/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.camel.converter.crypto;
import java.io.BufferedOutputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.camel.Exchange;
import org.apache.camel.Message;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.mock.MockEndpoint;
import org.apache.camel.util.IOHelper;
import org.bouncycastle.bcpg.BCPGOutputStream;
import org.bouncycastle.bcpg.CompressionAlgorithmTags;
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
import org.bouncycastle.bcpg.sig.KeyFlags;
import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPLiteralData;
import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
import org.bouncycastle.openpgp.operator.jcajce.JcePBEKeyEncryptionMethodGenerator;
import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
import org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder;
import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyKeyEncryptionMethodGenerator;
import org.junit.Before;
import org.junit.Test;
public class PGPDataFormatTest extends AbstractPGPDataFormatTest {
private static final String PUB_KEY_RING_SUBKEYS_FILE_NAME = "org/apache/camel/component/crypto/pubringSubKeys.gpg";
private static final String SEC_KEY_RING_FILE_NAME = "org/apache/camel/component/crypto/secring.gpg";
private static final String PUB_KEY_RING_FILE_NAME = "org/apache/camel/component/crypto/pubring.gpg";
PGPDataFormat encryptor = new PGPDataFormat();
PGPDataFormat decryptor = new PGPDataFormat();
@Before
public void setUpEncryptorAndDecryptor() {
// the following keyring contains a primary key with KeyFlag "Certify" and a subkey for signing and a subkey for encryption
encryptor.setKeyFileName(PUB_KEY_RING_SUBKEYS_FILE_NAME);
encryptor.setSignatureKeyFileName("org/apache/camel/component/crypto/secringSubKeys.gpg");
encryptor.setSignaturePassword("Abcd1234");
encryptor.setKeyUserid("keyflag");
encryptor.setSignatureKeyUserid("keyflag");
encryptor.setIntegrity(false);
encryptor.setFileName("fileNameABC");
// the following keyring contains a primary key with KeyFlag "Certify" and a subkey for signing and a subkey for encryption
decryptor.setKeyFileName("org/apache/camel/component/crypto/secringSubKeys.gpg");
decryptor.setSignatureKeyFileName(PUB_KEY_RING_SUBKEYS_FILE_NAME);
decryptor.setPassword("Abcd1234");
decryptor.setSignatureKeyUserid("keyflag");
}
protected String getKeyFileName() {
return PUB_KEY_RING_FILE_NAME;
}
protected String getKeyFileNameSec() {
return SEC_KEY_RING_FILE_NAME;
}
protected String getKeyUserId() {
return "sdude@nowhere.net";
}
protected List<String> getKeyUserIds() {
List<String> userids = new ArrayList<String>(2);
userids.add("second");
userids.add(getKeyUserId());
return userids;
}
protected List<String> getSignatureKeyUserIds() {
List<String> userids = new ArrayList<String>(2);
userids.add("second");
userids.add(getKeyUserId());
return userids;
}
protected String getKeyPassword() {
return "sdude";
}
protected String getProvider() {
return "BC";
}
protected int getAlgorithm() {
return SymmetricKeyAlgorithmTags.TRIPLE_DES;
}
protected int getHashAlgorithm() {
return HashAlgorithmTags.SHA256;
}
protected int getCompressionAlgorithm() {
return CompressionAlgorithmTags.BZIP2;
}
@Test
public void testEncryption() throws Exception {
doRoundTripEncryptionTests("direct:inline");
}
@Test
public void testEncryption2() throws Exception {
doRoundTripEncryptionTests("direct:inline2");
}
@Test
public void testEncryptionArmor() throws Exception {
doRoundTripEncryptionTests("direct:inline-armor");
}
@Test
public void testEncryptionSigned() throws Exception {
doRoundTripEncryptionTests("direct:inline-sign");
}
@Test
public void testEncryptionKeyRingByteArray() throws Exception {
doRoundTripEncryptionTests("direct:key-ring-byte-array");
}
@Test
public void testEncryptionSignedKeyRingByteArray() throws Exception {
doRoundTripEncryptionTests("direct:sign-key-ring-byte-array");
}
@Test
public void testSeveralSignerKeys() throws Exception {
doRoundTripEncryptionTests("direct:several-signer-keys");
}
@Test
public void testOneUserIdWithServeralKeys() throws Exception {
doRoundTripEncryptionTests("direct:one-userid-several-keys");
}
@Test
public void testKeyAccess() throws Exception {
doRoundTripEncryptionTests("direct:key_access");
}
@Test
public void testVerifyExceptionNoPublicKeyFoundCorrespondingToSignatureUserIds() throws Exception {
setupExpectations(context, 1, "mock:encrypted");
MockEndpoint exception = setupExpectations(context, 1, "mock:exception");
String payload = "Hi Alice, Be careful Eve is listening, signed Bob";
Map<String, Object> headers = getHeaders();
template.sendBodyAndHeaders("direct:verify_exception_sig_userids", payload, headers);
assertMockEndpointsSatisfied();
checkThrownException(exception, IllegalArgumentException.class, null, "No public key found for the key ID(s)");
}
@Test
public void testVerifyExceptionNoPassphraseSpecifiedForSignatureKeyUserId() throws Exception {
MockEndpoint exception = setupExpectations(context, 1, "mock:exception");
String payload = "Hi Alice, Be careful Eve is listening, signed Bob";
Map<String, Object> headers = new HashMap<String, Object>();
// add signature user id which does not have a passphrase
headers.put(PGPKeyAccessDataFormat.SIGNATURE_KEY_USERID, "userIDWithNoPassphrase");
// the following entry is necessary for the dynamic test
headers.put(PGPKeyAccessDataFormat.KEY_USERID, "second");
template.sendBodyAndHeaders("direct:several-signer-keys", payload, headers);
assertMockEndpointsSatisfied();
checkThrownException(exception, IllegalArgumentException.class, null, "No passphrase specified for signature key user ID");
}
/**
* You get three keys with the UserId "keyflag", a primary key and its two
* sub-keys. The sub-key with KeyFlag {@link KeyFlags#SIGN_DATA} should be
* used for signing and the sub-key with KeyFlag
* {@link KeyFlags#ENCRYPT_COMMS} or {@link KeyFlags#ENCRYPT_COMMS} or
* {@link KeyFlags#ENCRYPT_STORAGE} should be used for decryption.
*
* @throws Exception
*/
@Test
public void testKeyFlagSelectsCorrectKey() throws Exception {
MockEndpoint mockKeyFlag = getMockEndpoint("mock:encrypted_keyflag");
mockKeyFlag.setExpectedMessageCount(1);
template.sendBody("direct:keyflag", "Test Message");
assertMockEndpointsSatisfied();
List<Exchange> exchanges = mockKeyFlag.getExchanges();
assertEquals(1, exchanges.size());
Exchange exchange = exchanges.get(0);
Message inMess = exchange.getIn();
assertNotNull(inMess);
// must contain exactly one encryption key and one signature
assertEquals(1, inMess.getHeader(PGPKeyAccessDataFormat.NUMBER_OF_ENCRYPTION_KEYS));
assertEquals(1, inMess.getHeader(PGPKeyAccessDataFormat.NUMBER_OF_SIGNING_KEYS));
}
/**
* You get three keys with the UserId "keyflag", a primary key and its two
* sub-keys. The sub-key with KeyFlag {@link KeyFlags#SIGN_DATA} should be
* used for signing and the sub-key with KeyFlag
* {@link KeyFlags#ENCRYPT_COMMS} or {@link KeyFlags#ENCRYPT_COMMS} or
* {@link KeyFlags#ENCRYPT_STORAGE} should be used for decryption.
* <p>
* Tests also the decryption and verifying part with the subkeys.
*
* @throws Exception
*/
@Test
public void testDecryptVerifyWithSubkey() throws Exception {
// do not use doRoundTripEncryptionTests("direct:subkey"); because otherwise you get an error in the dynamic test
String payload = "Test Message";
MockEndpoint mockSubkey = getMockEndpoint("mock:unencrypted");
mockSubkey.expectedBodiesReceived(payload);
template.sendBody("direct:subkey", payload);
assertMockEndpointsSatisfied();
}
@Test
public void testEmptyBody() throws Exception {
String payload = "";
MockEndpoint mockSubkey = getMockEndpoint("mock:unencrypted");
mockSubkey.expectedBodiesReceived(payload);
template.sendBody("direct:subkey", payload);
assertMockEndpointsSatisfied();
}
@Test
public void testExceptionDecryptorIncorrectInputFormatNoPGPMessage() throws Exception {
String payload = "Not Correct Format";
MockEndpoint mock = getMockEndpoint("mock:exception");
mock.expectedMessageCount(1);
template.sendBody("direct:subkeyUnmarshal", payload);
assertMockEndpointsSatisfied();
checkThrownException(mock, IllegalArgumentException.class, null, "The input message body has an invalid format.");
}
@Test
public void testExceptionDecryptorIncorrectInputFormatPGPSignedData() throws Exception {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
createSignature(bos);
MockEndpoint mock = getMockEndpoint("mock:exception");
mock.expectedMessageCount(1);
template.sendBody("direct:subkeyUnmarshal", bos.toByteArray());
assertMockEndpointsSatisfied();
checkThrownException(mock, IllegalArgumentException.class, null, "The input message body has an invalid format.");
}
@Test
public void testEncryptSignWithoutCompressedDataPacket() throws Exception {
doRoundTripEncryptionTests("direct:encrypt-sign-without-compressed-data-packet");
// ByteArrayOutputStream bos = new ByteArrayOutputStream();
//
//// createEncryptedNonCompressedData(bos, PUB_KEY_RING_SUBKEYS_FILE_NAME);
//
// MockEndpoint mock = getMockEndpoint("mock:exception");
// mock.expectedMessageCount(1);
// template.sendBody("direct:encrypt-sign-without-compressed-data-packet", bos.toByteArray());
// assertMockEndpointsSatisfied();
//
// //checkThrownException(mock, IllegalArgumentException.class, null, "The input message body has an invalid format.");
}
@Test
public void testExceptionDecryptorNoKeyFound() throws Exception {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
createEncryptedNonCompressedData(bos, PUB_KEY_RING_FILE_NAME);
MockEndpoint mock = getMockEndpoint("mock:exception");
mock.expectedMessageCount(1);
template.sendBody("direct:subkeyUnmarshal", bos.toByteArray());
assertMockEndpointsSatisfied();
checkThrownException(mock, PGPException.class, null,
"PGP message is encrypted with a key which could not be found in the Secret Keyring");
}
void createEncryptedNonCompressedData(ByteArrayOutputStream bos, String keyringPath) throws Exception, IOException, PGPException,
UnsupportedEncodingException {
PGPEncryptedDataGenerator encGen = new PGPEncryptedDataGenerator(new JcePGPDataEncryptorBuilder(SymmetricKeyAlgorithmTags.CAST5)
.setSecureRandom(new SecureRandom()).setProvider(getProvider()));
encGen.addMethod(new JcePublicKeyKeyEncryptionMethodGenerator(readPublicKey(keyringPath)));
OutputStream encOut = encGen.open(bos, new byte[512]);
PGPLiteralDataGenerator litData = new PGPLiteralDataGenerator();
OutputStream litOut = litData.open(encOut, PGPLiteralData.BINARY, PGPLiteralData.CONSOLE, new Date(), new byte[512]);
try {
litOut.write("Test Message Without Compression".getBytes("UTF-8"));
litOut.flush();
} finally {
IOHelper.close(litOut);
IOHelper.close(encOut, bos);
}
}
private void createSignature(OutputStream out) throws Exception {
PGPSecretKey pgpSec = readSecretKey();
PGPPrivateKey pgpPrivKey = pgpSec.extractPrivateKey(new JcePBESecretKeyDecryptorBuilder().setProvider(getProvider()).build(
"sdude".toCharArray()));
PGPSignatureGenerator sGen = new PGPSignatureGenerator(new JcaPGPContentSignerBuilder(pgpSec.getPublicKey().getAlgorithm(),
HashAlgorithmTags.SHA1).setProvider(getProvider()));
sGen.init(PGPSignature.BINARY_DOCUMENT, pgpPrivKey);
BCPGOutputStream bOut = new BCPGOutputStream(out);
InputStream fIn = new ByteArrayInputStream("Test Signature".getBytes("UTF-8"));
int ch;
while ((ch = fIn.read()) >= 0) {
sGen.update((byte) ch);
}
fIn.close();
sGen.generate().encode(bOut);
}
static PGPSecretKey readSecretKey() throws Exception {
InputStream input = new ByteArrayInputStream(getSecKeyRing());
PGPSecretKeyRingCollection pgpSec = new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(input),
new BcKeyFingerprintCalculator());
@SuppressWarnings("rawtypes")
Iterator keyRingIter = pgpSec.getKeyRings();
while (keyRingIter.hasNext()) {
PGPSecretKeyRing keyRing = (PGPSecretKeyRing) keyRingIter.next();
@SuppressWarnings("rawtypes")
Iterator keyIter = keyRing.getSecretKeys();
while (keyIter.hasNext()) {
PGPSecretKey key = (PGPSecretKey) keyIter.next();
if (key.isSigningKey()) {
return key;
}
}
}
throw new IllegalArgumentException("Can't find signing key in key ring.");
}
static PGPPublicKey readPublicKey(String keyringPath) throws Exception {
InputStream input = new ByteArrayInputStream(getKeyRing(keyringPath));
PGPPublicKeyRingCollection pgpPub = new PGPPublicKeyRingCollection(PGPUtil.getDecoderStream(input),
new BcKeyFingerprintCalculator());
@SuppressWarnings("rawtypes")
Iterator keyRingIter = pgpPub.getKeyRings();
while (keyRingIter.hasNext()) {
PGPPublicKeyRing keyRing = (PGPPublicKeyRing) keyRingIter.next();
@SuppressWarnings("rawtypes")
Iterator keyIter = keyRing.getPublicKeys();
while (keyIter.hasNext()) {
PGPPublicKey key = (PGPPublicKey) keyIter.next();
if (key.isEncryptionKey()) {
return key;
}
}
}
throw new IllegalArgumentException("Can't find encryption key in key ring.");
}
@Test
public void testExceptionDecryptorIncorrectInputFormatSymmetricEncryptedData() throws Exception {
byte[] payload = "Not Correct Format".getBytes("UTF-8");
ByteArrayOutputStream bos = new ByteArrayOutputStream();
PGPEncryptedDataGenerator encGen = new PGPEncryptedDataGenerator(new JcePGPDataEncryptorBuilder(SymmetricKeyAlgorithmTags.CAST5)
.setSecureRandom(new SecureRandom()).setProvider(getProvider()));
encGen.addMethod(new JcePBEKeyEncryptionMethodGenerator("pw".toCharArray()));
OutputStream encOut = encGen.open(bos, new byte[1024]);
PGPCompressedDataGenerator comData = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
OutputStream comOut = new BufferedOutputStream(comData.open(encOut));
PGPLiteralDataGenerator litData = new PGPLiteralDataGenerator();
OutputStream litOut = litData.open(comOut, PGPLiteralData.BINARY, PGPLiteralData.CONSOLE, new Date(), new byte[1024]);
litOut.write(payload);
litOut.flush();
litOut.close();
comOut.close();
encOut.close();
MockEndpoint mock = getMockEndpoint("mock:exception");
mock.expectedMessageCount(1);
template.sendBody("direct:subkeyUnmarshal", bos.toByteArray());
assertMockEndpointsSatisfied();
checkThrownException(mock, IllegalArgumentException.class, null, "The input message body has an invalid format.");
}
@Test
public void testExceptionForSignatureVerificationOptionNoSignatureAllowed() throws Exception {
decryptor.setSignatureVerificationOption(PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_NO_SIGNATURE_ALLOWED);
MockEndpoint mock = getMockEndpoint("mock:exception");
mock.expectedMessageCount(1);
template.sendBody("direct:subkey", "Test Message");
assertMockEndpointsSatisfied();
checkThrownException(mock, PGPException.class, null, "PGP message contains a signature although a signature is not expected");
}
@Test
public void testExceptionForSignatureVerificationOptionRequired() throws Exception {
encryptor.setSignatureKeyUserid(null); // no signature
decryptor.setSignatureVerificationOption(PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_REQUIRED);
MockEndpoint mock = getMockEndpoint("mock:exception");
mock.expectedMessageCount(1);
template.sendBody("direct:subkey", "Test Message");
assertMockEndpointsSatisfied();
checkThrownException(mock, PGPException.class, null, "PGP message does not contain any signatures although a signature is expected");
}
@Test
public void testSignatureVerificationOptionIgnore() throws Exception {
// encryptor is sending a PGP message with signature! Decryptor is ignoreing the signature
decryptor.setSignatureVerificationOption(PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_IGNORE);
decryptor.setSignatureKeyUserids(null);
decryptor.setSignatureKeyFileName(null); // no public keyring! --> no signature validation possible
String payload = "Test Message";
MockEndpoint mock = getMockEndpoint("mock:unencrypted");
mock.expectedBodiesReceived(payload);
template.sendBody("direct:subkey", payload);
assertMockEndpointsSatisfied();
}
protected RouteBuilder[] createRouteBuilders() {
return new RouteBuilder[] {new RouteBuilder() {
public void configure() throws Exception {
onException(Exception.class).handled(true).to("mock:exception");
// START SNIPPET: pgp-format
// Public Key FileName
String keyFileName = getKeyFileName();
// Private Key FileName
String keyFileNameSec = getKeyFileNameSec();
// Keyring Userid Used to Encrypt
String keyUserid = getKeyUserId();
// Private key password
String keyPassword = getKeyPassword();
from("direct:inline").marshal().pgp(keyFileName, keyUserid).to("mock:encrypted").unmarshal()
.pgp(keyFileNameSec, null, keyPassword).to("mock:unencrypted");
// END SNIPPET: pgp-format
// START SNIPPET: pgp-format-header
PGPDataFormat pgpEncrypt = new PGPDataFormat();
pgpEncrypt.setKeyFileName(keyFileName);
pgpEncrypt.setKeyUserid(keyUserid);
pgpEncrypt.setProvider(getProvider());
pgpEncrypt.setAlgorithm(getAlgorithm());
pgpEncrypt.setCompressionAlgorithm(getCompressionAlgorithm());
PGPDataFormat pgpDecrypt = new PGPDataFormat();
pgpDecrypt.setKeyFileName(keyFileNameSec);
pgpDecrypt.setPassword(keyPassword);
pgpDecrypt.setProvider(getProvider());
pgpDecrypt.setSignatureVerificationOption(PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_NO_SIGNATURE_ALLOWED);
from("direct:inline2").marshal(pgpEncrypt).to("mock:encrypted").unmarshal(pgpDecrypt).to("mock:unencrypted");
from("direct:inline-armor").marshal().pgp(keyFileName, keyUserid, null, true, true).to("mock:encrypted").unmarshal()
.pgp(keyFileNameSec, null, keyPassword, true, true).to("mock:unencrypted");
// END SNIPPET: pgp-format-header
// START SNIPPET: pgp-format-signature
PGPDataFormat pgpSignAndEncrypt = new PGPDataFormat();
pgpSignAndEncrypt.setKeyFileName(keyFileName);
pgpSignAndEncrypt.setKeyUserid(keyUserid);
pgpSignAndEncrypt.setSignatureKeyFileName(keyFileNameSec);
PGPPassphraseAccessor passphraseAccessor = getPassphraseAccessor();
pgpSignAndEncrypt.setSignatureKeyUserid("Super <sdude@nowhere.net>"); // must be the exact user Id because passphrase is searched in accessor
pgpSignAndEncrypt.setPassphraseAccessor(passphraseAccessor);
pgpSignAndEncrypt.setProvider(getProvider());
pgpSignAndEncrypt.setAlgorithm(getAlgorithm());
pgpSignAndEncrypt.setHashAlgorithm(getHashAlgorithm());
pgpSignAndEncrypt.setCompressionAlgorithm(getCompressionAlgorithm());
PGPDataFormat pgpVerifyAndDecrypt = new PGPDataFormat();
pgpVerifyAndDecrypt.setKeyFileName(keyFileNameSec);
pgpVerifyAndDecrypt.setPassword(keyPassword);
pgpVerifyAndDecrypt.setSignatureKeyFileName(keyFileName);
pgpVerifyAndDecrypt.setProvider(getProvider());
pgpVerifyAndDecrypt.setSignatureKeyUserid(keyUserid); // restrict verification to public keys with certain User ID
from("direct:inline-sign").marshal(pgpSignAndEncrypt).to("mock:encrypted").unmarshal(pgpVerifyAndDecrypt)
.to("mock:unencrypted");
// END SNIPPET: pgp-format-signature
// test verifying exception, no public key found corresponding to signature key userIds
from("direct:verify_exception_sig_userids").marshal(pgpSignAndEncrypt).to("mock:encrypted")
.setHeader(PGPKeyAccessDataFormat.SIGNATURE_KEY_USERIDS).constant(Arrays.asList(new String[] {"wrong1", "wrong2" }))
.setHeader(PGPKeyAccessDataFormat.SIGNATURE_KEY_USERID).constant("wrongUserID").unmarshal(pgpVerifyAndDecrypt)
.to("mock:unencrypted");
/* ---- key ring as byte array -- */
// START SNIPPET: pgp-format-key-ring-byte-array
PGPDataFormat pgpEncryptByteArray = new PGPDataFormat();
pgpEncryptByteArray.setEncryptionKeyRing(getPublicKeyRing());
pgpEncryptByteArray.setKeyUserids(getKeyUserIds());
pgpEncryptByteArray.setProvider(getProvider());
pgpEncryptByteArray.setAlgorithm(SymmetricKeyAlgorithmTags.DES);
pgpEncryptByteArray.setCompressionAlgorithm(CompressionAlgorithmTags.UNCOMPRESSED);
PGPDataFormat pgpDecryptByteArray = new PGPDataFormat();
pgpDecryptByteArray.setEncryptionKeyRing(getSecKeyRing());
pgpDecryptByteArray.setPassphraseAccessor(passphraseAccessor);
pgpDecryptByteArray.setProvider(getProvider());
from("direct:key-ring-byte-array").streamCaching().marshal(pgpEncryptByteArray).to("mock:encrypted")
.unmarshal(pgpDecryptByteArray).to("mock:unencrypted");
// END SNIPPET: pgp-format-key-ring-byte-array
// START SNIPPET: pgp-format-signature-key-ring-byte-array
PGPDataFormat pgpSignAndEncryptByteArray = new PGPDataFormat();
pgpSignAndEncryptByteArray.setKeyUserid(keyUserid);
pgpSignAndEncryptByteArray.setSignatureKeyRing(getSecKeyRing());
pgpSignAndEncryptByteArray.setSignatureKeyUserid(keyUserid);
pgpSignAndEncryptByteArray.setSignaturePassword(keyPassword);
pgpSignAndEncryptByteArray.setProvider(getProvider());
pgpSignAndEncryptByteArray.setAlgorithm(SymmetricKeyAlgorithmTags.BLOWFISH);
pgpSignAndEncryptByteArray.setHashAlgorithm(HashAlgorithmTags.RIPEMD160);
pgpSignAndEncryptByteArray.setCompressionAlgorithm(CompressionAlgorithmTags.ZLIB);
PGPDataFormat pgpVerifyAndDecryptByteArray = new PGPDataFormat();
pgpVerifyAndDecryptByteArray.setPassphraseAccessor(passphraseAccessor);
pgpVerifyAndDecryptByteArray.setEncryptionKeyRing(getSecKeyRing());
pgpVerifyAndDecryptByteArray.setProvider(getProvider());
// restrict verification to public keys with certain User ID
pgpVerifyAndDecryptByteArray.setSignatureKeyUserids(getSignatureKeyUserIds());
pgpVerifyAndDecryptByteArray.setSignatureVerificationOption(PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_REQUIRED);
from("direct:sign-key-ring-byte-array").streamCaching()
// encryption key ring can also be set as header
.setHeader(PGPDataFormat.ENCRYPTION_KEY_RING).constant(getPublicKeyRing()).marshal(pgpSignAndEncryptByteArray)
// it is recommended to remove the header immediately when it is no longer needed
.removeHeader(PGPDataFormat.ENCRYPTION_KEY_RING).to("mock:encrypted")
// signature key ring can also be set as header
.setHeader(PGPDataFormat.SIGNATURE_KEY_RING).constant(getPublicKeyRing()).unmarshal(pgpVerifyAndDecryptByteArray)
// it is recommended to remove the header immediately when it is no longer needed
.removeHeader(PGPDataFormat.SIGNATURE_KEY_RING).to("mock:unencrypted");
// END SNIPPET: pgp-format-signature-key-ring-byte-array
// START SNIPPET: pgp-format-several-signer-keys
PGPDataFormat pgpSignAndEncryptSeveralSignerKeys = new PGPDataFormat();
pgpSignAndEncryptSeveralSignerKeys.setKeyUserid(keyUserid);
pgpSignAndEncryptSeveralSignerKeys.setEncryptionKeyRing(getPublicKeyRing());
pgpSignAndEncryptSeveralSignerKeys.setSignatureKeyRing(getSecKeyRing());
List<String> signerUserIds = new ArrayList<String>();
signerUserIds.add("Third (comment third) <email@third.com>");
signerUserIds.add("Second <email@second.com>");
pgpSignAndEncryptSeveralSignerKeys.setSignatureKeyUserids(signerUserIds);
Map<String, String> userId2Passphrase = new HashMap<String, String>();
userId2Passphrase.put("Third (comment third) <email@third.com>", "sdude");
userId2Passphrase.put("Second <email@second.com>", "sdude");
PGPPassphraseAccessor passphraseAccessorSeveralKeys = new DefaultPGPPassphraseAccessor(userId2Passphrase);
pgpSignAndEncryptSeveralSignerKeys.setPassphraseAccessor(passphraseAccessorSeveralKeys);
PGPDataFormat pgpVerifyAndDecryptSeveralSignerKeys = new PGPDataFormat();
pgpVerifyAndDecryptSeveralSignerKeys.setPassphraseAccessor(passphraseAccessor);
pgpVerifyAndDecryptSeveralSignerKeys.setEncryptionKeyRing(getSecKeyRing());
pgpVerifyAndDecryptSeveralSignerKeys.setSignatureKeyRing(getPublicKeyRing());
pgpVerifyAndDecryptSeveralSignerKeys.setProvider(getProvider());
// only specify one expected signature
List<String> expectedSigUserIds = new ArrayList<String>();
expectedSigUserIds.add("Second <email@second.com>");
pgpVerifyAndDecryptSeveralSignerKeys.setSignatureKeyUserids(expectedSigUserIds);
from("direct:several-signer-keys").streamCaching().marshal(pgpSignAndEncryptSeveralSignerKeys).to("mock:encrypted")
.unmarshal(pgpVerifyAndDecryptSeveralSignerKeys).to("mock:unencrypted");
// END SNIPPET: pgp-format-several-signer-keys
// test encryption by several key and signing by serveral keys where the keys are specified by one User ID part
PGPDataFormat pgpSignAndEncryptOneUserIdWithServeralKeys = new PGPDataFormat();
pgpSignAndEncryptOneUserIdWithServeralKeys.setEncryptionKeyRing(getPublicKeyRing());
pgpSignAndEncryptOneUserIdWithServeralKeys.setSignatureKeyRing(getSecKeyRing());
// the two private keys have the same password therefore we do not need a passphrase accessor
pgpSignAndEncryptOneUserIdWithServeralKeys.setPassword(getKeyPassword());
PGPDataFormat pgpVerifyAndDecryptOneUserIdWithServeralKeys = new PGPDataFormat();
pgpVerifyAndDecryptOneUserIdWithServeralKeys.setPassword(getKeyPassword());
pgpVerifyAndDecryptOneUserIdWithServeralKeys.setEncryptionKeyRing(getSecKeyRing());
pgpVerifyAndDecryptOneUserIdWithServeralKeys.setSignatureKeyRing(getPublicKeyRing());
pgpVerifyAndDecryptOneUserIdWithServeralKeys.setProvider(getProvider());
pgpVerifyAndDecryptOneUserIdWithServeralKeys.setSignatureKeyUserids(expectedSigUserIds);
from("direct:one-userid-several-keys")
// there are two keys which have a User ID which contains the string "econd"
.setHeader(PGPKeyAccessDataFormat.KEY_USERID)
.constant("econd")
.setHeader(PGPKeyAccessDataFormat.SIGNATURE_KEY_USERID)
.constant("econd")
.marshal(pgpSignAndEncryptOneUserIdWithServeralKeys)
// it is recommended to remove the header immediately when it is no longer needed
.removeHeader(PGPKeyAccessDataFormat.KEY_USERID)
.removeHeader(PGPKeyAccessDataFormat.SIGNATURE_KEY_USERID)
.to("mock:encrypted")
// only specify one expected signature key, to check the first signature
.setHeader(PGPKeyAccessDataFormat.SIGNATURE_KEY_USERID)
.constant("Second <email@second.com>")
.unmarshal(pgpVerifyAndDecryptOneUserIdWithServeralKeys)
// do it again but now check the second signature key
// there are two keys which have a User ID which contains the string "econd"
.setHeader(PGPKeyAccessDataFormat.KEY_USERID).constant("econd").setHeader(PGPKeyAccessDataFormat.SIGNATURE_KEY_USERID)
.constant("econd").marshal(pgpSignAndEncryptOneUserIdWithServeralKeys)
// it is recommended to remove the header immediately when it is no longer needed
.removeHeader(PGPKeyAccessDataFormat.KEY_USERID).removeHeader(PGPKeyAccessDataFormat.SIGNATURE_KEY_USERID)
// only specify one expected signature key, to check the second signature
.setHeader(PGPKeyAccessDataFormat.SIGNATURE_KEY_USERID).constant("Third (comment third) <email@third.com>")
.unmarshal(pgpVerifyAndDecryptOneUserIdWithServeralKeys).to("mock:unencrypted");
}
}, new RouteBuilder() {
public void configure() throws Exception {
onException(Exception.class).handled(true).to("mock:exception");
from("direct:keyflag").marshal(encryptor).to("mock:encrypted_keyflag");
// test that the correct subkey is selected during decrypt and verify
from("direct:subkey").marshal(encryptor).to("mock:encrypted").unmarshal(decryptor).to("mock:unencrypted");
from("direct:subkeyUnmarshal").unmarshal(decryptor).to("mock:unencrypted");
}
}, new RouteBuilder() {
public void configure() throws Exception {
PGPPublicKeyAccessor publicKeyAccessor = new DefaultPGPPublicKeyAccessor(getPublicKeyRing());
//password cannot be set dynamically!
PGPSecretKeyAccessor secretKeyAccessor = new DefaultPGPSecretKeyAccessor(getSecKeyRing(), "sdude", getProvider());
PGPKeyAccessDataFormat dfEncryptSignKeyAccess = new PGPKeyAccessDataFormat();
dfEncryptSignKeyAccess.setPublicKeyAccessor(publicKeyAccessor);
dfEncryptSignKeyAccess.setSecretKeyAccessor(secretKeyAccessor);
dfEncryptSignKeyAccess.setKeyUserid(getKeyUserId());
dfEncryptSignKeyAccess.setSignatureKeyUserid(getKeyUserId());
PGPKeyAccessDataFormat dfDecryptVerifyKeyAccess = new PGPKeyAccessDataFormat();
dfDecryptVerifyKeyAccess.setPublicKeyAccessor(publicKeyAccessor);
dfDecryptVerifyKeyAccess.setSecretKeyAccessor(secretKeyAccessor);
dfDecryptVerifyKeyAccess.setSignatureKeyUserid(getKeyUserId());
from("direct:key_access").marshal(dfEncryptSignKeyAccess).to("mock:encrypted").unmarshal(dfDecryptVerifyKeyAccess)
.to("mock:unencrypted");
}
}, new RouteBuilder() {
public void configure() throws Exception {
// START SNIPPET: pgp-encrypt-sign-without-compressed-data-packet
PGPDataFormat pgpEncryptSign = new PGPDataFormat();
pgpEncryptSign.setKeyUserid(getKeyUserId());
pgpEncryptSign.setSignatureKeyRing(getSecKeyRing());
pgpEncryptSign.setSignatureKeyUserid(getKeyUserId());
pgpEncryptSign.setSignaturePassword(getKeyPassword());
pgpEncryptSign.setProvider(getProvider());
pgpEncryptSign.setAlgorithm(SymmetricKeyAlgorithmTags.BLOWFISH);
pgpEncryptSign.setHashAlgorithm(HashAlgorithmTags.RIPEMD160);
// without compressed data packet
pgpEncryptSign.setWithCompressedDataPacket(false);
PGPDataFormat pgpVerifyAndDecryptByteArray = new PGPDataFormat();
pgpVerifyAndDecryptByteArray.setPassphraseAccessor(getPassphraseAccessor());
pgpVerifyAndDecryptByteArray.setEncryptionKeyRing(getSecKeyRing());
pgpVerifyAndDecryptByteArray.setProvider(getProvider());
// restrict verification to public keys with certain User ID
pgpVerifyAndDecryptByteArray.setSignatureKeyUserids(getSignatureKeyUserIds());
pgpVerifyAndDecryptByteArray.setSignatureVerificationOption(PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_REQUIRED);
from("direct:encrypt-sign-without-compressed-data-packet").streamCaching()
// encryption key ring can also be set as header
.setHeader(PGPDataFormat.ENCRYPTION_KEY_RING).constant(getPublicKeyRing()).marshal(pgpEncryptSign)
// it is recommended to remove the header immediately when it is no longer needed
.removeHeader(PGPDataFormat.ENCRYPTION_KEY_RING).to("mock:encrypted")
// signature key ring can also be set as header
.setHeader(PGPDataFormat.SIGNATURE_KEY_RING).constant(getPublicKeyRing()).unmarshal(pgpVerifyAndDecryptByteArray)
// it is recommended to remove the header immediately when it is no longer needed
.removeHeader(PGPDataFormat.SIGNATURE_KEY_RING).to("mock:unencrypted");
// END SNIPPET: pgp-encrypt-sign-without-compressed-data-packet
}
}};
}
public static byte[] getPublicKeyRing() throws Exception {
return getKeyRing(PUB_KEY_RING_FILE_NAME);
}
public static byte[] getSecKeyRing() throws Exception {
return getKeyRing(SEC_KEY_RING_FILE_NAME);
}
private static byte[] getKeyRing(String fileName) throws IOException {
InputStream is = PGPDataFormatTest.class.getClassLoader().getResourceAsStream(fileName);
ByteArrayOutputStream output = new ByteArrayOutputStream();
IOHelper.copyAndCloseInput(is, output);
output.close();
return output.toByteArray();
}
public static PGPPassphraseAccessor getPassphraseAccessor() {
Map<String, String> userId2Passphrase = Collections.singletonMap("Super <sdude@nowhere.net>", "sdude");
PGPPassphraseAccessor passphraseAccessor = new DefaultPGPPassphraseAccessor(userId2Passphrase);
return passphraseAccessor;
}
public static void checkThrownException(MockEndpoint mock, Class<? extends Exception> cl,
Class<? extends Exception> expectedCauseClass, String expectedMessagePart) throws Exception {
Exception e = (Exception) mock.getExchanges().get(0).getProperty(Exchange.EXCEPTION_CAUGHT);
assertNotNull("Expected excpetion " + cl.getName() + " missing", e);
if (e.getClass() != cl) {
String stackTrace = getStrackTrace(e);
fail("Exception " + cl.getName() + " excpected, but was " + e.getClass().getName() + ": " + stackTrace);
}
if (expectedMessagePart != null) {
if (e.getMessage() == null) {
fail("Expected excption does not contain a message. Stack trace: " + getStrackTrace(e));
} else {
if (!e.getMessage().contains(expectedMessagePart)) {
fail("Expected excption message does not contain a expected message part " + expectedMessagePart + ". Stack trace: "
+ getStrackTrace(e));
}
}
}
if (expectedCauseClass != null) {
Throwable cause = e.getCause();
assertNotNull("Expected cause exception" + expectedCauseClass.getName() + " missing", cause);
if (expectedCauseClass != cause.getClass()) {
fail("Cause exception " + expectedCauseClass.getName() + " expected, but was " + cause.getClass().getName() + ": "
+ getStrackTrace(e));
}
}
}
public static String getStrackTrace(Exception e) throws UnsupportedEncodingException {
ByteArrayOutputStream os = new ByteArrayOutputStream();
PrintWriter w = new PrintWriter(os);
e.printStackTrace(w);
w.close();
String stackTrace = new String(os.toByteArray(), "UTF-8");
return stackTrace;
}
}