 
+    /**
+     * Generate Secret Key Ring with an empty Secret Key
+     *
+     * @return PGP Secret Key Ring
+     * @throws Exception Thrown on key generation failures
+     */
+    public static PGPSecretKeyRing generateEmptySecretKeyRing() throws 
Exception {
+        final PGPKeyPair pgpKeyPair = getRsaKeyPair();
+
+        final PGPPublicKey publicKey = pgpKeyPair.getPublicKey();
+        final PublicKeyPacket publicKeyPacket = publicKey.getPublicKeyPacket();
+        final SecretKeyPacket secretKeyPacket = new 
SecretKeyPacket(publicKeyPacket, SymmetricKeyAlgorithmTags.NULL, null, null, 
null);
+
+        final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+        final BCPGOutputStream packetOutputStream = new 
BCPGOutputStream(outputStream);
+        secretKeyPacket.encode(packetOutputStream);
+
+        final Iterator<String> userIds = publicKey.getUserIDs();
+        while (userIds.hasNext()) {
+            final String userId = userIds.next();
+            final UserIDPacket userIdPacket = new UserIDPacket(userId);
+            userIdPacket.encode(packetOutputStream);
+
+            final Iterator<PGPSignature> signatures = 
publicKey.getSignaturesForID(userId);
+            while (signatures.hasNext()) {
+                final PGPSignature signature = signatures.next();
+                signature.encode(packetOutputStream);
+            }
+        }
+
+        packetOutputStream.close();
+        final byte[] secretKeyPacketEncoded = outputStream.toByteArray();
+
+        return new PGPSecretKeyRing(secretKeyPacketEncoded, new 
JcaKeyFingerprintCalculator());
+    }
+
     private static PGPKeyPair getDsaKeyPair() throws NoSuchAlgorithmException, 
PGPException {
         final KeyPairGenerator dsaKeyPairGenerator = 
KeyPairGenerator.getInstance(DSA_KEY_ALGORITHM);
         dsaKeyPairGenerator.initialize(DSA_KEY_SIZE);
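Review bot: `packetOutputStream` in `generateEmptySecretKeyRing` is closed by an explicit `close()` call, so an exception from any of the `encode(...)` calls skips the close; `try (BCPGOutputStream packetOutputStream = new BCPGOutputStream(outputStream)) { ... }` is the idiomatic form. The Javadoc could also say what "empty" means here: the packet is built with `SymmetricKeyAlgorithmTags.NULL` and null secret key data, which is the input the service's new null check is meant to reject. The user ID loop reads identities from the public key of a freshly generated pair; if `getRsaKeyPair()` returns a bare key pair with no identities attached (its body is outside this hunk), the loop never runs and could be dropped. `getDsaKeyPair` at the end of the hunk continues outside it.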
