问题
I've got a doubt.. I have to sign a pgp public key using bouncycastle api supposedly. Now: to my understanding signing a key with another means ultimately adding to this public key a "certificate". Thus lacking any other way, I've gone blind searching in the library. my only find so far has been method generateCertification inside PGPSignatureGenerator. But this method generate a certification between a master PgpPublicKey and another PgpPublicKey.. And this strikes me as strange: I assumed that in order to trust another public key, that has to be signed with your own private pgp key just like in regular x.509 with CA certification in a manner.. This was assumption by some methods that I saw when trying to get some ideas from other library: didisoft for example has a similar method on a keystore where you have to provide the PgpPrivatekey keyuid...
Anyone has any hint or a piece of code to propose? Thanks in advance.
回答1:
Here's a Codeexample to sign a public Key:
PGPSecretKey mySecretKey;
PGPPublicKey publicKeyToBeSigned;
PGPPrivateKey pgpPrivKey = mySecretKey
.extractPrivateKey(new JcePBESecretKeyDecryptorBuilder()
.setProvider("BC").build("password for your private key"));
PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(
new JcaPGPContentSignerBuilder(mySecretKey.getPublicKey()
.getAlgorithm(), PGPUtil.SHA512));
signatureGenerator.init(PGPSignature.DIRECT_KEY, pgpPrivKey);
PGPSignature signature = signatureGenerator.generateCertification(
id, publicKeyToBeSigned);
This piece of code just creates the signature. You need to add it to your the public key then:
PGPPublicKey.addCertification(publicKeyToBeSigned, signature);
Hope that helps you :)
回答2:
This can be used to check that one key gave default certification to another
/**
* Signs a public key
*
* @param publicKeyRing a public key ring containing the single public key to sign
* @param id the id we are certifying against the public key
* @param secretKey the signing key
* @param secretKeyPassword the signing key password
*
* @return a public key ring with the signed public key
*/
public static PGPPublicKeyRing signPublicKey( PGPPublicKeyRing publicKeyRing, String id, PGPSecretKey secretKey,
String secretKeyPassword ) throws PGPException
{
try
{
PGPPublicKey oldKey = publicKeyRing.getPublicKey();
PGPPrivateKey pgpPrivKey = secretKey.extractPrivateKey(
new JcePBESecretKeyDecryptorBuilder().setProvider( provider )
.build( secretKeyPassword.toCharArray() ) );
PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(
new JcaPGPContentSignerBuilder( secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1 ) );
signatureGenerator.init( PGPSignature.DEFAULT_CERTIFICATION, pgpPrivKey );
PGPSignature signature = signatureGenerator.generateCertification( id, oldKey );
PGPPublicKey newKey = PGPPublicKey.addCertification( oldKey, signature );
PGPPublicKeyRing newPublicKeyRing = PGPPublicKeyRing.removePublicKey( publicKeyRing, oldKey );
return PGPPublicKeyRing.insertPublicKey( newPublicKeyRing, newKey );
}
catch ( Exception e )
{
//throw custom exception
throw new PGPException( "Error signing public key", e );
}
}
/**
* Verifies that a public key is signed with another public key
*
* @param keyToVerify the public key to verify
* @param id the id we are verifying against the public key
* @param keyToVerifyWith the key to verify with
*
* @return true if verified, false otherwise
*/
public static boolean verifyPublicKey( PGPPublicKey keyToVerify, String id, PGPPublicKey keyToVerifyWith )
throws PGPException
{
try
{
Iterator<PGPSignature> signIterator = keyToVerify.getSignatures();
while ( signIterator.hasNext() )
{
PGPSignature signature = signIterator.next();
signature.init( new JcaPGPContentVerifierBuilderProvider().setProvider( provider ), keyToVerifyWith );
if ( signature.verifyCertification( id.getBytes(), keyToVerify ) )
{
return true;
}
}
return false;
}
catch ( Exception e )
{
//throw custom exception
throw new PGPException( "Error verifying public key", e );
}
}
来源:https://stackoverflow.com/questions/28591684/java-sign-public-pgp-key-with-bouncycastle