Verify PGP signed data (Obsolete)

Note: This article refers to the old way of extracting and verifying OpenPGP signed data. The weakness of these methods is that they don’t provide detailed information if the signature verification fails. This is why they are now marked as obsolete. Please use the new methods available as of version 3.1 of the library.

When we receive a signed-only OpenPGP file from our partners, we can either decrypt it with an arbitrary key, thereby ignoring the digital signature, or verify the signature and extract the data.

The examples below show how to verify the digital signature and extract the data in one pass with OpenPGP Library for Java. For the verification we use the public key of the sender.

Verify a signed file

1. with sender’s public key located in a file on the disk.
2. with sender’s public key located in a KeyStore.

Verify a signed Stream

3. with sender’s public key located in a file on the disk.
4. with sender’s public key located in a KeyStore.

Appendix A
Exception Handling

1. Verify a signed file with sender’s public key located in a file on the disk.

This example assumes that the file signed.pgp was only signed with the private key of the sender. Note that this is different from sign and encrypt in one pass.

import com.didisoft.pgp.PGPLib;

public class VerifyFile {
  public static void main(String[] args) throws Exception {
    // create an instance of the library
    PGPLib pgp = new PGPLib();

    // verify the signature and extract the signed data into OUTPUT.txt
    boolean validSignature = pgp.verifyFile("signed.pgp", "public.key", "OUTPUT.txt");
    if (validSignature) {
      System.out.println("Signature is valid.");
    } else {
      System.out.println("Signature is invalid!");
    }
  }
}

2. Verify a signed file with sender’s public key located in a KeyStore.

In this example we try to verify the digital signature of the received file against the public keys previously imported into our KeyStore file. If the sender’s public key is not present in this KeyStore, the verification fails, but the embedded file is extracted anyway, so OUTPUT.txt must not be treated as authenticated unless the method returns true.

import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.PGPLib;

public class KeyStoreVerifyFile {
  public static void main(String[] args) throws Exception {
    // create an instance of the KeyStore
    KeyStore keyStore = new KeyStore("pgp.keystore", "changeit");

    // initialize the library
    PGPLib pgp = new PGPLib();

    // verify
    boolean validSignature = pgp.verifyFile("signed.pgp",
                                            keyStore,
                                            "OUTPUT.txt");

    if (validSignature) {
      System.out.println("Signature is valid.");
    } else {
      System.out.println("Signature is invalid!");
    }
  }
}

3. Verify signed stream data with sender’s public key located in a file on the disk.

In the example below the signed data is supplied as a file stream but it can be any kind of input stream.

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;

import com.didisoft.pgp.PGPLib;

public class VerifyStream {
  public static void main(String[] args) throws Exception {
    PGPLib pgp = new PGPLib();

    // try-with-resources closes all three streams, even if verification throws
    try (InputStream signedStream = new FileInputStream("signed.pgp");
         InputStream senderPublicKeyStream = new FileInputStream("public.key");
         OutputStream outputStream = new FileOutputStream("OUTPUT.txt")) {

      boolean validSignature = pgp.verifyStream(signedStream, senderPublicKeyStream, outputStream);
      if (validSignature) {
        System.out.println("Signature is valid.");
      } else {
        System.out.println("Signature is invalid!");
      }
    }
  }
}

4. Verify signed stream data with sender’s public key located in a KeyStore.

The example below checks signed-only stream data against the public keys located in a KeyStore file. Even if none of the public keys can verify the OpenPGP digital signature packet, the content of the signed input stream is still extracted into the destination output stream.

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;

import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.PGPLib;

public class KeyStoreVerifyStream {
  public static void main(String[] args) throws Exception {
    // create an instance of the KeyStore
    KeyStore keyStore = new KeyStore("pgp.keystore", "changeit");

    // initialize the library
    PGPLib pgp = new PGPLib();

    // obtain the signed stream and specify the output stream for the extracted data;
    // try-with-resources closes both, even if verification throws
    try (InputStream signedStream = new FileInputStream("signed.pgp");
         OutputStream decryptedStream = new FileOutputStream("OUTPUT.txt")) {

      boolean validSignature = pgp.verifyStream(signedStream,
                                                keyStore,
                                                decryptedStream);

      if (validSignature) {
        System.out.println("Signature is valid.");
      } else {
        System.out.println("Signature is invalid!");
      }
    }
  }
}
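
Sections 2 and 4 both note that the signed content is extracted even when verification fails. The following is an added example, not part of the original article or the library's own samples, that extracts into a staging file and moves it to its final name only when verifyFile returns true. The class name FailClosedVerify, the helper verifyThenPublish and the "unverified-" staging prefix are assumptions made for illustration; the file names and the verifyFile call are the ones used above.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;

import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.PGPLib;

public class FailClosedVerify {

  /**
   * Hypothetical helper: extracts signedFile into target only if the signature
   * verifies against a key in keyStore. Returns true when target was written.
   */
  static boolean verifyThenPublish(PGPLib pgp, KeyStore keyStore,
                                   String signedFile, Path target) throws Exception {
    // Staging file in the target's directory, so the final move stays on one file system.
    Path dir = target.toAbsolutePath().getParent();
    Path staging = Files.createTempFile(dir, "unverified-", ".tmp");
    try {
      // The library writes the payload to the staging file even when verification fails.
      boolean valid = pgp.verifyFile(signedFile, keyStore, staging.toString());
      if (!valid) {
        return false; // the finally block removes the unauthenticated payload
      }
      Files.move(staging, target, StandardCopyOption.REPLACE_EXISTING);
      return true;
    } finally {
      // No-op after a successful move; cleans up on a failed check or an exception.
      Files.deleteIfExists(staging);
    }
  }

  public static void main(String[] args) throws Exception {
    KeyStore keyStore = new KeyStore("pgp.keystore", "changeit");
    PGPLib pgp = new PGPLib();

    boolean published = verifyThenPublish(pgp, keyStore, "signed.pgp", Paths.get("OUTPUT.txt"));
    if (!published) {
      System.err.println("Signature is invalid, OUTPUT.txt was not written.");
      System.exit(1);
    }
    System.out.println("Signature is valid, data extracted to OUTPUT.txt.");
  }
}
```

With the KeyStore overload the check runs against every public key in the KeyStore, so the KeyStore should hold only the keys of senders accepted for this exchange.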

Exception Handling

When verifying signed OpenPGP data we can simply catch java.io.IOException and com.didisoft.pgp.PGPException.

We can also catch a number of PGPException subclasses located in the com.didisoft.pgp.exceptions package. They must be caught before PGPException.

Below is an example code snippet that shows this extended error handling:

import java.io.IOException;
import com.didisoft.pgp.*;
import com.didisoft.pgp.exceptions.*;

public class ExceptionHandlingDemo {
  public static void main(String[] a) {
    PGPLib pgp = new PGPLib();
    try {
      // any of the verify methods shown above; the call from example 1 is used here
      pgp.verifyFile("signed.pgp", "public.key", "OUTPUT.txt");
    } catch (IOException e) {
      // error reading input or writing output
    } catch (NonPGPDataException e) {
      // the passed input is not a valid OpenPGP archive
    } catch (NoPublicKeyFoundException e) {
      // if the passed public key file does not contain a public key or is corrupted
    } catch (FileIsEncryptedException e) {
      // if the passed input is OpenPGP encrypted, it should either be extracted with
      // decrypt method call or decrypted and verified in one pass
      // with decryptAndVerify method call
    } catch (DetachedSignatureException e) {
      // the input is not a signed message, but a detached OpenPGP signature
    } catch (PGPException e) {
      // general OpenPGP error not among the above ones
    }
  }
}

Summary

In this chapter we have discussed verifying the digital signature of OpenPGP signed data with DidiSoft OpenPGP Library for Java.