问题
We use the Bouncy.Castle C# API to do PGP encryption. I am by no means an expert on PGP encryption and the various options available.
The encryption seems to run fine, however, when the client tries to decrypt it, he says that PGP won't output to file but only output to screen because it is marked "For your eyes only." This is the --verbose message:
pgp --decrypt Client_FileExport_20110510_020011.zip.pgp
Client_FileExport_20110511_132203.zip.pgp --info verbose
McAfee E-Business Server v8.5 - Full License
(c) 1991-2006 McAfee, Inc. All Rights Reserved.
Setting temporary directory to C:\DOCUME~1\$963\LOCALS~1\Temp\
Decoding data....
event 1: initial
event 13: BeginLex
event 8: Analyze
File is encrypted. event 9: Recipients
Secret key is required to read it.
Key for user ID "Client_RSAv4_Key <Bob.Smith@Client.com>"
event 6: Passphrase
You need a pass phrase to unlock your secret key.
Enter pass phrase:
event 23: Decryption
symmetric cipher used: CAST5
event 11: Output options
typecode: 0062
for your eyes only
This message is marked "For your eyes only". Display now (Y/n)?
I have no clue as to how to go about debugging this. Anybody know?
Here is the general code we use to encrypt data. In this scenario we are not signing the document, so that portion of the code can be ignored.
private void EncryptImpl(Stream inputStream, Stream outputStream, bool signOutput)
{
const int BUFFER_SIZE = 1 << 16; // should always be power of 2
bool armor = true;
bool withIntegrityCheck = true;
if (armor)
outputStream = new ArmoredOutputStream(outputStream);
var encKey = PgpHelper.ReadPublicKey(this.EncryptionPublicKey);
// Init encrypted data generator
PgpEncryptedDataGenerator encryptedDataGenerator =
new PgpEncryptedDataGenerator(SymmetricKeyAlgorithmTag.Cast5, withIntegrityCheck, new SecureRandom());
encryptedDataGenerator.AddMethod(encKey);
Stream encryptedOut = encryptedDataGenerator.Open(outputStream, new byte[BUFFER_SIZE]);
// Init compression
PgpCompressedDataGenerator compressedDataGenerator = new PgpCompressedDataGenerator(CompressionAlgorithmTag.Zip);
Stream compressedOut = compressedDataGenerator.Open(encryptedOut);
PgpSignatureGenerator signatureGenerator = null;
if (signOutput)
{
// Init signature
var pgpSecKey = PgpHelper.ReadSecretKey(this.OrigamiSecretKey);
PgpPrivateKey pgpPrivKey = pgpSecKey.ExtractPrivateKey(this.PassPhrase.ToCharArray());
signatureGenerator = new PgpSignatureGenerator(pgpSecKey.PublicKey.Algorithm, HashAlgorithmTag.Sha1);
signatureGenerator.InitSign(PgpSignature.BinaryDocument, pgpPrivKey);
foreach (string userId in pgpSecKey.PublicKey.GetUserIds())
{
PgpSignatureSubpacketGenerator spGen = new PgpSignatureSubpacketGenerator();
spGen.SetSignerUserId(false, userId);
signatureGenerator.SetHashedSubpackets(spGen.Generate());
// Just the first one!
break;
}
signatureGenerator.GenerateOnePassVersion(false).Encode(compressedOut);
}
// Create the Literal Data generator output stream
PgpLiteralDataGenerator literalDataGenerator = new PgpLiteralDataGenerator();
// TODO: Use lastwritetime from source file
Stream literalOut = literalDataGenerator.Open(compressedOut, PgpLiteralData.Binary,
PgpLiteralDataGenerator.Console, DateTime.Now, new byte[BUFFER_SIZE]);
// Open the input file
byte[] buf = new byte[BUFFER_SIZE];
int len;
while ((len = inputStream.Read(buf, 0, buf.Length)) > 0)
{
literalOut.Write(buf, 0, len);
if (signOutput)
signatureGenerator.Update(buf, 0, len);
}
literalOut.Close();
literalDataGenerator.Close();
if (signOutput)
signatureGenerator.Generate().Encode(compressedOut);
compressedOut.Close();
compressedDataGenerator.Close();
encryptedOut.Close();
encryptedDataGenerator.Close();
inputStream.Close();
if (armor)
outputStream.Close();
}
回答1:
I'm guessing that PgpLiteralDataGenerator.Console is what is causing it to show up only in the console of the client machine.
Stream literalOut = literalDataGenerator.Open(
compressedOut,
PgpLiteralData.Binary,
PgpLiteralDataGenerator.Console,
DateTime.Now,
new byte[BUFFER_SIZE]);
回答2:
This message is shown when the encrypted file doesn't include a name of the original file. If you are not encrypting the file, you can put almost anything to that field (given that it constitutes a file name, valid for the target system).
来源:https://stackoverflow.com/questions/6036050/we-encrypt-a-file-for-a-client-using-bouncycastle-api-he-gets-a-for-your-eyes