PGPOnePassSignature: check salt size

vanitasvitae · vanitasvitae · commit b1b1b3a8e3e1 · 2024-07-01T12:43:47.000+02:00
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/PGPOnePassSignature.java b/pg/src/main/java/org/bouncycastle/openpgp/PGPOnePassSignature.java
@@ -6,6 +6,7 @@
 
 import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.bcpg.BCPGOutputStream;
+import org.bouncycastle.bcpg.HashUtils;
 import org.bouncycastle.bcpg.OnePassSignaturePacket;
 import org.bouncycastle.bcpg.Packet;
 import org.bouncycastle.bcpg.SignaturePacket;
@@ -65,9 +66,26 @@ public void init(PGPContentVerifierBuilderProvider verifierBuilderProvider, PGPP
         lastb = 0;
         sigOut = verifier.getOutputStream();
 
+        checkSaltSize();
         updateWithSalt();
     }
 
+    private void checkSaltSize()
+            throws PGPException
+    {
+        if (getVersion() != SignaturePacket.VERSION_6)
+        {
+            return;
+        }
+
+        int expectedSaltSize = HashUtils.getV6SignatureSaltSizeInBytes(getHashAlgorithm());
+        if (expectedSaltSize != getSalt().length)
+        {
+            throw new PGPException("RFC9580 defines the salt size for " + PGPUtil.getDigestName(getHashAlgorithm()) +
+                    " as " + expectedSaltSize + " octets, but signature has " + getSalt().length + " octets.");
+        }
+    }
+
     private void updateWithSalt()
             throws PGPException
     {
