OpenPGP Library for Java News

Articles related to DidiSoft OpenPGP Library for Java

Maven repository

After years we have finally taken the step to offer a private Maven repository for DidiSoft OpenPGP Library for Java.

The traditional way of downloading new versions from our customers’ section will remain as well, but for development teams that rely on Maven as their build tool, switching to a newer version of the library will be just a matter of changing the version number in their pom.xml.

That is why we have released version 3.1.2.1, which is simply a mavenized 3.1.1.10. If you wish to switch to the Maven integration described below, you have to start from the new version 3.1.2.1.

Maven Integration how-to

In your ~/.m2/settings.xml you have to specify your login credentials (the same email and password used for accessing our customers’ section):

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
    ...
    <servers>
        <server>
            <!-- must match the repository id used in pom.xml -->
            <id>didisoft-repository</id>
            <username>email address for accessing DidiSoft Customers section</username>
            <password>password for accessing DidiSoft Customers section</password>
        </server>
    </servers>
    ...
</settings>

And in your project pom.xml you have to define the URL of our repository:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    ...
    <repositories>
        <repository>
            <id>didisoft-repository</id>
            <url>https://didisoft.com/repox/</url>
        </repository>
    </repositories>
    ...
</project>

The final step is to actually define the pgplib JAR file as a dependency in your project pom.xml:

    <dependencies>
        <dependency>
            <groupId>com.didisoft</groupId>
            <artifactId>pgplib</artifactId>
            <version>3.1.2.1</version>
        </dependency>
    </dependencies>

Specifying only the version of the pgplib JAR is enough; the matching versions of our shaded BouncyCastle JARs will be downloaded as transitive dependencies.

Shaded BouncyCastle

The BouncyCastle JAR files that we use are a shaded version of the original BouncyCastle jars but with the org.bouncycastle package naming changed to lw.bouncycastle (this is in order to avoid class loading collisions).

Acknowledgements

A great part of this effort was made with the help of Mykel Alvis from Cotivity.


Long Hex Key IDs in OpenPGP Library for Java

Following the recent reports of faked copies of Linus Torvalds’ public key, where an attacker supplied a key whose Key ID had the same lower 4 bytes (the same short hexadecimal Key ID), we have updated DidiSoft OpenPGP Library for Java to provide full support for long Key IDs.

What is a short Key ID

A short Key ID consists of the low 4 bytes of the real Key ID, which is of type java.lang.Long and is 8 bytes long. The threat is that someone generates keys until one has the same lower 4 bytes as your key. Command line PGP and GnuPG tools are usually used by specifying the short Key ID, like:

gpg --encrypt --recipient A3B26901

With our library you can specify a key by its hexadecimal Key ID everywhere a KeyStore and User ID parameter are expected. For example:

PGPLib pgp = new PGPLib();
KeyStore ks = new KeyStore("my.keystore", "keystore pass");
boolean asciiArmor = true;
String shortKeyID = "A3B26901";
pgp.encryptFile("data.txt", ks, shortKeyID, "data.pgp", asciiArmor);

As of version 3.1.1.8 we can use long Key IDs as well:

PGPLib pgp = new PGPLib();
KeyStore ks = new KeyStore("my.keystore", "keystore pass");
boolean asciiArmor = true;
// a long Key ID is 16 hex digits (8 bytes); its low 4 bytes are the short Key ID from the previous example
String longKeyID = "B21345CAA3B26901";
pgp.encryptFile("data.txt", ks, longKeyID, "data.pgp", asciiArmor);
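To make the collision concrete, here is an added example (not from the original post, and independent of the library) that resolves a hex Key ID against a constructed keyring in which two keys deliberately share the low 4 bytes; it shows why an 8-digit ID can match more than one key while the 16-digit one cannot. The keyring contents and user IDs are constructed sample values.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class KeyIdResolver {
    // Constructed sample keyring: 64-bit Key ID -> user ID. Both entries share
    // the low 4 bytes A3B26901, i.e. they have the same short Key ID.
    static final Map<Long, String> KEYRING = new LinkedHashMap<>();
    static {
        KEYRING.put(0xB21345CAA3B26901L, "alice@example.com");    // constructed
        KEYRING.put(0x7C0E1F99A3B26901L, "impostor@example.com"); // constructed collision
    }

    /** Full 16-hex-digit Key ID (8 bytes), rendered unsigned from the Java long. */
    static String longHex(long keyId) { return String.format("%016X", keyId); }

    /** Short 8-hex-digit Key ID: the low 4 bytes of the long one. */
    static String shortHex(long keyId) { return String.format("%08X", (int) keyId); }

    /** Returns every keyring entry whose ID matches the given 8- or 16-digit hex string. */
    static List<Long> resolve(String hexId) {
        List<Long> hits = new ArrayList<>();
        if (hexId.length() == 16) {
            long wanted = Long.parseUnsignedLong(hexId, 16);
            if (KEYRING.containsKey(wanted)) hits.add(wanted);
        } else if (hexId.length() == 8) {
            int wanted = Integer.parseUnsignedInt(hexId, 16);
            // a short ID only constrains the low 32 bits, so every key with those bits matches
            for (long id : KEYRING.keySet()) if ((int) id == wanted) hits.add(id);
        } else {
            throw new IllegalArgumentException("Key ID must be 8 or 16 hex digits: " + hexId);
        }
        return hits;
    }

    public static void main(String[] args) {
        List<Long> byShort = resolve("A3B26901");
        System.out.println("short ID matches " + byShort.size() + " key(s)");
        for (long id : byShort)
            System.out.println("  " + longHex(id) + " (" + shortHex(id) + ") " + KEYRING.get(id));
        if (byShort.size() > 1)
            System.out.println("ambiguous short Key ID; refusing to pick a recipient, use the long form");
        List<Long> byLong = resolve("B21345CAA3B26901");
        System.out.println("long ID matches " + byLong.size() + " key(s): " + KEYRING.get(byLong.get(0)));
    }
}
```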

OpenPGP Library for Java 3.1.1 has been released

DidiSoft OpenPGP Library for Java version 3.1.1 has been released.

This version brings improved speed for generating Diffie-Hellman (DH/DSS) keys, ability to add and remove sub keys and a new KeyStore.importKey method.

Speed of DH/DSS key creation

Until now, the time needed by default for generating an ElGamal (Diffie-Hellman) based OpenPGP key with the library was impractically long, and for key sizes greater than 2048 bits it was not suitable for a real-world application.

As of version 3.1.1 the library by default uses the public values for the p and g components of the Diffie-Hellman key exchange algorithm defined in RFC 3526. If you still wish to obtain your own p and g for newly generated keys, you can do so by switching off the usePrecomputedPrimes property of the KeyStore class:

KeyStore ks = new KeyStore();
ks.setUsePrecomputedPrimes(false);

Additional sub keys

This version also allows the creation of additional sub keys. Check the examples on how to create and add a new sub key to an existing key pair and how to remove a sub key.

New importKey method

The existing methods for importing individual keys into a com.didisoft.pgp.KeyStore were cumbersome, because the result of the operation was an array of com.didisoft.pgp.KeyPairInformation objects instead of a single object. Now you can use the new KeyStore.importKey method instead, which works on private, public and combined keys.


OpenPGP for Java version 3.1 was released

DidiSoft OpenPGP Library for Java version 3.1 was released today.

New way to check digital signatures

The major change in this release is a new way to check the outcome of OpenPGP digital signature verification and the introduction of a new enum com.didisoft.pgp.SignatureCheckResult:

/** Represents the result of an OpenPGP signature check */
public enum SignatureCheckResult {
    /** Signature verified with the provided public key(s) */
    SignatureVerified,
    /** Signature broken or forged */
    SignatureBroken,
    /** The signature wasn't made with the provided public key */
    PublicKeyNotMatching,
    /** No signature was found in the input data */
    NoSignatureFound
}

Until now the outcome of checking signatures was a boolean result. When it was true, it was clear that the signature is correct. The problem was when the result was false: in that case it was unclear whether the signature had been tampered with, whether we had used the wrong public key to check it, or whether there was no signature in the .pgp message at all.

In order to solve this weakness a new set of methods was introduced:

PGPLib.verifyAndExtract verifies an OpenPGP signed or clear text signed message and extracts the data
PGPLib.verifyWithoutExtracting verifies an OpenPGP signed or clear text signed message without extracting the data
PGPLib.decryptAndVerify verifies an OpenPGP signed and encrypted message and extracts the data
PGPLib.detachedVerify verifies an OpenPGP detached signature

All of the above methods return com.didisoft.pgp.SignatureCheckResult, which distinguishes four cases: the signature is OK; the signature has been tampered with; we have tried to check with the wrong key (or, when using a KeyStore, there is no matching key); and finally the specified .pgp message has no digital signature at all.

The benefit of this new API is that the outcome is more accurate and there is no need for additional checks with PGPInspectLib in order to investigate the failure cases.
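As an added example (not from the original post), here is how an application can act differently on each of the four results instead of collapsing them into one boolean. It assumes the PGPLib.verifyAndExtract(String signedFile, KeyStore keyStore, String outputFile) overload that takes a KeyStore and returns SignatureCheckResult; deleting the extracted file on any failure is this example's own policy, not library behaviour.

```java
import java.io.File;
import java.io.IOException;
import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.PGPException;
import com.didisoft.pgp.PGPLib;
import com.didisoft.pgp.SignatureCheckResult;

public class VerifyWithReason {
    /** Application-level decision; each failure keeps its own reason for the audit log. */
    enum Outcome { ACCEPTED, REJECTED_TAMPERED, REJECTED_UNKNOWN_SIGNER, REJECTED_UNSIGNED }

    /** Maps each SignatureCheckResult to a distinct decision instead of a single boolean. */
    static Outcome classify(SignatureCheckResult result) {
        switch (result) {
            case SignatureVerified:    return Outcome.ACCEPTED;
            case SignatureBroken:      return Outcome.REJECTED_TAMPERED;       // data or signature altered
            case PublicKeyNotMatching: return Outcome.REJECTED_UNKNOWN_SIGNER; // no matching key in the store
            case NoSignatureFound:     return Outcome.REJECTED_UNSIGNED;       // message was never signed
            default: throw new IllegalStateException("unhandled result: " + result);
        }
    }

    /**
     * Verifies signedFile against the keys in keyStore and extracts it to outputFile.
     * Assumed overload: PGPLib.verifyAndExtract(String, KeyStore, String).
     * Only an ACCEPTED outcome leaves outputFile in place for further processing.
     */
    static Outcome verifyAndExtract(String signedFile, KeyStore keyStore, String outputFile)
            throws PGPException, IOException {
        PGPLib pgp = new PGPLib();
        SignatureCheckResult result = pgp.verifyAndExtract(signedFile, keyStore, outputFile);
        Outcome outcome = classify(result);
        if (outcome != Outcome.ACCEPTED) {
            // Policy of this example: never hand unverified plaintext downstream.
            new File(outputFile).delete();
        }
        return outcome;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = new KeyStore("my.keystore", "keystore pass");
        Outcome outcome = verifyAndExtract("data.txt.pgp", ks, "data.txt");
        System.out.println("verification outcome: " + outcome);
        if (outcome != Outcome.ACCEPTED) System.exit(1);
    }
}
```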

Backward compatibility

Upgrading is safe and will not harm your application. All the existing methods remain, although they are marked as obsolete. The reason for marking them obsolete is to encourage new application development to use the more accurate new set of methods.


Announcing OpenPGP Library for Java 3.0.0

Version 3.0.0 of DidiSoft OpenPGP Library for Java has been released today.

Why version 3.0?

The major version number change is due to two main things:

1) The library no longer needs the Unlimited JCE (Java Cryptography Extension) policy files. This means that from now on the library can be used in any application without modification of the host machine’s Java VM installation. The main benefit of this change is for mass market applications, especially B2C applications that have to be installed with minimal intervention on the client computer.

2) The library can now run side by side with any other version of the BouncyCastle library. You just have to put the library JAR files (located in the \Library folder of the distribution ZIP file) on your application classpath, regardless of whether other versions of the BouncyCastle library are present.

Upgrade instructions

The upgrade consists of replacing the old JAR files with the new ones:

1) bcpg-jdk15on-15-lw.jar
2) bcprov-jdk15on-15-lw.jar
3) pgplib-3.0.0.jar

Java 1.4 dropped

The library no longer ships with JAR files built for Java 1.4. Please let us know if you still need that version, and we will include it for you!

The DidiSoft Team


Announcing OraPGP

OpenPGP for Oracle DB

Announcing DidiSoft OraPGP, a package of PL/SQL functions for the Oracle(c) Database platform version 11 and 12 offering OpenPGP cryptography functions.

The package conforms to the OpenPGP standard RFC 4880 and RFC 6637, with compatibility to the older standard RFC 1991.

The package is licensed per server and also an Enterprise wide license is available, which ships with an Enterprise License for DidiSoft OpenPGP Library for Java as an extra add-on.


OpenPGP Library for Java version 2.7 has been released

Version 2.7.0 of DidiSoft OpenPGP Library for Java has been released today.

This version was migrated to the latest version of the BouncyCastle JAR files (1.51), but if you have dependencies in your project that require an older version of BouncyCastle, you can still migrate to the new version, because the library ships with pre-built JARs for BouncyCastle from version 1.41 to 1.51.

Oracle DB

The new version allows the library to be used inside the Oracle(c) Database JVM environment and to be invoked from Java stored procedures.

Inline keys

A key new feature is the acceptance of ASCII armored OpenPGP keys as strings in all methods that expect a key file name location. For example:

    String lineFeed = System.getProperty("line.separator");
    String inlinePubKey = "-----BEGIN PGP PUBLIC KEY BLOCK-----" + lineFeed +
        "Version: GnuPG v2.1.0-ecc (GNU/Linux)" + lineFeed +
        lineFeed +
        "mFIETJPQrRMIKoZIzj0DAQcCAwQLx6e669XwjHTHe3HuROe7C1oYMXuZbaU5PjOs" + lineFeed +
        "xSkyxtL2D00e/jWgufuNN4ftS+6XygEtB7j1g1vnCTVF1TLmtCRlY19kc2FfZGhf" + lineFeed +
        "MjU2IDxvcGVucGdwQGJyYWluaHViLm9yZz6IegQTEwgAIgUCTJPQrQIbAwYLCQgH" + lineFeed +
        "AwIGFQgCCQoLBBYCAwECHgECF4AACgkQC6Ut8LqlnZzmXQEAiKgiSzPSpUOJcX9d" + lineFeed +
        "JtLJ5As98Alit2oFwzhxG7mSVmQA/RP67yOeoUtdsK6bwmRA95cwf9lBIusNjehx" + lineFeed +
        "XDfpHj+/uFYETJPQrRIIKoZIzj0DAQcCAwR/cMCoGEzcrqXbILqP7Rfke977dE1X" + lineFeed +
        "XsRJEwrzftreZYrn7jXSDoiXkRyfVkvjPZqUvB5cknsaoH/3UNLRHClxAwEIB4hh" + lineFeed +
        "BBgTCAAJBQJMk9CtAhsMAAoJEAulLfC6pZ2c1yYBAOSUmaQ8rkgihnepbnpK7tNz" + lineFeed +
        "3QEocsLEtsTCDUBGNYGyAQDclifYqsUChXlWKaw3md+yHJPcWZXzHt37c4q/MhIm" + lineFeed +
        "oQ==" + lineFeed +
        "=hMzp" + lineFeed +
        "-----END PGP PUBLIC KEY BLOCK-----";

    PGPLib pgp = new PGPLib();
    // the public key is passed inline as an ASCII armored string
    String encInline = pgp.encryptString("Hello World", inlinePubKey);

    // the same method still accepts a key file location, as before
    String encFromFile = pgp.encryptString("Hello World", "/usr/didisoft/keys/key.asc");

What’s next

In the next version we are going to provide full support for OpenPGP emails (RFC 3156).

The DidiSoft Team


OpenPGP Library for Java v2.6.6.0 has been released

Dear friends,

We are happy to announce that version 2.6.6.0 of DidiSoft OpenPGP Library for Java has been released.

Existing customers can download the updated version from our customers’ section located at https://www.didisoft.com/customers/

What’s new in this version?

PGP 2.x compatibility

This version provides a setter method that modifies the behavior of the PGPLib class so that it starts to produce PGP 2.x compatible encrypted, and signed and encrypted, output: PGPLib.setPgp2Compatible(boolean)

This setting shall be used with caution, as it uses only the encryption and hashing algorithms available in PGP 2.x (more information can be found in www.ietf.org/rfc/rfc1991.txt). You must use it only if you are certain that your recipient is using PGP 2.x software (yes, such software still runs in some organizations).

Output streams are left open

In the methods that deal with streams (e.g. PGPLib.encryptStream, signStream, etc.) we were implicitly closing the output streams. Now the streams are left open, because a customer needed to write additional data afterwards. You must close them explicitly, like:

PGPLib pgp = new PGPLib();
OutputStream outStream = ...
try {
    pgp.encryptStream(dataStream, keyStream, outStream, ...);
} finally {
    // the library no longer closes the output stream; the caller must do it
    outStream.close();
}

For a complete list of changes, please check the ReleaseNotes.


OpenPGP Library for Java v.2.6.5 provides access to OpenPGP key servers

DidiSoft OpenPGP Library for Java version 2.6.5.0 has been released today.

The main thing that this new version provides is the ability to exchange keys with OpenPGP key servers. Detailed examples can be found in:

In the near future we are also planning to integrate with Townsend Security Key server, once they provide a storage for OpenPGP keys (expected at the second half of this year).

As usual, this version is fully backward compatible with the previous version 2.6.4.x.


OpenPGP Library for Java Roadmap 2014

Another year has passed and the New Year 2014 is waiting for our plans to extend DidiSoft OpenPGP Library for Java with new features.

Below is a short list of the main additions that we are planning to release this year.

First Quarter of the year (Q1):

Support for exchanging keys with OpenPGP key servers.

Q2

Support for wrapping X.509 keys (we have postponed this for a while).

Q3

Support for images in OpenPGP keys
Support for sending OpenPGP emails.

Q4

Support for customizing the KeyStore

As usual this is only a highlight of our plans. We are always open for new feature requests.

The DidiSoft team.
