使用BouncyCastle Java API进行PGP签名并使用gpg4win进行验证不起作用
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了使用BouncyCastle Java API进行PGP签名并使用gpg4win进行验证不起作用相关的知识,希望对你有一定的参考价值。
我正在使用BouncyCastle API签名文件。我正在使用bcpg-jdk15on-164.jar,bcprov-jdk15on-164.jar和bcprov-ext-jdk15on-164.jar。
我正在按照他们的示例签名文本文件。对文件签名后,当我更改文本文件中的内容并尝试使用Gpg4Win进行验证时,我仍然看到签名有效,但是没有迹象表明无法验证该文件。
我为同一个文本文件创建了两个签名。一个使用下面的代码生成.asc文件,另一个使用Gpg4Win生成.sig文件。然后,我修改了文本文件。我双击了每个签名,在这些签名中,由于生成签名后文件被更改,我希望签名变得无效。但是,BouncyCastle生成的签名仍然不表示该文件已被更改,如图中所示。 BouncyCastle签名显示为绿色,而Gpg4Win生成的签名显示为红色。图片:Verifying BouncyCastle signature vs GPG4Win signature
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
import java.security.SignatureException;
import java.util.Iterator;
import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.bcpg.BCPGOutputStream;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPCompressedData;
import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPLiteralData;
import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
import org.bouncycastle.openpgp.PGPOnePassSignature;
import org.bouncycastle.openpgp.PGPOnePassSignatureList;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
/**
* A simple utility class that signs and verifies files.
* <p>
* To sign a file: SignedFileProcessor -s [-a] fileName secretKey passPhrase.<br>
* If -a is specified the output file will be "ascii-armored".
* <p>
* To decrypt: SignedFileProcessor -v fileName publicKeyFile.
* <p>
* <b>Note</b>: this example will silently overwrite files, nor does it pay any attention to
* the specification of "_CONSOLE" in the filename. It also expects that a single pass phrase
* will have been used.
* <p>
* <b>Note</b>: the example also makes use of PGP compression. If you are having difficulty getting it
* to interoperate with other PGP programs try removing the use of compression first.
*/
public class SignedFileProcessor
/**
* Generate an encapsulated signed file.
*
* @param fileName
* @param keyIn
* @param out
* @param pass
* @param armor
* @throws IOException
* @throws NoSuchAlgorithmException
* @throws NoSuchProviderException
* @throws PGPException
* @throws SignatureException
*/
private static void signFile(
String fileName,
InputStream keyIn,
OutputStream out,
char[] pass,
boolean armor)
throws IOException, NoSuchAlgorithmException, NoSuchProviderException, PGPException, SignatureException
if (armor)
out = new ArmoredOutputStream(out);
PGPSecretKey pgpSec = readSecretKey(keyIn);
PGPPrivateKey pgpPrivKey = pgpSec.extractPrivateKey(new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(pass));
PGPSignatureGenerator sGen = new PGPSignatureGenerator(new JcaPGPContentSignerBuilder(pgpSec.getPublicKey().getAlgorithm(), PGPUtil.SHA1).setProvider("BC"));
sGen.init(PGPSignature.BINARY_DOCUMENT, pgpPrivKey);
Iterator it = pgpSec.getPublicKey().getUserIDs();
if (it.hasNext())
PGPSignatureSubpacketGenerator spGen = new PGPSignatureSubpacketGenerator();
spGen.setSignerUserID(false, (String)it.next());
sGen.setHashedSubpackets(spGen.generate());
PGPCompressedDataGenerator cGen = new PGPCompressedDataGenerator(PGPCompressedData.ZLIB);
BCPGOutputStream bOut = new BCPGOutputStream(cGen.open(out));
sGen.generateOnePassVersion(false).encode(bOut);
File file = new File(fileName);
PGPLiteralDataGenerator lGen = new PGPLiteralDataGenerator();
OutputStream lOut = lGen.open(bOut, PGPLiteralData.BINARY, file);
FileInputStream fIn = new FileInputStream(file);
int ch;
while ((ch = fIn.read()) >= 0)
lOut.write(ch);
sGen.update((byte)ch);
lGen.close();
sGen.generate().encode(bOut);
cGen.close();
if (armor)
out.close();
public static void main(
String[] args)
throws Exception
Security.addProvider(new BouncyCastleProvider());
String rootFolder = System.getProperty("user.dir");
String fileName = rootFolder + "\\files\\helloworld.txt";
FileInputStream keyIn = new FileInputStream(rootFolder + "\\files\\sign-and-encrypt_priv.asc");
FileOutputStream out = new FileOutputStream(fileName + ".asc");
signFile(fileName, keyIn, out, "hongkong".toCharArray(), true);
System.out.println("DONE");
/**
* A simple routine that opens a key ring file and loads the first available key
* suitable for signature generation.
*
* @param input stream to read the secret key ring collection from.
* @return a secret key.
* @throws IOException on a problem with using the input stream.
* @throws PGPException if there is an issue parsing the input stream.
*/
static PGPSecretKey readSecretKey(InputStream input) throws IOException, PGPException
PGPSecretKeyRingCollection pgpSec = new PGPSecretKeyRingCollection(
PGPUtil.getDecoderStream(input), new JcaKeyFingerprintCalculator());
//
// we just loop through the collection till we find a key suitable for encryption, in the real
// world you would probably want to be a bit smarter about this.
//
Iterator keyRingIter = pgpSec.getKeyRings();
while (keyRingIter.hasNext())
PGPSecretKeyRing keyRing = (PGPSecretKeyRing)keyRingIter.next();
Iterator keyIter = keyRing.getSecretKeys();
while (keyIter.hasNext())
PGPSecretKey key = (PGPSecretKey)keyIter.next();
if (key.isSigningKey())
return key;
throw new IllegalArgumentException("Can't find signing key in key ring.");
我想念的是什么? BouncyCastle使用上面的代码生成的签名是否有效,以确保文件及其签名的完整性?我尝试了BouncyCastle的早期版本(版本150),也尝试不使用BCPGOutputStream流,但这也没有帮助。
答案
如下更改了signFile,创建了一个分离的签名,该签名与Gpg4Win一起正常工作:
private static void signFile(
String fileName,
InputStream keyIn,
OutputStream out,
char[] pass,
boolean armor)
throws IOException, NoSuchAlgorithmException, NoSuchProviderException, PGPException, SignatureException
if (armor)
out = new ArmoredOutputStream(out);
PGPSecretKey pgpSec = readSecretKey(keyIn);
PGPPrivateKey pgpPrivKey = pgpSec.extractPrivateKey(new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(pass));
PGPSignatureGenerator sGen = new PGPSignatureGenerator(new JcaPGPContentSignerBuilder(pgpSec.getPublicKey().getAlgorithm(), PGPUtil.SHA1).setProvider("BC"));
sGen.init(PGPSignature.BINARY_DOCUMENT, pgpPrivKey);
BCPGOutputStream bOut = new BCPGOutputStream(out);
InputStream fIn = new BufferedInputStream(new FileInputStream(fileName));
int ch;
while ((ch = fIn.read()) >= 0)
sGen.update((byte)ch);
fIn.close();
sGen.generate().encode(bOut);
if (armor)
out.close();
以上是关于使用BouncyCastle Java API进行PGP签名并使用gpg4win进行验证不起作用的主要内容,如果未能解决你的问题,请参考以下文章
向证书请求添加属性,java + bouncycastle 1.48
Java 中带有 bouncycastle 的 PBKDF2
使用 BouncyCastle 不推荐使用的方法进行贝宝按钮加密的 Java 代码 - 如何修复?
ECDSA 使用 BouncyCastle 签名并使用 Crypto++ 进行验证