MDC (integrity checksum) is not verified when decrypting

[ispringer]

Describe the bug MDC is not verified.

To Reproduce Step through code while decrypting a message that contains an MDC.

Expected behavior MDC should be verified when present. There should also be a way to configure MDC policy - whether MDC is required.

System

• Version: 2.2.0

Additional context https://github.com/neuhalje/bouncy-gpg/blob/master/src/main/java/name/neuhalfen/projects/crypto/bouncycastle/openpgp/decrypting/DecryptionStreamFactory.java does not appear to have any code for verifying MDC (data integrity check). I would expect to find code that looks something like this:

private static void checkDataIntegrity(PGPPublicKeyEncryptedData encryptedData) throws PGPException, IOException {
    if (encryptedData.isIntegrityProtected()) {
        if (!encryptedData.verify()) {
            throw new RuntimeException("Data failed MDC integrity check.");
        }
    } else {
        throw new RuntimeException("MDC not found - cannot check data integrity.");
    }
}

Some background on MDC and why it's important security-wise: https://gpgtools.tenderapp.com/kb/faq/modification-detection-code-mdc-errors

[Sauhardstark]

Hi @neuhalje @ispringer I'm a newbie at contribution to open source projects. I have actually used this very library in my projects, so I thought this would be a good place to start. Would you mind if I picked this up

[neuhalje]

@Sauhardstark that would be really cool!

[Sauhardstark]

@neuhalje - I've written the code but I'm facing certain issues. Is there any forum/platform where we could chat for a few minutes

[neuhalje]

Right now I am AFK. Maybe tomorrow? I think I have a Skype account buried somewhere. Would that suffice?

[Sauhardstark]

Yeah, sure tomorrow is cool. My skype mail - sauhard.sherlockholmes@gmail.com

[Sauhardstark]

Issue has been fixed pursuant to the above PR

[neuhalje]

Fixed in 2.3.0