
PGP, verify signature on a certificate

I'm developing a simple Java code that, using BouncyCastle v1.51, opens a PGP public key and verifies the signatures contained in it. Currently, I'm able to load the public key and to iterate through all the signatures. However, the verification always returns "false", even if I test the signature using the public key that corresponds to the private key that produced the signature.

This is my code:

    try {
        PGPPublicKey pkey = PGPEncryptionUtils.readPublicKey(new FileInputStream(new File(HOME_DIR + "to_verify")));
        Iterator it = pkey.getSignatures();

        PGPPublicKey signing_key = PGPEncryptionUtils.readPublicKey(
                new FileInputStream(new File(HOME_DIR + "my_public_key")));

        while (it.hasNext()) {
            PGPSignature sig = (PGPSignature) it.next();
            sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), signing_key);
            // Here I'd expect to see at least a "true".
            println(sig.verify());
        }

    } catch (FileNotFoundException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (PGPException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

The code for readPublicKey is taken from here: https://github.com/damico/OpenPgp-BounceCastle-Example/blob/master/src/org/jdamico/bc/openpgp/utils/PgpHelper.java .

What am I doing wrong? Thank you!

I don't have experience with PGPSignatures; however, to verify a signature in public key cryptography you need three things:

  1. The signature.
  2. The publicKey.
  3. The original message which is supposed to be signed.

In your example the original message is missing; you need to provide the original message which was signed through the PGPSignature.update(byte[]) method, so your code must look something like:

    while (it.hasNext()) {
        PGPSignature sig = (PGPSignature) it.next();
        sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), signing_key);

        // here you need the original message
        sig.update("signature original message".getBytes());

        // now you can try to verify!
        println(sig.verify());
    }

Hope this helps,
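
For the signatures stored on a public key (certifications), the signed data is the certified key together with its user ID, and BouncyCastle supplies both through `PGPSignature.verifyCertification(String, PGPPublicKey)`. The following is an added example, not code from the original question or answer; the class and method names are hypothetical. It assumes both files are exported public keys whose first key is the primary key, passed as the two command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.util.Iterator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;

public class VerifyKeyCertifications { // hypothetical class name
    // Returns the primary key of the first key ring in an exported key file.
    static PGPPublicKey readPrimaryKey(String path) throws Exception {
        try (InputStream in = PGPUtil.getDecoderStream(new FileInputStream(path))) {
            PGPPublicKeyRingCollection rings =
                    new PGPPublicKeyRingCollection(in, new JcaKeyFingerprintCalculator());
            return ((PGPPublicKeyRing) rings.getKeyRings().next()).getPublicKey();
        }
    }

    // Counts the user ID certifications on 'target' that verify under 'signer'.
    static int countValidCertifications(PGPPublicKey target, PGPPublicKey signer) throws Exception {
        int valid = 0;
        for (Iterator<?> ids = target.getUserIDs(); ids.hasNext();) {
            String userId = (String) ids.next();
            Iterator<?> sigs = target.getSignaturesForID(userId); // may be null
            while (sigs != null && sigs.hasNext()) {
                PGPSignature sig = (PGPSignature) sigs.next();
                if (sig.getKeyID() != signer.getKeyID()) continue; // issued by another key
                sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), signer);
                // Hashes the certified key and user ID, then checks the signature.
                if (sig.verifyCertification(userId, target)) {
                    valid++;
                }
            }
        }
        return valid;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        PGPPublicKey target = readPrimaryKey(args[0]); // key carrying the signatures
        PGPPublicKey signer = readPrimaryKey(args[1]); // key expected to have made them
        System.out.println(countValidCertifications(target, signer) + " valid certification(s)");
    }
}
```

Skipping signatures whose issuer key ID differs from the signer's keeps third-party certifications from being reported as failures of the key under test.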
