Verify

When we receive a signed-only OpenPGP file from a partner, we can either decrypt it with an arbitrary key, which ignores the digital signature, or verify the signature and extract the data.


The examples below show how to verify the digital signature and extract the data in one pass with OpenPGP Library for Java. For the verification we use the public key of the sender.


1) Verify a signed file with the sender's public key located in a file on the disk.


This example assumes that the file signed.pgp was only signed with the private key of the sender. Note that this is different from sign and encrypt in one pass.


import com.didisoft.pgp.PGPLib;

public class VerifyFile {
  public static void main(String[] args) throws Exception {
    // create an instance of the library
    PGPLib pgp = new PGPLib();

    // verify the signature with the sender's public key and extract the data
    boolean validSignature = pgp.verifyFile("signed.pgp", "public.key", "OUTPUT.txt");

    if (validSignature) {
      System.out.println("Signature is valid.");
    } else {
      System.out.println("Signature is invalid!");
    }
  }
}


2) Verify signed file with sender public key located in a KeyStore.


In this example the library tries to verify the digital signature in the received file against the public keys we have previously imported into our KeyStore file. If the public key of the sender is not present in this KeyStore, the verification will fail, but the embedded file will be extracted anyway.


import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.PGPLib;

public class KeyStoreVerifyFile {
  public static void main(String[] args) throws Exception {
    // create an instance of the KeyStore
    KeyStore keyStore = new KeyStore("pgp.keystore", "changeit");

    // initialize the library
    PGPLib pgp = new PGPLib();

    // verify
    boolean validSignature = pgp.verifyFile("signed.pgp",
                                            keyStore,
                                            "OUTPUT.txt");

    if (validSignature) {
      System.out.println("Signature is valid.");
    } else {
      System.out.println("Signature is invalid!");
    }
  }
}


3) Verify signed stream data with the sender's public key located in a file on the disk.


In the example below the signed data is supplied as a file stream but it can be any kind of input stream.


import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;

import com.didisoft.pgp.PGPLib;

public class VerifyStream {
  public static void main(String[] args) throws Exception {
    PGPLib pgp = new PGPLib();

    boolean validSignature;
    // try-with-resources closes all three streams when verification finishes
    try (InputStream signedStream = new FileInputStream("signed.pgp");
         InputStream senderPublicKeyStream = new FileInputStream("public.key");
         OutputStream outputStream = new FileOutputStream("OUTPUT.txt")) {
      validSignature = pgp.verifyStream(signedStream, senderPublicKeyStream, outputStream);
    }

    if (validSignature) {
      System.out.println("Signature is valid.");
    } else {
      System.out.println("Signature is invalid!");
    }
  }
}


4) Verify signed stream data with sender public key located in a KeyStore.


The example below checks signed-only stream data against the public keys located in a KeyStore file. Even if none of the public keys can decode the OpenPGP digital signature packet, the content of the signed input stream is still extracted into the destination output stream.


import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;

import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.PGPLib;

public class KeyStoreVerifyStream {
  public static void main(String[] args) throws Exception {
    // create an instance of the KeyStore
    KeyStore keyStore = new KeyStore("pgp.keystore", "changeit");

    // initialize the library
    PGPLib pgp = new PGPLib();

    boolean validSignature;
    // obtain the signed stream and specify the decrypted output stream;
    // try-with-resources closes both when verification finishes
    try (InputStream signedStream = new FileInputStream("signed.pgp");
         OutputStream decryptedStream = new FileOutputStream("OUTPUT.txt")) {
      validSignature = pgp.verifyStream(signedStream,
                                        keyStore,
                                        decryptedStream);
    }

    if (validSignature) {
      System.out.println("Signature is valid.");
    } else {
      System.out.println("Signature is invalid!");
    }
  }
}
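

Because examples 2 and 4 extract the embedded data even when verification fails, the output file exists whether or not the signature was valid. The following is an added example, not code from the library or its documentation, that extracts into a temporary file and publishes it only after verifyFile returns true. The class FailClosedVerify and the helper verifyOrDiscard are hypothetical names; the library calls are the ones shown in example 2.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;

import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.PGPException;
import com.didisoft.pgp.PGPLib;

public class FailClosedVerify {

  /**
   * Hypothetical helper (not part of the library): extracts into a temporary
   * file and moves it to 'destination' only if the signature verified.
   */
  static boolean verifyOrDiscard(PGPLib pgp, KeyStore keyStore,
                                 String signedFile, Path destination)
      throws IOException, PGPException {
    // Temp file in the destination directory so the final move stays on one file system
    Path dir = destination.toAbsolutePath().getParent();
    Path tmp = Files.createTempFile(dir, "unverified-", ".tmp");
    try {
      // verifyFile writes the embedded data to tmp even when it returns false
      boolean valid = pgp.verifyFile(signedFile, keyStore, tmp.toString());
      if (valid) {
        Files.move(tmp, destination, StandardCopyOption.REPLACE_EXISTING);
      }
      return valid;
    } finally {
      // No-op after a successful move; otherwise removes the unverified data,
      // including when verifyFile threw an exception
      Files.deleteIfExists(tmp);
    }
  }

  public static void main(String[] args) throws Exception {
    KeyStore keyStore = new KeyStore("pgp.keystore", "changeit");
    PGPLib pgp = new PGPLib();

    if (verifyOrDiscard(pgp, keyStore, "signed.pgp", Paths.get("OUTPUT.txt"))) {
      System.out.println("Signature is valid, data written to OUTPUT.txt.");
    } else {
      System.out.println("Signature is invalid! Extracted data was discarded.");
    }
  }
}
```

Downstream code that reads OUTPUT.txt then only ever sees data whose signature matched a key in the KeyStore.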


5) Exception Handling


When verifying signed OpenPGP data, we can simply catch java.io.IOException and com.didisoft.pgp.PGPException.


We can also catch a number of PGPException subclasses located in the com.didisoft.pgp.exceptions package. They must be caught before PGPException.


Below is an example code snippet that shows this extended error handling:


import java.io.IOException;

import com.didisoft.pgp.*;
import com.didisoft.pgp.exceptions.*;

public class ExceptionHandlingDemo {
  public static void main(String[] a) {
    PGPLib pgp = new PGPLib();
    try {
      // any of the verify methods shown above; verifyFile from example 1 is used here
      pgp.verifyFile("signed.pgp", "public.key", "OUTPUT.txt");
    } catch (IOException e) {
      // error reading input or writing output
    } catch (NonPGPDataException e) {
      // the passed input is not a valid OpenPGP archive
    } catch (NoPublicKeyFoundException e) {
      // if the passed public key file does not contain a public key or is corrupted
    } catch (FileIsEncryptedException e) {
      // if the passed input is OpenPGP encrypted, it should either be extracted with
      // decrypt method call or decrypted and verified in one pass
      // with decryptAndVerify method call
    } catch (DetachedSignatureException e) {
      // the input is not a signed message, but a detached OpenPGP signature
    } catch (PGPException e) {
      // general OpenPGP error not among the above ones
    }
  }
}