OpenPGP signing and encrypting in one pass is the most secure way by which we can send encrypted data. We sign the file with our private key and encrypt it with the public key of the person to whom we are sending the message. This way the encrypted file can be read only by the recipient and she can tell with absolute assurance that it was you who sent the message.
The examples below demonstrate in practice how to achieve this with OpenPGP Library for Java.
1) Sign and encrypt file with keys located in files
This example intentionally sets the parameter withIntegrityCheck to false, as integrity check information is not supported by PGP (r) 6.5 and prior versions, and if you do not know for sure what OpenPGP software your partners are using, it is better to avoid this feature.
import com.didisoft.pgp.PGPLib;
public class SignAndEncryptFile {
public static void main(String[] args) throws Exception{
// create an instance of the library
PGPLib pgp = new PGPLib();
// should output be ASCII or binary
boolean asciiArmor = false;
// should integrity check information be added
boolean withIntegrityCheck = false;
// sign and encrypt
pgp.signAndEncryptFile("INPUT.txt",
"our_private_key.asc",
"private_key_pass_phrase",
"recipient_public_key.asc",
"encrypted.pgp",
asciiArmor,
withIntegrityCheck);
}
}
2) Sign and encrypt file with keys located in a KeyStore
This example is equivalent to the above one except that the encryption (public) key of the receiver has been imported to a KeyStore and our secret key has either been generated or imported in the same KeyStore object.
import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.PGPLib;
public class KeystoreSignAndEncryptFile {
public static void main(String[] args) throws Exception{
// create an instance of the KeyStore
KeyStore keyStore = new KeyStore("pgp.keystore", "changeit");
// create an instance of the library
PGPLib pgp = new PGPLib();
// is output ASCII or binary
boolean asciiArmor = false;
// should integrity check information be appended
boolean withIntegrityCheck = false;
// The signing key is usually our private key
String signUserId = "demo@didisoft.com";
String signKeyPassword = "changeit";
// the User Id of the recipient, this
// example assumes her public key is
// already imported in the KeyStore file
String encUserId = "recipient@company.com";
pgp.signAndEncryptFile("INPUT.txt",
keyStore,
signUserId,
signKeyPassword,
encUserId,
"encrypted.pgp",
asciiArmor,
withIntegrityCheck);
}
}
3) Sign and encrypt input stream with keys located in files
We can sign and encrypt an input stream source too.
The second parameter of this method is often misunderstood. Although the encrypted data is stored in an output stream, the OpenPGP data format stores in addition to the encrypted bytes a file name string associated with them, so we are forced to set an additional artificial file name label.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import com.didisoft.pgp.PGPLib;
public class SignAndEncryptStream {
public static void main(String[] args) throws Exception{
// initialize the library
PGPLib pgp = new PGPLib();
// is output ASCII or binary
boolean asciiOutput = true;
// should integrity check information be appended
boolean withIntegrityCheck = true;
// recipient public key as stream
InputStream recipientPublicKeyStream =
new FileInputStream("recipient_public_key.asc");
// private signing key as stream
InputStream privateKeyStream =
new FileInputStream("our_private_key.asc");
String privateKeyPassword = "changeit";
// input stream to be encrypted
InputStream inputStream = new FileInputStream("INPUT.txt");
// encrypted output destination
OutputStream encryptedOutStream =
new FileOutputStream("encrypted.pgp");
// Here "INPUT.txt" is just a string to be written in
// the message OpenPGP packet which stored
// file name label, timestamp, and the actual data bytes
pgp.signAndEncryptStream(inputStream,
"INPUT.txt",
privateKeyStream,
privateKeyPassword,
recipientPublicKeyStream,
encryptedOutStream,
asciiOutput,
withIntegrityCheck);
}
}
4) Sign and encrypt input stream with keys located in a KeyStore
This example is equivalent to the above one, except the keys are located in a KeyStore.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.PGPLib;
public class KeyStoreSignAndEncryptStream {
public static void main(String[] args) throws Exception{
// create an instance of the KeyStore
KeyStore keyStore =
new KeyStore("pgp.keystore", "changeit");
// create an instance of the library
PGPLib pgp = new PGPLib();
// is output ASCII or binary
boolean asciiArmor = true;
// should integrity check information be added
boolean withIntegrityCheck = true;
// The signing key is usually our private key
String signUserId = "demo@didisoft.com";
String signKeyPassword = "changeit";
// the User Id of the recipient, this
// example assumes her public key is
// already imported in the KeyStore file
String encUserId = "recipient@company.com";
InputStream dataStream = new FileInputStream("INPUT.txt");
// this parameter is just a label that is associated with
// the encrypted content in the OpenPGP archive
String encryptedContentLabel = "INPUT.txt";
// create the output stream
OutputStream encryptedStream =
new FileOutputStream("encrypted.pgp");
pgp.signAndEncryptStream(dataStream,
encryptedContentLabel,
keyStore,
signUserId,
signKeyPassword,
encUserId,
encryptedStream,
asciiArmor,
withIntegrityCheck);
}
}
All of the above mentioned examples produce signatures in OpenPGP version 4 format, which is the current format. Some OpenPGP compatible software systems can expect digital signatures in the older version 3 format, although this is a very rare case. To produce version 3 signatures you can either use the examples above and replace the signAndEncrypt methods with the ones that end with Version3 or see the examples from the Examples folder in the library distribution package.
5) Exception Handling
The quick exception handling of the signAndEncrypt set of methods is to catch only java.io.IOException and com.didisoft.pgp.PGPException.
A more thorough exception handling technique is to catch a few sub classes of PGPException before actually catching PGPException. The example below illustrates which exceptions shall we expect:
import java.io.IOException;
import com.didisoft.pgp.*;
import com.didisoft.pgp.exceptions.*;
public class ExceptionHandlingDemo {
public static void main(String[] a) {
PGPLib pgp = new PGPLib();
try {
pgp.signAndEncrypt...
} catch (IOException e) {
// error reading input or writing output
} catch (NoPrivateKeyFoundException e) {
// if the passed private key does not contain a private key or is corrupted
} catch (WrongPasswordException e) {
// the password for the provided private key is wrong
} catch (NoPublicKeyFoundException e) {
// if the supplied public key source does not contain a public key
// or it is corrupted
} catch (KeyIsExpiredException e) {
// the supplied public key is expired
} catch (KeyIsRevokedException e) {
// the supplied public key is revoked
} catch (PGPException e) {
// general decryption error not among the above ones
}
}
}