Package org.pgpainless.decryption_verification

Class ConsumerOptions

java.lang.Object

org.pgpainless.decryption_verification.ConsumerOptions

public class ConsumerOptions
extends Object

Options for decryption and signature verification.

Constructor Summary

Constructors

Constructor	Description
ConsumerOptions()

Method Summary

Modifier and Type	Method	Description
ConsumerOptions	addDecryptionKey(org.bouncycastle.openpgp.PGPSecretKeyRing key)	Add a key for message decryption.
ConsumerOptions	addDecryptionKey(org.bouncycastle.openpgp.PGPSecretKeyRing key, SecretKeyRingProtector keyRingProtector)	Add a key for message decryption.
ConsumerOptions	addDecryptionKeys(org.bouncycastle.openpgp.PGPSecretKeyRingCollection keys, SecretKeyRingProtector keyRingProtector)	Add the keys in the provided key collection for message decryption.
ConsumerOptions	addDecryptionPassphrase(Passphrase passphrase)	Add a passphrase for message decryption.
ConsumerOptions	addVerificationCert(org.bouncycastle.openpgp.PGPPublicKeyRing verificationCert)	Add a certificate (public key ring) for signature verification.
ConsumerOptions	addVerificationCerts(org.bouncycastle.openpgp.PGPPublicKeyRingCollection verificationCerts)	Add a set of certificates (public key rings) for signature verification.
ConsumerOptions	addVerificationOfDetachedSignature(org.bouncycastle.openpgp.PGPSignature detachedSignature)	Add a detached signature for the signature verification process.
ConsumerOptions	addVerificationOfDetachedSignatures(InputStream signatureInputStream)
ConsumerOptions	addVerificationOfDetachedSignatures(List<org.bouncycastle.openpgp.PGPSignature> detachedSignatures)
Set<org.bouncycastle.openpgp.PGPPublicKeyRing>	getCertificates()
Set<org.bouncycastle.openpgp.PGPSecretKeyRing>	getDecryptionKeys()
Set<Passphrase>	getDecryptionPassphrases()
Set<org.bouncycastle.openpgp.PGPSignature>	getDetachedSignatures()
MissingPublicKeyCallback	getMissingCertificateCallback()
MultiPassStrategy	getMultiPassStrategy()	Return the currently configured MultiPassStrategy.
SecretKeyRingProtector	getSecretKeyProtector(org.bouncycastle.openpgp.PGPSecretKeyRing decryptionKeyRing)
SessionKey	getSessionKey()	Return the session key.
Date	getVerifyNotAfter()	Return the latest possible creation date on which signatures made on the message are considered valid.
Date	getVerifyNotBefore()	Return the earliest creation date on which signatures on the message are considered valid.
boolean	isCleartextSigned()	Return true if the message is cleartext signed.
ConsumerOptions	setIgnoreMDCErrors(boolean ignoreMDCErrors)	Deprecated.
void	setIsCleartextSigned()	INTERNAL method to mark cleartext signed messages.
ConsumerOptions	setMissingCertificateCallback(MissingPublicKeyCallback callback)	Set a callback that's used when a certificate (public key) is missing for signature verification.
ConsumerOptions	setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy strategy)	Specify the MissingKeyPassphraseStrategy.
ConsumerOptions	setMultiPassStrategy(MultiPassStrategy multiPassStrategy)	Set a custom multi-pass strategy for processing cleartext-signed messages.
ConsumerOptions	setSessionKey(SessionKey sessionKey)	Attempt decryption using a session key.
ConsumerOptions	verifyNotAfter(Date timestamp)	Consider signatures on the message made after the given timestamp invalid.
ConsumerOptions	verifyNotBefore(Date timestamp)	Consider signatures on the message made before the given timestamp invalid.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ConsumerOptions

public ConsumerOptions()

Method Detail

verifyNotBefore

public ConsumerOptions verifyNotBefore(Date timestamp)

Consider signatures on the message made before the given timestamp invalid. Null means no limitation.

Parameters:

timestamp - timestamp

Returns:

options

getVerifyNotBefore

@Nullable
public Date getVerifyNotBefore()

Return the earliest creation date on which signatures on the message are considered valid. Signatures made earlier than this date are considered invalid.

Returns:

earliest allowed signature creation date or null

verifyNotAfter

public ConsumerOptions verifyNotAfter(Date timestamp)

Consider signatures on the message made after the given timestamp invalid. Null means no limitation.

Parameters:

timestamp - timestamp

Returns:

options

getVerifyNotAfter

public Date getVerifyNotAfter()

Return the latest possible creation date on which signatures made on the message are considered valid. Signatures made later than this date are considered invalid.

Returns:

Latest possible creation date or null.

addVerificationCert

public ConsumerOptions addVerificationCert(org.bouncycastle.openpgp.PGPPublicKeyRing verificationCert)

Add a certificate (public key ring) for signature verification.

Parameters:

verificationCert - certificate for signature verification

Returns:

options

addVerificationCerts

public ConsumerOptions addVerificationCerts(org.bouncycastle.openpgp.PGPPublicKeyRingCollection verificationCerts)

Add a set of certificates (public key rings) for signature verification.

Parameters:

verificationCerts - certificates for signature verification

Returns:

options

addVerificationOfDetachedSignatures

public ConsumerOptions addVerificationOfDetachedSignatures(InputStream signatureInputStream)
                                                    throws IOException,
                                                           org.bouncycastle.openpgp.PGPException

Throws:

IOException

org.bouncycastle.openpgp.PGPException

addVerificationOfDetachedSignatures

public ConsumerOptions addVerificationOfDetachedSignatures(List<org.bouncycastle.openpgp.PGPSignature> detachedSignatures)

addVerificationOfDetachedSignature

public ConsumerOptions addVerificationOfDetachedSignature(org.bouncycastle.openpgp.PGPSignature detachedSignature)

Add a detached signature for the signature verification process.

Parameters:

detachedSignature - detached signature

Returns:

options

setMissingCertificateCallback

public ConsumerOptions setMissingCertificateCallback(MissingPublicKeyCallback callback)

Set a callback that's used when a certificate (public key) is missing for signature verification.

Parameters:

callback - callback

Returns:

options

setSessionKey

public ConsumerOptions setSessionKey(@Nonnull
                                     SessionKey sessionKey)

Attempt decryption using a session key. Note: PGPainless does not yet support decryption with session keys.

Parameters:

sessionKey - session key

Returns:

options

See Also:

RFC4880 on Session Keys

getSessionKey

@Nullable
public SessionKey getSessionKey()

Return the session key.

Returns:

session key or null

addDecryptionKey

public ConsumerOptions addDecryptionKey(@Nonnull
                                        org.bouncycastle.openpgp.PGPSecretKeyRing key)

Add a key for message decryption. The key is expected to be unencrypted.

Parameters:

key - unencrypted key

Returns:

options

addDecryptionKey

public ConsumerOptions addDecryptionKey(@Nonnull
                                        org.bouncycastle.openpgp.PGPSecretKeyRing key,
                                        @Nonnull
                                        SecretKeyRingProtector keyRingProtector)

Add a key for message decryption. If the key is encrypted, the SecretKeyRingProtector is used to decrypt it when needed.

Parameters:

key - key

keyRingProtector - protector for the secret key

Returns:

options

addDecryptionKeys

public ConsumerOptions addDecryptionKeys(@Nonnull
                                         org.bouncycastle.openpgp.PGPSecretKeyRingCollection keys,
                                         @Nonnull
                                         SecretKeyRingProtector keyRingProtector)

Add the keys in the provided key collection for message decryption.

Parameters:

keys - key collection

keyRingProtector - protector for encrypted secret keys

Returns:

options

addDecryptionPassphrase

public ConsumerOptions addDecryptionPassphrase(@Nonnull
                                               Passphrase passphrase)

Add a passphrase for message decryption. This passphrase will be used to try to decrypt messages which were symmetrically encrypted for a passphrase.

Parameters:

passphrase - passphrase

Returns:

options

See Also:

Symmetrically Encrypted Data Packet

getDecryptionKeys

@Nonnull
public Set<org.bouncycastle.openpgp.PGPSecretKeyRing> getDecryptionKeys()

getDecryptionPassphrases

@Nonnull
public Set<Passphrase> getDecryptionPassphrases()

getCertificates

@Nonnull
public Set<org.bouncycastle.openpgp.PGPPublicKeyRing> getCertificates()

getMissingCertificateCallback

@Nullable
public MissingPublicKeyCallback getMissingCertificateCallback()

getSecretKeyProtector

@Nonnull
public SecretKeyRingProtector getSecretKeyProtector(org.bouncycastle.openpgp.PGPSecretKeyRing decryptionKeyRing)

getDetachedSignatures

@Nonnull
public Set<org.bouncycastle.openpgp.PGPSignature> getDetachedSignatures()

setIgnoreMDCErrors

@Deprecated
public ConsumerOptions setIgnoreMDCErrors(boolean ignoreMDCErrors)

Deprecated.

By default, PGPainless will require encrypted messages to make use of SEIP data packets. Those are Symmetrically Encrypted Integrity Protected Data packets. Symmetrically Encrypted Data Packets without integrity protection are rejected by default. Furthermore, PGPainless will throw an exception if verification of the MDC error detection code of the SEIP packet fails. Failure of MDC verification indicates a tampered ciphertext, which might be the cause of an attack or data corruption. This method can be used to ignore MDC errors and allow PGPainless to consume encrypted data without integrity protection. If the flag

ignoreMDCErrors

is set to true, PGPainless will

• not throw exceptions for SEIP packets with tampered ciphertext
• not throw exceptions for SEIP packets with tampered MDC
• not throw exceptions for MDCs with bad CTB
• not throw exceptions for MDCs with bad length

It will however still throw an exception if it encounters a SEIP packet with missing or truncated MDC

Parameters:

ignoreMDCErrors - true if MDC errors or missing MDCs shall be ignored, false otherwise.

Returns:

options

See Also:

Sym. Encrypted Integrity Protected Data Packet

setMissingKeyPassphraseStrategy

public ConsumerOptions setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy strategy)

Specify the MissingKeyPassphraseStrategy. This strategy defines, how missing passphrases for unlocking secret keys are handled. In interactive mode (MissingKeyPassphraseStrategy.INTERACTIVE) PGPainless will try to obtain missing passphrases for secret keys via the SecretKeyRingProtectors SecretKeyPassphraseProvider callback. In non-interactice mode (MissingKeyPassphraseStrategy.THROW_EXCEPTION, PGPainless will instead throw a MissingPassphraseException containing the ids of all keys for which there are missing passphrases.

Parameters:

strategy - strategy

Returns:

options

setMultiPassStrategy

public ConsumerOptions setMultiPassStrategy(@Nonnull
                                            MultiPassStrategy multiPassStrategy)

Set a custom multi-pass strategy for processing cleartext-signed messages. Uses InMemoryMultiPassStrategy by default.

Parameters:

multiPassStrategy - multi-pass caching strategy

Returns:

builder

getMultiPassStrategy

public MultiPassStrategy getMultiPassStrategy()

Return the currently configured MultiPassStrategy. Defaults to InMemoryMultiPassStrategy.

Returns:

multi-pass strategy

setIsCleartextSigned

public void setIsCleartextSigned()

INTERNAL method to mark cleartext signed messages. Do not call this manually.

isCleartextSigned

public boolean isCleartextSigned()

Return true if the message is cleartext signed.

Returns:

cleartext signed