
Fixes #5432 - PGP: Decryption fails if Zammad's address is in BCC

Tobias Schäfer 3 months ago
parent
commit
f0be88130f

+ 4 - 7
lib/secure_mailing/pgp/incoming.rb

@@ -287,14 +287,11 @@ class SecureMailing::PGP::Incoming < SecureMailing::Backend::HandlerIncoming
 
   def decrypt_keys
     @decrypt_keys ||= begin
-      keys = []
-      mail[:mail_instance].to.each { |to| keys += pgp_keys(to, :encryption, true) }
+      %i[to cc bcc].filter_map do |recipient|
+        next if mail[:mail_instance].send(recipient).blank?
 
-      if mail[:mail_instance].cc.present?
-        mail[:mail_instance].cc.each { |cc| keys += pgp_keys(cc, :encryption, true) }
-      end
-
-      keys
+        mail[:mail_instance].send(recipient).map { |address| pgp_keys(address, :encryption, true) }
+      end.flatten
     end
   end
 
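Review bot: Key selection in `decrypt_keys` still depends only on the To/Cc/Bcc headers, which are sender-supplied. A blind copy whose Bcc header was stripped in transit, or mail that arrived through an alias or list, would presumably still produce an empty key list and fail to decrypt. A comment above the loop such as `# Header-based lookup only: mail addressed to us via the envelope alone yields no keys here` would make that limit explicit. Separately, `send(recipient)` is evaluated twice per header and ignores method visibility; `addresses = mail[:mail_instance].public_send(recipient)` followed by `next if addresses.blank?` reads the field once. `pgp_keys` and the rest of the class are outside the hunk, so its behaviour for an address without a stored key is not visible here.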

+ 2 - 2
spec/fixtures/files/pgp/generate/run.sh

@@ -172,8 +172,8 @@ done
 echo "Generating encrypted test mails"
 
 # Don't use dashes (-) in email addresses unless you know what you're doing!
-# shellcheck disable=SC2042
-for TEST_MAIL_SENDER_RECIPIENTS in mail-other-key,pgp1@example.com,pgp2@example.com-other,pgp3@example.com mail-decrypt-expired,pgp1@example.com,expiredpgp1@example.com,expiredpgp1@example.com mail-ocb,pgp1@example.com,ocbpgp1@example.com,pgp3@example.com
+# shellcheck disable=SC2042,SC2258
+for TEST_MAIL_SENDER_RECIPIENTS in mail-other-key,pgp1@example.com,pgp2@example.com-other,pgp3@example.com mail-decrypt-expired,pgp1@example.com,expiredpgp1@example.com,expiredpgp1@example.com mail-ocb,pgp1@example.com,ocbpgp1@example.com,pgp3@example.com mail-decrypt-bcc,pgp1@example.com,zammad@localhost,
 do
   TEST_MAIL=${TEST_MAIL_SENDER_RECIPIENTS%,*,*,*}
   EMAIL_ADDRESSES=${TEST_MAIL_SENDER_RECIPIENTS#*,}
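Review bot: The new `mail-decrypt-bcc,pgp1@example.com,zammad@localhost,` entry relies on its trailing comma, but nothing documents that. `${TEST_MAIL_SENDER_RECIPIENTS%,*,*,*}` needs three commas to strip, and the added SC2258 suppression silences the only tool that would point at it. Extend the existing warning with something like `# A trailing comma leaves the last address slot empty on purpose (mail-decrypt-bcc); SC2258 is disabled for that reason.` How the remaining fields end up as a Bcc-only message is decided in the loop body, which continues outside the hunk.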

+ 48 - 0
spec/fixtures/files/pgp/mail/mail-decrypt-bcc.box

@@ -0,0 +1,48 @@
+Date: Mon, 02 Dec 2024 15:33:52 +0100
+From: pgp1@example.com
+Bcc: zammad@localhost
+Message-ID: <64b697607eba9_133f1224c169a8@MBP-FL.fritz.box.mail>
+Mime-Version: 1.0
+Content-Type: multipart/encrypted;
+ boundary="--==_mimepart_64b6976080889_133f1224c171f3";
+ protocol="application/pgp-encrypted"
+Content-Transfer-Encoding: 7bit
+
+This is an OpenPGP/MIME encrypted message (RFC 3156)
+----==_mimepart_64b6976080889_133f1224c171f3
+Content-Type: application/pgp-encrypted
+Content-Transfer-Encoding: 7bit
+Content-Description: PGP/MIME Versions Identification
+
+Version: 1
+
+----==_mimepart_64b6976080889_133f1224c171f3
+Content-Type: application/octet-stream;
+ name=encrypted.asc
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline;
+ filename=encrypted.asc
+Content-Description: OpenPGP encrypted message
+Content-ID: <64b69760cfd14_133f1224c172d4@MBP-FL.fritz.box.mail>
+
+-----BEGIN PGP MESSAGE-----
+
+hQIMA1olhvIBk6KWAQ/9FSUMDjCdHxzZQUh0F+30G0iF87pLSo3m6nIVkI3Jl4Op
+mYMCVVY3cM4khtXEwP4gGaHIThlgqP0oIhfw4FiCLfNpfrf41IAAe/y/Go+ACpKU
+Fdcf04CRQNIeZZJuWeUDmQDMrQKH1tvG4yzC7RLU6JIAr8ARFnOydaiC7A9xh9B2
+yS76h+eZNyNMf5Ps3ACTG0xxWBmR3xctNxq4+w29E2sIVqwRlDnk8xkELsr1jhic
+d/3wKQmzcExhGRNwNdu9o1ueavXQHRRt5FcQX+fId2hX9GqQ3xBs6CERHdcGo1Pw
+FxV9XSr2zh0+5+xjgSg4/5TggS9AnU8zXvmOmOuS34tk3WU0zSGuTmCjL7A61XwV
+cy0cgaJxiC1CjtwUzqaZYXjlpih/qlJDMLAqmwo/Bpn+LnC7EDxGtK9Y1wf03ubf
+X6ITZIjjPtJvNE4Qr/4mHalp5SJxyOh/Z/PfSRg+xmHTXJbpkfy/J8sD4o4eLSgA
+xvcy45Tg96GWrGF/xeorJq9kHXcSPIBZySHRzOzDj7ImcFa+OWSVTO2DVB+I5JCh
+Qaf7fJGy+DFmL2Jc7fzDlImIP9W7e0M6AK/E7Dt8HBUd7eIbe3sm2Bdsqo3OzQht
+3/UGnR29O8fWr9GYYb8itvKX3pNObUTov4Z+a50r85O7fsqM5Ven7sc1CubmJszS
+ogF0qPs7a95zVvPGh8bC0AMhps2hXL0i08XQCaSyIlHeI/ZBTNFxM37194VkckRv
+HLlLOMgSspBGppPkaZZI9OgbdxvOxeYUJV2DhGmZJ84xy0FTR3s8mnwvn266b15n
+2tuhgf9UgiEff5mpgV8oRfBA7NwzMoMAJ8Z4HIckWCAIljiGzmEgClkZO7EPIJx1
+V5HBh+eC35Y3dyfnqs4GYAY/UA==
+=Kj01
+-----END PGP MESSAGE-----
+
+----==_mimepart_64b6976080889_133f1224c171f3--

+ 5 - 0
spec/fixtures/files/pgp/mail/mail-decrypt-bcc.message.box

@@ -0,0 +1,5 @@
+Content-Type: text/plain;
+ charset=UTF-8
+Content-Transfer-Encoding: base64
+
+VGVzdGluZyBzb21lIENvbnRlbnQ=

+ 26 - 0
spec/fixtures/files/pgp/mail/mail-decrypt-bcc.part1.box

@@ -0,0 +1,26 @@
+From: pgp1@example.com
+Bcc: zammad@localhost
+Message-ID: <64b697607eba9_133f1224c169a8@MBP-FL.fritz.box.mail>
+Mime-Version: 1.0
+Content-Type: multipart/encrypted;
+ boundary="--==_mimepart_64b6976080889_133f1224c171f3";
+ protocol="application/pgp-encrypted"
+Content-Transfer-Encoding: 7bit
+
+This is an OpenPGP/MIME encrypted message (RFC 3156)
+----==_mimepart_64b6976080889_133f1224c171f3
+Content-Type: application/pgp-encrypted
+Content-Transfer-Encoding: 7bit
+Content-Description: PGP/MIME Versions Identification
+
+Version: 1
+
+----==_mimepart_64b6976080889_133f1224c171f3
+Content-Type: application/octet-stream;
+ name=encrypted.asc
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline;
+ filename=encrypted.asc
+Content-Description: OpenPGP encrypted message
+Content-ID: <64b69760cfd14_133f1224c172d4@MBP-FL.fritz.box.mail>
+

+ 2 - 0
spec/fixtures/files/pgp/mail/mail-decrypt-bcc.part3.box

@@ -0,0 +1,2 @@
+
+----==_mimepart_64b6976080889_133f1224c171f3--

+ 16 - 0
spec/lib/secure_mailing/pgp_spec.rb

@@ -450,6 +450,22 @@ RSpec.describe SecureMailing::PGP, :aggregate_failures do
             end
           end
         end
+
+        context 'when recipient is bcc only' do
+          let(:mail) do
+            create(:pgp_key, :with_private, fixture: 'zammad@localhost')
+
+            # Import a mail which was created with bcc recipient only.
+            pgp_mail = Rails.root.join('spec/fixtures/files/pgp/mail/mail-decrypt-bcc.box').read
+
+            mail = Channel::EmailParser.new.parse(pgp_mail)
+            SecureMailing.incoming(mail)
+
+            mail
+          end
+
+          it_behaves_like 'decrypting message content'
+        end
       end
 
       context 'with no private key present' do
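Review bot: The new context only exercises a message with no To or Cc header at all, since the fixture carries `Bcc: zammad@localhost` as its sole recipient header. It does not cover the case where To names an unrelated address and Zammad appears only in Bcc. Whether `pgp_keys` returns an empty list or raises for an address without a stored key is not visible here, so that mixed case deserves its own example, e.g. `context 'when recipient is bcc and to holds an unrelated address' do` with a matching fixture. The enclosing `describe` block starts and ends outside the hunk.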