PGP signature format reader

In my project I need to verify PGP clear signed signatures using a corresponding public key. While I did manage to find code which does that (for example: https://github.com/cjmalloy/openbitpub/blob/64485d64a699eb6096f01b27d5f7e51dd726602f/src/main/java/com/cjmalloy/obp/server/pgp/PgpUtil.java), it operates on a low level and looks pretty horrible.

I was thinking, perhaps there exist some specialized parsers that can consume -----BEGIN PGP PUBLIC KEY BLOCK-----xxx-----END PGP PUBLIC KEY BLOCK----- and -----BEGIN PGP SIGNED MESSAGE-----xxx-----BEGIN PGP SIGNATURE-----xxx-----END PGP SIGNATURE----- blocks so I can check signatures in a more declarative way?

I've found the related PEMReader class from the bouncycastle.openssl package but nothing PGP-related so far.

> I was thinking, perhaps there exist some specialized parsers that can consume -----BEGIN PGP PUBLIC KEY BLOCK-----xxx-----END PGP PUBLIC KEY BLOCK----- and -----BEGIN PGP SIGNED MESSAGE-----xxx-----BEGIN PGP SIGNATURE-----xxx-----END PGP SIGNATURE----- blocks so I can check signatures in a more declarative way?

A parser will not be enough at all -- you will need to implement lots of OpenPGP-specific functions like symmetric key derivation from strings (for encrypted keys), handling of different types of asymmetric cryptography algorithms, hash sums, different kinds of packet nesting, ... -- at least you're not required to implement the OpenPGP CBC mode derivative as you don't require encryption (only signatures).

OpenPGP is much too complicated to write your own parser and crypto code; rely on existing libraries instead. In the end, with Java you've got two possible roads to follow:

> I've found the related PEMReader class from the bouncycastle.openssl package but nothing PGP-related so far.

You probably looked in the wrong BouncyCastle package. OpenPGP does not use keys in PEM format (which belongs to the X.509 standard), so this class will not be useful at all.
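The framing layer of a clear-signed message, as an added example that is not part of the answers above and is not BouncyCastle code. It follows the cleartext signature framework of RFC 4880 (section 7) and only recovers which bytes the signature covers and which hash is announced; checking `signedBytes` against `armoredSignature` is still left to an OpenPGP library. The class name, the sample input and the choice to reject any armor header other than `Hash` are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the thread): framing of an OpenPGP cleartext signature only.
public class ClearSignFraming {
    static final String BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----";
    static final String BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----";
    static final String END_SIG = "-----END PGP SIGNATURE-----";

    final List<String> hashHeaders = new ArrayList<>(); // values of the "Hash:" armor headers
    byte[] signedBytes;       // canonical text the signature is computed over
    String armoredSignature;  // signature block to hand to an OpenPGP library

    static ClearSignFraming parse(String input) {
        String[] lines = input.split("\r?\n", -1);
        int i = 0;
        while (i < lines.length && !lines[i].equals(BEGIN_MSG)) i++; // text before the block is unsigned
        if (i == lines.length) throw new IllegalArgumentException("no signed message block");
        ClearSignFraming r = new ClearSignFraming();
        for (i++; i < lines.length && !lines[i].isEmpty(); i++) {    // armor headers end at the empty line
            if (!lines[i].startsWith("Hash: ")) throw new IllegalArgumentException("unexpected header");
            r.hashHeaders.add(lines[i].substring(6).trim());
        }
        List<String> text = new ArrayList<>();
        for (i++; i < lines.length && !lines[i].equals(BEGIN_SIG); i++) {
            String l = lines[i].startsWith("- ") ? lines[i].substring(2) : lines[i]; // undo dash-escaping
            text.add(l.replaceAll("[ \t]+$", ""));                   // trailing whitespace is not signed
        }
        if (i >= lines.length) throw new IllegalArgumentException("no signature block");
        r.signedBytes = String.join("\r\n", text).getBytes(StandardCharsets.UTF_8); // CRLF, no final line ending
        StringBuilder sig = new StringBuilder();
        for (; i < lines.length; i++) {
            sig.append(lines[i]).append('\n');
            if (lines[i].equals(END_SIG)) { r.armoredSignature = sig.toString(); return r; }
        }
        throw new IllegalArgumentException("unterminated signature block");
    }

    public static void main(String[] args) {
        // Constructed sample; the signature body is a placeholder, not real signature data.
        String sample = "ignored preamble\n" + BEGIN_MSG + "\nHash: SHA256\n\n"
                + "- -- dash-escaped line  \nsecond line\n"
                + BEGIN_SIG + "\n\n<base64 placeholder>\n" + END_SIG + "\nignored trailer\n";
        ClearSignFraming r = parse(sample);
        System.out.println(r.hashHeaders);
        System.out.println(new String(r.signedBytes, StandardCharsets.UTF_8).replace("\r\n", "|"));
    }
}
```

Anything outside the two markers, such as the preamble and trailer in the sample, is not covered by the signature and should not be shown to a user as verified content.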

I came across the same situation some time back.

This was resolved by using the bouncy castle dependency and by using the method

decryptAndVerify(InputStream in, OutputStream fOut, InputStream publicKeyIn, InputStream keyIn, char[] passwd)

in PGP util class

The commercial OpenPGP Library for Java offers a convenient API for verifying clear text signatures. Sample code is:

import com.didisoft.pgp.*;

public class VerifyFile {
    public static void main(String[] args) throws Exception {
        // create an instance of the library
        PGPLib pgp = new PGPLib();

        // verify and extract the signed content
        SignatureCheckResult signatureCheck = pgp.verifyAndExtract("signed.pgp", "sender_public_key.asc", "OUTPUT.txt");
        if (signatureCheck == SignatureCheckResult.SignatureVerified) {
            System.out.println("The signature is valid.");
        } else if (signatureCheck == SignatureCheckResult.SignatureBroken) {
            System.out.println("Message corrupted or signature forged");
        } else if (signatureCheck == SignatureCheckResult.PublicKeyNotMatching) {
            System.out.println("Signature not matching provided public key (the message is from another sender)");
        } else {
            System.out.println("No signature found in message");
        }
    }
}

Disclaimer: I work for DidiSoft.
