bouncy-gpg icon indicating copy to clipboard operation
bouncy-gpg copied to clipboard

Published 20 hours ago verified publisher icon neuhalje

NullPointerException when trying to decrypt non-encrypted data (v2.3.0)

Open lclement57 opened this issue 4 years ago • 6 comments

Describe the bug When we call the method decryptAndVerifyStream with an input stream that contains data that is not encrypted (for example only signed), there is a NullPointerException when reading the returned InputStream later thrown by name.neuhalfen.projects.crypto.bouncycastle.openpgp.decrypting.MDCValidatingInputStream.validateMDC, where the local variable pbe is null.

In v2.2.0, there was no exception, trying to decrypt a non-encrypted stream just returned the original stream. The same thing happens when trying to read an input stream obtained after trying to decrypt an input stream that was (incorrectly) encrypted twice (which is a unit test we are running).

The issue seems to be introduced by the following commit: https://github.com/neuhalje/bouncy-gpg/commit/986d43609d52e841e608d66b7c8157f321d7e760#diff-f7bfd613f0ac7d22e02bd9c1727a319dad532f787e9de5ae702da71b252580b4

Here the new MDCValidatingInputStream class is introduced, and we see that the value of pbe comes from DecryptionStreamFactory, where it is initialized only if the method nextDecryptedStream finds an instance of PGPEncryptedDataList, otherwise it stays null and is passed to the MDCValidatingInputStream where there is no null check.

To Reproduce In v2.3.0, execute a decryption with:

BouncyGPG
                        .decryptAndVerifyStream()
                        .withConfig(keyringConfig)
                        .andIgnoreSignatures()
                        .fromEncryptedInputStream(in)

where in is an input stream containing not encrypted, but signed data.

Expected behavior No NullPointerException thrown.

** System (please complete the following information):**

  • Device: workstation
  • OS: Linux
  • Java:
openjdk version "11.0.9.1" 2020-11-04
OpenJDK Runtime Environment (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)
  • Version 2.3.0

lclement57 avatar Jan 04 '21 16:01 lclement57

Thanks for the very detailed error report! This seems to be a bug. I'll try to get into that during the weekend (or ideally review a PR ;-) )

neuhalje avatar Jan 05 '21 21:01 neuhalje

Same here. Spent a couple of hours trying to understand what critical part is missing or I'm doing something completely wrong way. Until I searched "validateMDC" in this repo and get came upon this issue. Changed the version to 2.2.0 and it's working as expected. I'm not sure about PR in which cases MDCValidatingInputStream needs to be bypassed.

miks avatar Jun 16 '21 09:06 miks

It seems to be linked to my changes related to MDC verification

@neuhalje Should we look into adding a null check at the MDC verification or should we check which streams should be wrapped with the MDCVerificationInputStream in the first place ?

Sauhardstark avatar Jul 29 '21 15:07 Sauhardstark

@neuhalje / @Sauhardstark , can this be fixed asap?. we cannot downgrade to 2.2.0 as we had #56 issue in that release. Could you please check and let us know when can this be fixed. Thanks!

SandeepLakka avatar Nov 09 '23 12:11 SandeepLakka

Hi, I'll raise a PR for this immediately

Sauhardstark avatar Dec 05 '23 01:12 Sauhardstark

@SandeepLakka / @neuhalje - I've raised a PR for this. Please take a look

Sauhardstark avatar Dec 05 '23 20:12 Sauhardstark