signature

The Legion of the Bouncy Castle – Listing Public Key Certifications

Posted on Updated on

Instead of calling this post Part 6, I’ve decided to just give them nice and descriptive names from now on.

When managing your PGP Keys you often need to know who you trust and who you do not trust. All we need is the public key file (ASCII armored or binary). I have nested the operation in 3 different methods, mainly done for readability.

public void listPublicKeyCertifications() {
	String keysDir = System.getProperty("user.dir")+File.separator+"src/george/crypto/pgp/keys";
	File publicKeyFile = new File(keysDir+File.separator+"MrBilly.asc");
	
	try {
		System.out.println("The public key was certified by: ");	
		List<String> keyIds = listCertifications(publicKeyFile);
		for (String keyId : keyIds) {
			System.out.println("\t"+keyId);
		}
	}
	catch(Exception ex) {
		ex.printStackTrace();
	}
}

public static final List<String> listCertifications(File publicKeyFile) throws IOException {
	FileInputStream keyInputStream = new FileInputStream(publicKeyFile);
	List<String> keyIds = getCertifications(keyInputStream);
	return keyIds;
}

private static final List<String> getCertifications(InputStream input) throws IOException
{
	List<String> keyIds = new ArrayList<String>();
	
	PGPPublicKeyRing pgpPubRing = new PGPPublicKeyRing(PGPUtil.getDecoderStream(input), new JcaKeyFingerprintCalculator());
	PGPPublicKey pubKey = pgpPubRing.getPublicKey();
	
	@SuppressWarnings("unchecked")
	Iterator<PGPSignature> sigIter = pubKey.getSignatures();
	while(sigIter.hasNext()) {
		PGPSignature pgpSig = sigIter.next();
		long keyId = pgpSig.getKeyID();
		keyIds.add(Long.toHexString(keyId).toUpperCase());
	}
	
	return keyIds;
}

Read the rest of this entry »

PGP Cryptography With The Legion of the Bouncy Castle – Part 5

Posted on

We’re back! Back to PGP Cryptography tutorials!! Because when I want to learn something new I learn faster by writing a tutorial about it, sharing code and receiving feedback.

So in Part 4 I apologized that I did not have a lot of time and just showed how to integrate Bouncy Castle with Android by using SpongyCastle. Now I will go through how to generate and verify detached signatures. This has become important since Part 2 did teach how to sign and verify files, but the signature was embedded inside the file. Though this works, it did not work when trying to verify the file using a regular program like GPG / Kleopatra. Also not all PGP clients support ZLIB compression which could break compatibility. So I decided that the need to generate detached signatures was important.

Continuing with the previous examples we have the PGPTools file which I wrote to make cryptography easier with BC (Full source can be found here). Generating a detached signature file needs the following:

  • The file you want to sign
  • The name of signature file that will be generated
  • The PGP Key ring that contains your secret and public keys

Another interesting thing to know to go by is the naming convention of these files. Most programs look for it and makes it easier for the user to utilize and for programs to find. Supposed there is a file called “TheFile.txt”, below is how the signature file would be named:

  • ASCII Armored Signature: TheFile.txt.asc
  • Binary Signature: TheFile.txt.sig

This is not mandatory, but a nice convention to follow.

Read the rest of this entry »

PGP Cryptography With The Legion of the Bouncy Castle – Part 2

Posted on Updated on

In part 1 I went over PGP Key pair generation, DSA/El Gamal key pairs to be exact, and how we can generate them using the Legion of the Bouncy Castle cryptography API. These key pairs can be imported directly into PGP for use or used programmatically via the Bouncy Castle API.

OK, so now that we know how to generate our PGP key pair we now will learn how to digitally sign and verify files. Signing files allows our recipient to verify the authenticity of the origin of the file we send them. It also verifies the integrity of the file as well.

Signing a file

  • PGP Private Key of sender
  • Private Key Passphrase

Verifying a file

  • Public Key of sender

To make a developers life easier I’ve decided to create a static class called PGPCryptoTools which include the sign and verify methods. One just has to send the appropriate parameters (as shown in the bullet points above) to sign and verify files.

Read the rest of this entry »