PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2025-12-10 14:21:09 +01:00
Code Issues Releases Wiki Activity

Introduce iteration limit to prevent resource exhaustion when reading keys

Browse source
This commit is contained in:
Paul Schaub 2021-12-06 17:11:42 +01:00
parent c4618617f6
commit 82cbe467f2
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
2 changed files with 159 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

81
pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
View file

@ -27,6 +27,8 @@ import org.pgpainless.util.ArmorUtils;
public class KeyRingReader {
public static final int MAX_ITERATIONS = 10000;
public static final Charset UTF8 = Charset.forName("UTF-8");
public PGPPublicKeyRing publicKeyRing(@Nonnull InputStream inputStream) throws IOException {
@ -93,9 +95,23 @@ public class KeyRingReader {
}
public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream) throws IOException {
return readPublicKeyRing(inputStream, MAX_ITERATIONS);
}
/**
* Read a public key ring from the provided {@link InputStream}.
* If more than maxIterations PGP packets are encountered before a {@link PGPPublicKeyRing} is read,
* an {@link IOException} is thrown.
*
* @param inputStream input stream
* @param maxIterations max iterations before abort
* @return public key ring
*/
public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException {
PGPObjectFactory objectFactory = new PGPObjectFactory(
ArmorUtils.getDecoderStream(inputStream),
ImplementationFactory.getInstance().getKeyFingerprintCalculator());
int i = 0;
Object next;
do {
next = objectFactory.nextObject();
@ -108,17 +124,34 @@ public class KeyRingReader {
if (next instanceof PGPPublicKeyRing) {
return (PGPPublicKeyRing) next;
}
} while (true);
} while (++i < maxIterations);
throw new IOException("Loop exceeded max iteration count.");
}
public static PGPPublicKeyRingCollection readPublicKeyRingCollection(@Nonnull InputStream inputStream)
throws IOException, PGPException {
return readPublicKeyRingCollection(inputStream, MAX_ITERATIONS);
}
/**
* Read a public key ring collection from the provided {@link InputStream}.
* If more than maxIterations PGP packets are encountered before the stream is exhausted,
* an {@link IOException} is thrown.
*
* @param inputStream input stream
* @param maxIterations max iterations before abort
* @return public key ring collection
* @throws IOException
*/
public static PGPPublicKeyRingCollection readPublicKeyRingCollection(@Nonnull InputStream inputStream, int maxIterations)
throws IOException, PGPException {
PGPObjectFactory objectFactory = new PGPObjectFactory(
ArmorUtils.getDecoderStream(inputStream),
ImplementationFactory.getInstance().getKeyFingerprintCalculator());
List<PGPPublicKeyRing> rings = new ArrayList<>();
int i = 0;
Object next;
do {
next = objectFactory.nextObject();
@ -138,15 +171,30 @@ public class KeyRingReader {
rings.add(iterator.next());
}
}
} while (true);
} while (++i < maxIterations);
throw new IOException("Loop exceeded max iteration count.");
}
public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream) throws IOException {
return readSecretKeyRing(inputStream, MAX_ITERATIONS);
}
/**
* Read a secret key ring from the provided {@link InputStream}.
* If more than maxIterations PGP packets are encountered before a {@link PGPSecretKeyRing} is read,
* an {@link IOException} is thrown.
*
* @param inputStream input stream
* @param maxIterations max iterations before abort
* @return public key ring
*/
public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException {
InputStream decoderStream = ArmorUtils.getDecoderStream(inputStream);
PGPObjectFactory objectFactory = new PGPObjectFactory(
decoderStream,
ImplementationFactory.getInstance().getKeyFingerprintCalculator());
int i = 0;
Object next;
do {
next = objectFactory.nextObject();
@ -160,17 +208,34 @@ public class KeyRingReader {
Streams.drain(decoderStream);
return (PGPSecretKeyRing) next;
}
} while (true);
} while (++i < maxIterations);
throw new IOException("Loop exceeded max iteration count.");
}
public static PGPSecretKeyRingCollection readSecretKeyRingCollection(@Nonnull InputStream inputStream)
throws IOException, PGPException {
return readSecretKeyRingCollection(inputStream, MAX_ITERATIONS);
}
/**
* Read a secret key ring collection from the provided {@link InputStream}.
* If more than maxIterations PGP packets are encountered before the stream is exhausted,
* an {@link IOException} is thrown.
*
* @param inputStream input stream
* @param maxIterations max iterations before abort
* @return secret key ring collection
*/
public static PGPSecretKeyRingCollection readSecretKeyRingCollection(@Nonnull InputStream inputStream,
int maxIterations)
throws IOException, PGPException {
PGPObjectFactory objectFactory = new PGPObjectFactory(
ArmorUtils.getDecoderStream(inputStream),
ImplementationFactory.getInstance().getKeyFingerprintCalculator());
List<PGPSecretKeyRing> rings = new ArrayList<>();
int i = 0;
Object next;
do {
next = objectFactory.nextObject();
@ -190,7 +255,9 @@ public class KeyRingReader {
rings.add(iterator.next());
}
}
} while (true);
} while (++i < maxIterations);
throw new IOException("Loop exceeded max iteration count.");
}
public static PGPKeyRingCollection readKeyRingCollection(@Nonnull InputStream inputStream, boolean isSilent)