I am willing to spend some amount of time developing yet another license manager for a desktop Java application. After some looking around I discovered JCPUID by Iakin, which is free to use and should work on most operating systems with the native libs that I found here.
My idea is to do two modules: a main application that will show a popup window with the CPU ID and a verification text field, and a key generator app. The user will pass the CPU ID to the keygen owner, who will return a verification code (generated with the keygen) to the user. After the user submits the correct verification code, a license file with that code will be created on the filesystem. Every time the application starts up, it will check the existence and correctness of that file and load the main application screen after that.
As for code verification, I think the best option will be to use asymmetric cryptography, in particular RSA. The public key will be built into the application and the secret key will be built into the key generator. So the CPU ID will be passed to the key generator owner and then signed with RSA. That signature will be transferred back to the user, who will verify its validity with the built-in public key.
I generated gpg key pairs using Kleopatra and the gpg Linux command-line tool itself. Then I tried to sign something using this method:

    private byte[] createSignature(byte[] file) {
        byte[] signature = null;
        try {
            java.security.KeyStore keyStoreFile = java.security.KeyStore
                    .getInstance("PKCS12");
            keyStoreFile.load(getClass().getClassLoader().getResourceAsStream("/secret.asc"),
                    "******".toCharArray());
            PrivateKey privateKey = (PrivateKey) keyStoreFile.getKey(
                    "My Name Here", "******".toCharArray());
            Signature dsa = Signature.getInstance("SHA1withRSA");
            dsa.initSign(privateKey);
            dsa.update(file, 0, file.length);
            signature = dsa.sign();
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        return signature;
    }

But the privateKey initialization throws an exception:

    java.security.InvalidKeyException: Key must not be null

I guess it's because of the wrong instance format here:

    java.security.KeyStore keyStoreFile = java.security.KeyStore
            .getInstance("PKCS12");

I would like to know:
How good is this approach at all?
What differences exist between the different OpenPGP key formats, and which will be the best to use in this case? How to know the format of an existing OpenPGP file?
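
The sign-then-verify flow described in the question, as an added example that is not part of the original post: the keygen signs the CPU ID and the application checks the returned code against an embedded public key. It assumes an RSA key pair generated in-process with the standard JCA classes instead of one loaded from a GPG export, uses SHA256withRSA in place of the post's SHA1withRSA, and the class name, method names and CPU ID value are made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class LicenseSignatureDemo {   // hypothetical class name

    // Keygen side: sign the machine identifier with the private key.
    static String issueCode(PrivateKey priv, String cpuId) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(cpuId.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Application side: rebuild the embedded public key (Base64 of its
    // X.509 encoding) and verify the code against the local CPU ID.
    static boolean verifyCode(String embeddedPubB64, String cpuId, String code) {
        try {
            PublicKey pub = KeyFactory.getInstance("RSA").generatePublic(
                    new X509EncodedKeySpec(Base64.getDecoder().decode(embeddedPubB64)));
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(pub);
            s.update(cpuId.getBytes(StandardCharsets.UTF_8));
            return s.verify(Base64.getDecoder().decode(code));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed or invalid code: treat as unlicensed
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: key pair created here; a real keygen would keep the
        // private key offline and ship only the public half in the app.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String embeddedPub = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());

        String cpuId = "BFEBFBFF000306A9"; // constructed sample value
        String code = issueCode(kp.getPrivate(), cpuId);

        System.out.println("same machine:      " + verifyCode(embeddedPub, cpuId, code));
        System.out.println("different machine: " + verifyCode(embeddedPub, "0000000000000000", code));
        System.out.println("garbage code:      " + verifyCode(embeddedPub, cpuId, "not-base64!"));
    }
}
```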