Details
Bug
Status: Resolved
Major
Resolution: Fixed
1.15.0, 1.26.0, 2.0.0-M3
None
Description
The EncryptContentPGP Processor performs input content evaluation to avoid additional wrapping around signed OpenPGP payloads. This content evaluation inspects the initial bytes for an OpenPGP Packet Tag, but does not evaluate the Packet Type. As a result, some types of input files, such as JPEG, can result in incorrect evaluation, producing invalid output from EncryptContentPGP. When attempting to decrypt malformed files in DecryptContentPGP, the following error occurs:
DecryptContentPGP[id=3687fd8a-0190-1000-345b-fcaaba5a3e0c] Decryption Failed StandardFlowFileRecord[uuid=2c60ab6c-16cd-49c5-b2c8-f4e3d3a8f920,claim=StandardContentClaim [resourceClaim=StandardResourceClaim[id=1718901851045-2, container=default, section=2], offset=0, length=82192],offset=0,name=unsplash.jpg,size=82192]
org.bouncycastle.openpgp.PGPRuntimeOperationException: Iterator failed to get next object: invalid header encountered
    at org.bouncycastle.openpgp.PGPObjectFactory$1.getObject(Unknown Source)
    at org.bouncycastle.openpgp.PGPObjectFactory$1.hasNext(Unknown Source)
    at org.apache.nifi.processors.pgp.DecryptContentPGP$DecryptStreamCallback.getLiteralData(DecryptContentPGP.java:357)
    at org.apache.nifi.processors.pgp.DecryptContentPGP$DecryptStreamCallback.getLiteralData(DecryptContentPGP.java:347)
    at org.apache.nifi.processors.pgp.DecryptContentPGP$DecryptStreamCallback.process(DecryptContentPGP.java:278)
    at org.apache.nifi.controller.repository.StandardProcessSession.write(StandardProcessSession.java:3425)
    at org.apache.nifi.processors.pgp.DecryptContentPGP.onTrigger(DecryptContentPGP.java:181)
    at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
    at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1274)
    at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:244)
    at org.apache.nifi.controller.scheduling.AbstractTimeBasedSchedulingAgent.lambda$doScheduleOnce$0(AbstractTimeBasedSchedulingAgent.java:59)
    at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: java.io.IOException: invalid header encountered
    at org.bouncycastle.bcpg.BCPGInputStream.readPacket(Unknown Source)
    at org.bouncycastle.openpgp.PGPSignature.<init>(Unknown Source)
    at org.bouncycastle.openpgp.PGPObjectFactory.nextObject(Unknown Source)
    ... 18 common frames omitted
The input packet evaluation should be improved to avoid incorrect identification of non-OpenPGP files.
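The difference between checking for a Packet Tag and checking the Packet Type, as an added example that is not NiFi's code or its fix. The class name, the bit-7-only model of the weak check, and the set of accepted packet types are assumptions, with the header layout taken from RFC 4880 section 4.2:

```java
import java.util.Set;

// Hypothetical helper, not NiFi code: classifies the first octet of a payload
// using the OpenPGP packet header layout from RFC 4880 section 4.2.
public class PacketTypeCheck {
    // Assumed allow-list: packet types that can begin an OpenPGP message
    private static final Set<Integer> MESSAGE_START_TYPES = Set.of(
            1,   // Public-Key Encrypted Session Key
            2,   // Signature
            3,   // Symmetric-Key Encrypted Session Key
            4,   // One-Pass Signature
            8,   // Compressed Data
            9,   // Symmetrically Encrypted Data
            11,  // Literal Data
            18   // Symmetrically Encrypted and Integrity Protected Data
    );

    // Weak check (assumed model): only bit 7, the packet header marker, is tested
    static boolean hasPacketTagMarker(byte[] content) {
        return content.length > 0 && (content[0] & 0x80) != 0;
    }

    // Packet type: bits 5-0 in new format (bit 6 set), bits 5-2 in old format
    static int packetType(byte first) {
        int octet = first & 0xFF;
        return (octet & 0x40) != 0 ? (octet & 0x3F) : ((octet & 0x3C) >> 2);
    }

    // Stricter check: marker bit set and the type is one a message can start with
    static boolean startsWithMessagePacket(byte[] content) {
        return hasPacketTagMarker(content) && MESSAGE_START_TYPES.contains(packetType(content[0]));
    }

    public static void main(String[] args) {
        // Constructed samples: JPEG SOI/APP0 marker bytes and two OpenPGP first octets
        byte[] jpeg = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0};
        byte[] oldFormatPkesk = {(byte) 0x85, 0x01, 0x0C};
        byte[] newFormatOnePass = {(byte) 0xC4, 0x0D};
        for (byte[] sample : new byte[][] {jpeg, oldFormatPkesk, newFormatOnePass}) {
            System.out.printf("first=0x%02X marker=%b type=%d message=%b%n", sample[0] & 0xFF,
                    hasPacketTagMarker(sample), packetType(sample[0]), startsWithMessagePacket(sample));
        }
    }
}
```

The JPEG sample passes the marker-bit check because 0xFF has bit 7 set, but its packet type decodes to 63, which is outside the allow-list. A first-octet test remains a heuristic; parsing the full packet header is the stronger check.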