Introduce iteration limit to prevent resource exhaustion when reading keys

2025-09-12 11:49:38 +02:00 · 2021-12-06 17:11:42 +01:00 · 2021-12-06 17:11:42 +01:00 · 82cbe467f2
commit 82cbe467f2
parent c4618617f6
2 changed files with 159 additions and 7 deletions
--- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
@ -5,6 +5,7 @@
 package org.pgpainless.key.parsing;

 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;

 import java.io.ByteArrayInputStream;
@ -475,4 +476,88 @@ class KeyRingReaderTest {
        assertTrue(secretKeys.contains(alice.getSecretKey().getKeyID()));
        assertTrue(secretKeys.contains(bob.getSecretKey().getKeyID()));
    }
+
+    @Test
+    public void testReadingSecretKeysExceedsIterationLimit()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null);
+        MarkerPacket marker = TestUtils.getMarkerPacket();
+
+        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+        ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bytes);
+        BCPGOutputStream outputStream = new BCPGOutputStream(armor);
+
+        for (int i = 0; i < 600; i++) {
+            marker.encode(outputStream);
+        }
+        alice.encode(outputStream);
+
+        assertThrows(IOException.class, () ->
+                KeyRingReader.readSecretKeyRing(new ByteArrayInputStream(bytes.toByteArray()), 512));
+    }
+
+    @Test
+    public void testReadingSecretKeyCollectionExceedsIterationLimit()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null);
+        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org", null);
+        MarkerPacket marker = TestUtils.getMarkerPacket();
+
+        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+        ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bytes);
+        BCPGOutputStream outputStream = new BCPGOutputStream(armor);
+
+        for (int i = 0; i < 600; i++) {
+            marker.encode(outputStream);
+        }
+        alice.encode(outputStream);
+        bob.encode(outputStream);
+
+        assertThrows(IOException.class, () ->
+                KeyRingReader.readSecretKeyRingCollection(new ByteArrayInputStream(bytes.toByteArray()), 512));
+    }
+
+
+    @Test
+    public void testReadingPublicKeysExceedsIterationLimit()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null);
+        PGPPublicKeyRing alice = PGPainless.extractCertificate(secretKeys);
+        MarkerPacket marker = TestUtils.getMarkerPacket();
+
+        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+        ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bytes);
+        BCPGOutputStream outputStream = new BCPGOutputStream(armor);
+
+        for (int i = 0; i < 600; i++) {
+            marker.encode(outputStream);
+        }
+        alice.encode(outputStream);
+
+        assertThrows(IOException.class, () ->
+                KeyRingReader.readPublicKeyRing(new ByteArrayInputStream(bytes.toByteArray()), 512));
+    }
+
+    @Test
+    public void testReadingPublicKeyCollectionExceedsIterationLimit()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing sec1 = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null);
+        PGPSecretKeyRing sec2 = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org", null);
+        PGPPublicKeyRing alice = PGPainless.extractCertificate(sec1);
+        PGPPublicKeyRing bob = PGPainless.extractCertificate(sec2);
+        MarkerPacket marker = TestUtils.getMarkerPacket();
+
+        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+        ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bytes);
+        BCPGOutputStream outputStream = new BCPGOutputStream(armor);
+
+        for (int i = 0; i < 600; i++) {
+            marker.encode(outputStream);
+        }
+        alice.encode(outputStream);
+        bob.encode(outputStream);
+
+        assertThrows(IOException.class, () ->
+                KeyRingReader.readPublicKeyRingCollection(new ByteArrayInputStream(bytes.toByteArray()), 512));
+    }
 }