Sign and Encrypt

Examples ›› Programs ››
Parent Previous Next

OpenPGP signing and encrypting in one pass is the most secure way by which we can send encrypted data. We sign the file with our private key and encrypt it with the public key of the person to whom we are sending the message. This way the encrypted file can be read only by the recipient and she can tell with absolute assurance that it was you who sent the message.


The examples below demonstrate in practice how to achieve this with OpenPGP Library for Java.


1) Sign and encrypt file with keys located in files


This example intentionally sets the parameter withIntegrityCheck to false, as integrity check information is not supported by PGP (r) 6.5 and prior versions, and if you do not know for sure what OpenPGP software your partners are using, it is better to avoid this feature.


import com.didisoft.pgp.PGPLib;

public class SignAndEncryptFile {

public static void main(String[] args) throws Exception{

  // create an instance of the library

  PGPLib pgp = new PGPLib();

  // should output be ASCII or binary

  boolean asciiArmor = false;

  // should integrity check information be added

  boolean withIntegrityCheck = false;

  // sign and encrypt

  pgp.signAndEncryptFile("INPUT.txt",

                       "our_private_key.asc",

                       "private_key_pass_phrase",

                       "recipient_public_key.asc",

                       "encrypted.pgp",

                       asciiArmor,

                       withIntegrityCheck);

}

}


2) Sign and encrypt file with keys located in a KeyStore


This example is equivalent to the above one except that the encryption (public) key of the receiver has been imported to a KeyStore and our secret key has either been generated or imported in the same KeyStore object.


import com.didisoft.pgp.KeyStore;

import com.didisoft.pgp.PGPLib;

public class KeystoreSignAndEncryptFile {

public static void main(String[] args) throws Exception{

  // create an instance of the KeyStore

  KeyStore keyStore = new KeyStore("pgp.keystore", "changeit");                

  // create an instance of the library

  PGPLib pgp = new PGPLib();

  // is output ASCII or binary

  boolean asciiArmor = false;

  // should integrity check information be appended

  boolean withIntegrityCheck = false;

  // The signing key is usually our private key

  String signUserId = "demo@didisoft.com";

  String signKeyPassword = "changeit";

  // the User Id of the recipient, this

  // example assumes her public key is

  // already imported in the KeyStore file

  String encUserId = "recipient@company.com";

  pgp.signAndEncryptFile("INPUT.txt",

                       keyStore,

                       signUserId,

                       signKeyPassword,

                       encUserId,

                       "encrypted.pgp",

                       asciiArmor,

                       withIntegrityCheck);

}

}


3) Sign and encrypt input stream with keys located in files


We can sign and encrypt an input stream source too.


The second parameter of this method is often misunderstood. Although the encrypted data is stored in an output stream, the OpenPGP data format stores in addition to the encrypted bytes a file name string associated with them, so we are forced to set an additional artificial file name label.


import java.io.FileInputStream;

import java.io.FileOutputStream;

import java.io.InputStream;

import java.io.OutputStream;

import com.didisoft.pgp.PGPLib;

public class SignAndEncryptStream {

public static void main(String[] args) throws Exception{

  // initialize the library

  PGPLib pgp = new PGPLib();

  // is output ASCII or binary

  boolean asciiOutput = true;

  // should integrity check information be appended

  boolean withIntegrityCheck = true;

  // recipient public key as stream

  InputStream recipientPublicKeyStream =

      new FileInputStream("recipient_public_key.asc");

  // private signing key as stream

  InputStream privateKeyStream =

      new FileInputStream("our_private_key.asc");

  String privateKeyPassword = "changeit";

  // input stream to be encrypted

  InputStream inputStream = new FileInputStream("INPUT.txt");

  // encrypted output destination

  OutputStream encryptedOutStream =

      new FileOutputStream("encrypted.pgp");

  // Here "INPUT.txt" is just a string to be written in

  // the message OpenPGP packet which stored

  // file name label, timestamp, and the actual data bytes

  pgp.signAndEncryptStream(inputStream,

                           "INPUT.txt",

                            privateKeyStream,

                            privateKeyPassword,

                            recipientPublicKeyStream,

                            encryptedOutStream,

                            asciiOutput,

                            withIntegrityCheck);

}

}


4) Sign and encrypt input stream with keys located in a KeyStore


This example is equivalent to the above one, except the keys are located in a KeyStore.


import java.io.FileInputStream;

import java.io.FileOutputStream;

import java.io.InputStream;

import java.io.OutputStream;

import com.didisoft.pgp.KeyStore;

import com.didisoft.pgp.PGPLib;

public class KeyStoreSignAndEncryptStream {

public static void main(String[] args) throws Exception{

 // create an instance of the KeyStore

 KeyStore keyStore =

    new KeyStore("pgp.keystore", "changeit");                

 // create an instance of the library

 PGPLib pgp = new PGPLib();

 // is output ASCII or binary

 boolean asciiArmor = true;

 // should integrity check information be added

 boolean withIntegrityCheck = true;

 // The signing key is usually our private key

 String signUserId = "demo@didisoft.com";

 String signKeyPassword = "changeit";

 // the User Id of the recipient, this

 // example assumes her public key is

 // already imported in the KeyStore file

 String encUserId = "recipient@company.com";

 InputStream dataStream = new FileInputStream("INPUT.txt");

 // this parameter is just a label that is associated with

 // the encrypted content in the OpenPGP archive

 String encryptedContentLabel = "INPUT.txt";

 // create the output stream

 OutputStream encryptedStream =

    new FileOutputStream("encrypted.pgp");

 pgp.signAndEncryptStream(dataStream,

                       encryptedContentLabel,

                       keyStore,

                       signUserId,

                       signKeyPassword,

                       encUserId,

                       encryptedStream,

                       asciiArmor,

                       withIntegrityCheck);

}

}


All of the above mentioned examples produce signatures in OpenPGP version 4 format, which is the current format. Some OpenPGP compatible software systems can expect digital signatures in the older version 3 format, although this is a very rare case. To produce version 3 signatures you can either use the examples above and replace the signAndEncrypt methods with the ones that end with Version3 or see the examples from the Examples folder in the library distribution package.


5) Exception Handling


The quick exception handling of the signAndEncrypt set of methods is to catch only java.io.IOException and com.didisoft.pgp.PGPException.


A more thorough exception handling technique is to catch a few sub classes of PGPException before actually catching PGPException. The example below illustrates which exceptions shall we expect:


import java.io.IOException;

import com.didisoft.pgp.*;

import com.didisoft.pgp.exceptions.*;

public class ExceptionHandlingDemo {

public static void main(String[] a) {

  PGPLib pgp = new PGPLib();

  try {

   pgp.signAndEncrypt...

  } catch (IOException e) {

   // error reading input or writing output

  } catch (NoPrivateKeyFoundException e) {

   // if the passed private key does not contain a private key or is corrupted

  } catch (WrongPasswordException e) {

   // the password for the provided private key is wrong

  } catch (NoPublicKeyFoundException e) {

   // if the supplied public key source does not contain a public key

   // or it is corrupted

  } catch (KeyIsExpiredException e) {

    // the supplied public key is expired

  } catch (KeyIsRevokedException e) {

    // the supplied public key is revoked  

  } catch (PGPException e) {

   // general decryption error not among the above ones

  }

}

}