Repository: camel Updated Branches: refs/heads/master 0ec853096 -> 803e37dd9
CAMEL-11063: PGP Decryptor does not make Integrity check Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/803e37dd Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/803e37dd Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/803e37dd Branch: refs/heads/master Commit: 803e37dd944ff120ca000de2dc86cf1d64bac7be Parents: 0ec8530 Author: Franz Forsthofer <franz.forstho...@sap.com> Authored: Fri Mar 24 14:14:14 2017 +0100 Committer: Franz Forsthofer <franz.forstho...@sap.com> Committed: Fri Mar 24 14:14:14 2017 +0100 ---------------------------------------------------------------------- .../crypto/PGPKeyAccessDataFormat.java | 34 ++++++++++++++++++-- 1 file changed, 31 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/803e37dd/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPKeyAccessDataFormat.java ----------------------------------------------------------------------
diff --git a/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPKeyAccessDataFormat.java b/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPKeyAccessDataFormat.java
index 1f2aae1..d3e17ad 100644
--- a/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPKeyAccessDataFormat.java
+++ b/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPKeyAccessDataFormat.java
@@ -369,7 +369,8 @@ public class PGPKeyAccessDataFormat extends ServiceSupport implements DataFormat
 try {
 in = PGPUtil.getDecoderStream(encryptedStream);
- encData = getDecryptedData(exchange, in);
+ DecryptedDataAndPPublicKeyEncryptedData encDataAndPbe = getDecryptedData(exchange, in);
+ encData = encDataAndPbe.getDecryptedData();
 PGPObjectFactory pgpFactory = new PGPObjectFactory(encData, new BcKeyFingerprintCalculator());
 Object object = pgpFactory.nextObject();
 if (object instanceof PGPCompressedData) {
@@ -412,6 +413,12 @@ public class PGPKeyAccessDataFormat extends ServiceSupport implements DataFormat
 osb.flush();
 }
 verifySignature(pgpFactory, signature);
+ PGPPublicKeyEncryptedData pbe = encDataAndPbe.getPbe();
+ if (pbe.isIntegrityProtected()) {
+ if (!pbe.verify()) {
+ throw new PGPException("Message failed integrity check");
+ }
+ }
 } finally {
 IOHelper.close(osb, litData, uncompressedData, encData, in, encryptedStream);
 }
@@ -419,7 +426,7 @@ public class PGPKeyAccessDataFormat extends ServiceSupport implements DataFormat
 return osb.build();
 }
- private InputStream getDecryptedData(Exchange exchange, InputStream encryptedStream) throws Exception, PGPException {
+ private DecryptedDataAndPPublicKeyEncryptedData getDecryptedData(Exchange exchange, InputStream encryptedStream) throws Exception, PGPException {
 PGPObjectFactory pgpFactory = new PGPObjectFactory(encryptedStream, new BcKeyFingerprintCalculator());
 Object firstObject = pgpFactory.nextObject();
 // the first object might be a PGP marker packet
@@ -448,7 +455,7 @@ public class PGPKeyAccessDataFormat extends ServiceSupport implements DataFormat
 }
 InputStream encData = pbe.getDataStream(new JcePublicKeyDataDecryptorFactoryBuilder().setProvider(getProvider()).build(key));
- return encData;
+ return new DecryptedDataAndPPublicKeyEncryptedData(encData, pbe);
 }
 private PGPEncryptedDataList getEcryptedDataList(PGPObjectFactory pgpFactory, Object firstObject) throws IOException {
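Review bot: A message that carries no MDC packet still passes, because the integrity check in the second hunk only runs inside `if (pbe.isIntegrityProtected())`; a ciphertext produced without integrity protection (a legacy symmetrically-encrypted packet instead of an SEIPD one) is decrypted and returned with no integrity check at all, which is the very case a ciphertext-malleability attack would present. Given the ticket's intent, consider rejecting such input by default, e.g. `if (!pbe.isIntegrityProtected()) { throw new PGPException("Message is not integrity protected"); }` ahead of the existing `verify()` call, or at minimum logging a warning whenever that branch is skipped so operators can see downgraded traffic. The placement of the check also appears to rely on the decrypted stream having been fully consumed before `verify()` is called, which the preceding `osb.flush()` suggests but the loop draining `litData` lies outside the hunk, so that ordering should be confirmed and recorded with a comment such as `// verify() is only meaningful once the whole decrypted stream has been read`. The enclosing unmarshal method starts before and ends after this hunk.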
@@ -777,4 +784,25 @@ public class PGPKeyAccessDataFormat extends ServiceSupport implements DataFormat
 protected void doStop() throws Exception { //NOPMD
 // noop
 }
+
+ private static class DecryptedDataAndPPublicKeyEncryptedData {
+
+ private final InputStream decryptedData;
+
+ private final PGPPublicKeyEncryptedData pbe;
+
+ DecryptedDataAndPPublicKeyEncryptedData(InputStream decryptedData, PGPPublicKeyEncryptedData pbe) {
+ this.decryptedData = decryptedData;
+ this.pbe = pbe;
+ }
+
+ public InputStream getDecryptedData() {
+ return decryptedData;
+ }
+
+ public PGPPublicKeyEncryptedData getPbe() {
+ return pbe;
+ }
+
+ }
 }
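Review bot: The new holder class has a doubled letter in its name, `DecryptedDataAndPPublicKeyEncryptedData`, and no Javadoc explaining why the encrypted-data packet is carried alongside the plaintext stream; both make the type harder to read than it needs to be. Renaming it to `DecryptedDataAndPublicKeyEncryptedData` would also touch the return type, constructor call and local declaration introduced in the earlier hunks of this commit. Above the class, a short Javadoc such as `/** Pairs the decrypted stream with the {@link PGPPublicKeyEncryptedData} it was read from, so the caller can run its integrity check once the stream has been fully consumed. */` would capture the purpose that is otherwise only visible from the call site. Since the two getters are the only members and the class is private, `public` on them is not needed and could be dropped for consistency with the package-private constructor.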