Class ConsumerOptions


  • public class ConsumerOptions
    extends java.lang.Object
    Options for decryption and signature verification.
    • Constructor Detail

      • ConsumerOptions

        public ConsumerOptions()
    • Method Detail

      • verifyNotBefore

        public ConsumerOptions verifyNotBefore(java.util.Date timestamp)
        Consider signatures on the message made before the given timestamp invalid. Null means no limitation.
        Parameters:
        timestamp - timestamp
        Returns:
        options
      • getVerifyNotBefore

        @Nullable
        public java.util.Date getVerifyNotBefore()
        Return the earliest creation date on which signatures on the message are considered valid. Signatures made earlier than this date are considered invalid.
        Returns:
        earliest allowed signature creation date or null
      • verifyNotAfter

        public ConsumerOptions verifyNotAfter(java.util.Date timestamp)
        Consider signatures on the message made after the given timestamp invalid. Null means no limitation.
        Parameters:
        timestamp - timestamp
        Returns:
        options
      • getVerifyNotAfter

        public java.util.Date getVerifyNotAfter()
        Return the latest possible creation date on which signatures made on the message are considered valid. Signatures made later than this date are considered invalid.
        Returns:
        Latest possible creation date or null.
      • addVerificationCert

        public ConsumerOptions addVerificationCert(org.bouncycastle.openpgp.PGPPublicKeyRing verificationCert)
        Add a certificate (public key ring) for signature verification.
        Parameters:
        verificationCert - certificate for signature verification
        Returns:
        options
      • addVerificationCerts

        public ConsumerOptions addVerificationCerts(org.bouncycastle.openpgp.PGPPublicKeyRingCollection verificationCerts)
        Add a set of certificates (public key rings) for signature verification.
        Parameters:
        verificationCerts - certificates for signature verification
        Returns:
        options
      • addVerificationOfDetachedSignatures

        public ConsumerOptions addVerificationOfDetachedSignatures(java.io.InputStream signatureInputStream)
                                                            throws java.io.IOException,
                                                                   org.bouncycastle.openpgp.PGPException
        Throws:
        java.io.IOException
        org.bouncycastle.openpgp.PGPException
      • addVerificationOfDetachedSignatures

        public ConsumerOptions addVerificationOfDetachedSignatures(java.util.List<org.bouncycastle.openpgp.PGPSignature> detachedSignatures)
      • addVerificationOfDetachedSignature

        public ConsumerOptions addVerificationOfDetachedSignature(org.bouncycastle.openpgp.PGPSignature detachedSignature)
        Add a detached signature for the signature verification process.
        Parameters:
        detachedSignature - detached signature
        Returns:
        options
      • setMissingCertificateCallback

        public ConsumerOptions setMissingCertificateCallback(MissingPublicKeyCallback callback)
        Set a callback that's used when a certificate (public key) is missing for signature verification.
        Parameters:
        callback - callback
        Returns:
        options
      • setSessionKey

        public ConsumerOptions setSessionKey(@Nonnull
                                             byte[] sessionKey)
        Attempt decryption using a session key. Note: PGPainless does not yet support decryption with session keys. TODO: Add support for decryption using session key.
        Parameters:
        sessionKey - session key
        Returns:
        options
        See Also:
        RFC4880 on Session Keys
      • getSessionKey

        @Nullable
        public byte[] getSessionKey()
        Return the session key.
        Returns:
        session key or null
      • addDecryptionKey

        public ConsumerOptions addDecryptionKey(@Nonnull
                                                org.bouncycastle.openpgp.PGPSecretKeyRing key)
        Add a key for message decryption. The key is expected to be unencrypted.
        Parameters:
        key - unencrypted key
        Returns:
        options
      • addDecryptionKey

        public ConsumerOptions addDecryptionKey(@Nonnull
                                                org.bouncycastle.openpgp.PGPSecretKeyRing key,
                                                @Nonnull
                                                SecretKeyRingProtector keyRingProtector)
        Add a key for message decryption. If the key is encrypted, the SecretKeyRingProtector is used to decrypt it when needed.
        Parameters:
        key - key
        keyRingProtector - protector for the secret key
        Returns:
        options
      • addDecryptionKeys

        public ConsumerOptions addDecryptionKeys(@Nonnull
                                                 org.bouncycastle.openpgp.PGPSecretKeyRingCollection keys,
                                                 @Nonnull
                                                 SecretKeyRingProtector keyRingProtector)
        Add the keys in the provided key collection for message decryption.
        Parameters:
        keys - key collection
        keyRingProtector - protector for encrypted secret keys
        Returns:
        options
      • addDecryptionPassphrase

        public ConsumerOptions addDecryptionPassphrase(@Nonnull
                                                       Passphrase passphrase)
        Add a passphrase for message decryption. This passphrase will be used to try to decrypt messages which were symmetrically encrypted for a passphrase.
        Parameters:
        passphrase - passphrase
        Returns:
        options
        See Also:
        Symmetrically Encrypted Data Packet
      • getDecryptionKeys

        @Nonnull
        public java.util.Set<org.bouncycastle.openpgp.PGPSecretKeyRing> getDecryptionKeys()
      • getDecryptionPassphrases

        @Nonnull
        public java.util.Set<Passphrase> getDecryptionPassphrases()
      • getCertificates

        @Nonnull
        public java.util.Set<org.bouncycastle.openpgp.PGPPublicKeyRing> getCertificates()
      • getSecretKeyProtector

        @Nonnull
        public SecretKeyRingProtector getSecretKeyProtector(org.bouncycastle.openpgp.PGPSecretKeyRing decryptionKeyRing)
      • getDetachedSignatures

        @Nonnull
        public java.util.Set<org.bouncycastle.openpgp.PGPSignature> getDetachedSignatures()
      • setIgnoreMDCErrors

        @Deprecated
        public ConsumerOptions setIgnoreMDCErrors(boolean ignoreMDCErrors)
        Deprecated.
        By default, PGPainless will require encrypted messages to make use of SEIP data packets. Those are Symmetrically Encrypted Integrity Protected Data packets. Symmetrically Encrypted Data Packets without integrity protection are rejected by default. Furthermore, PGPainless will throw an exception if verification of the Modification Detection Code (MDC) of the SEIP packet fails. Failure of MDC verification indicates a tampered ciphertext, which might be the result of an attack or data corruption. This method can be used to ignore MDC errors and allow PGPainless to consume encrypted data without integrity protection. If the flag ignoreMDCErrors is set to true, PGPainless will
        • not throw exceptions for SEIP packets with tampered ciphertext
        • not throw exceptions for SEIP packets with tampered MDC
        • not throw exceptions for MDCs with bad CTB
        • not throw exceptions for MDCs with bad length
        It will however still throw an exception if it encounters a SEIP packet with missing or truncated MDC.
        Parameters:
        ignoreMDCErrors - true if MDC errors or missing MDCs shall be ignored, false otherwise.
        Returns:
        options
        See Also:
        Sym. Encrypted Integrity Protected Data Packet
      • setMultiPassStrategy

        public ConsumerOptions setMultiPassStrategy(@Nonnull
                                                    MultiPassStrategy multiPassStrategy)
        Set a custom multi-pass strategy for processing cleartext-signed messages. Uses InMemoryMultiPassStrategy by default.
        Parameters:
        multiPassStrategy - multi-pass caching strategy
        Returns:
        builder
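
Added example (not part of the PGPainless documentation): verifying a detached signature against a single certificate while bounding the accepted signature creation time with verifyNotBefore and verifyNotAfter. The class name DetachedSignatureCheck is hypothetical; PGPainless.decryptAndOrVerify(), DecryptionStream and OpenPgpMetadata are not documented on this page and are assumed to be the API of the PGPainless release this page belongs to.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Date;

import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.pgpainless.PGPainless;
import org.pgpainless.decryption_verification.ConsumerOptions;
import org.pgpainless.decryption_verification.DecryptionStream;
import org.pgpainless.decryption_verification.OpenPgpMetadata;

/** Hypothetical helper, written for this example only. */
public final class DetachedSignatureCheck {

    private DetachedSignatureCheck() { }

    /**
     * Returns true only if detachedSig is a valid signature over data made by
     * signerCert with a creation time inside [notBefore, notAfter].
     * A null bound means "no limitation", as stated for verifyNotBefore/verifyNotAfter.
     */
    public static boolean verify(InputStream data,
                                 InputStream detachedSig,
                                 PGPPublicKeyRing signerCert,
                                 Date notBefore,
                                 Date notAfter) throws IOException, PGPException {
        ConsumerOptions options = new ConsumerOptions()
                .addVerificationCert(signerCert)                  // only this certificate is trusted
                .addVerificationOfDetachedSignatures(detachedSig) // signature travels separately
                .verifyNotBefore(notBefore)                       // reject signatures created earlier
                .verifyNotAfter(notAfter);                        // reject signatures created later

        // Assumed entry point of the same PGPainless release (not shown on this page).
        DecryptionStream stream = PGPainless.decryptAndOrVerify()
                .onInputStream(data)
                .withOptions(options);

        // The signature can only be checked once every byte has been hashed,
        // so drain the stream completely and close it before asking for the result.
        byte[] buffer = new byte[8192];
        while (stream.read(buffer) != -1) {
            // data is discarded; only the verification result matters here
        }
        stream.close();

        OpenPgpMetadata metadata = stream.getResult();
        // Bind the verdict to the expected signer, not to "some signature verified".
        return metadata.containsVerifiedSignatureFrom(signerCert);
    }
}
```

Passing the release window of an artifact as notBefore/notAfter makes a signature that is cryptographically valid but created outside that window count as unverified.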