Monday, December 26, 2011

CF: New version of BonCode PGP library released

I had a few request to look into the PGP library I released for ColdFusion and Railo last year. It took me a while to understand my own code, then, a while longer to implement the features that I wanted to add ;o)

The main add on this time is the ability to create single pass signed files. This allows you to create a file where you are assured that only the authorized receiver can read them, while the receiver is assured that the sender is authentic as well.  Yep, I know sound like cold-war stuff, but it is quite common scenario in financial exchanges to assure both sides that everything is the way it should be.

To a lesser level some other additions and bug fixes were completed as well.
All this, as usual is open source.

You can download code, examples, and implementation from here:

http://pgp.riaforge.org

Best,
B.

14 comments:

Eric said...

Hi Bilal,
I was hoping you could help me to migrate to using your cfc. I have been using com (nsdpgp3.dll) and PGP Desktop for years to simply decrypt files on my cf server.

I have always had trouble understanding how to add new keys/keyrings and portability has always been an issue for me with the PGP Desktop software so I needed to move over to another simpler platform.

For the last 2 days, I've been trying to get the BonCode PGP library to work for me and I need some help.

Essentially, I have performed the following steps.

First) Made sure the examples of decrypting are working to make sure the environment is set up correctly and they are. Then I:

1) exported my key pair (public and private) out of PGP Desktop
2) Separated the keys into separate files called Public_1.asc and Private_1.asc and placed them in the BonCodePGP\keys folder.
3) Try and decrypt the file and I get an "Error Occured
File could not be decrypted, please check your private key pass phrase. " error.
3) After that I'm stuck so I tried doing the following other things.
a) Encrypt a file using my Private_1.asc key and
b) Decrypt that same file and that worked.

The only difference is that the pgp file I'm trying to decrypt was created by a different machine.

Interestingly enough I was able to add a new key and decrypt the file using only PGP Desktop very easily.

Other questions that loom are: a) If i create a new key using BonCode, how to I modify the passphrase away from the default. I don't really see a way of doing that.

I thank you many times in advance.

bman said...

@Eric:
Eric PGP Desktop and BonCode PGP serve different audiences. The connector is meant for scripted system to system exchanges of messages and automation of processes, the Desktop is meant for single user to exchange documents and messages. As such it is expected that you will write code to make use of the BonCode PGP library.
You, can however, exchange keys between them and it should work. E.g. you can generate the keys to use for BonCode using the PGP desktop if this is more convenient and vice versa.
If understand this correctly you have not looked into the library component but derived capability from the sample implementation. The example only shows you a small piece of options; please review the PGPController.cfc for the full range of arguments and functions you can call. This also shows how to set different secret key passwords.
If you have any issues with coding the calls, you can contact me via project home: pgp.riaforge.org.
A good primer and more background on PGP: http://en.wikipedia.org/wiki/Pretty_Good_Privacy

Alex Finbow said...

Hey B,

Is it possible to be able to implement something along these lines to a Flex site? I need to be able to encrypt files when they get updates so need to reconfigure flex to point to PGP CommandLine or something?

bman said...

@Alex:
With Flex you have to use a method that gives you access to Server File system. You can use any number of Application Servers. This library is meant for ColdFusion/Railo application server. If you use either Adobe CF or Railo, it should be very easy to setup a Directory Monitor that encrypts files as they are dropped into it. You can then use polling or LCS to communicate this back to Flex clients. The detail of the implementation you probably want to check appropriate ColdFusion and Flex documentation.

yasi said...

Bilal,

Thank you very much for the work you put into this.

I am hoping you can help. My output files are empty. I have tried to encrypt a file and generate a new key.. both result in an empty file. But the file is being created with the correct file name.

Please tell me I am just missing something obvious.

Thanks!

bman said...

@Yasi:
An empty file is better than error normally. Probably just a pointer or argument issue .
If you use the sample "mini" site in the package does everything work or do you see errors in encryption/empty files there as well.
If things work in the sample, you might want to consider following the pattern of the calls.
If you need more info, please use the "Contact Project" link on RiaForge so we can exchange the details.

Eric said...

Hi Bilal,
I finally was able to come back and revisit BonCodePGP (taking into consideration your comments from 1/20/12 that I am now thanking you for).

I put together a very simple decrypt function that was able to successfully decode my file (using CF8 x32 on Windows 7 x64). I was very encouraged by this, I might add.

Since it appears that COM is not going to be supported on x64 bit platforms, my consumption of pgp.cfc (based on 2003 Asif Tamuri adaptation of Nsdpgp3Lib) is slated for re-engineering.

My goal is to be able to port this logic (simple decrypt of a pgg encrypted file) over to the CF x64 bit platform (ideally CF10).

Do you know if this libarary will work with CF10 on x64?

I tried, but I am getting a

"File could not be decrypted, please check your private key pass phrase." and no decrypted file is output.

I tried mahking sure the objects are being instantiated (and they are. But beyond this, I don't know what else to try.

Any help you provide is greatly appreciated...

Eric said...

Bilal,
Never mind my last post.
BonCodePGP works great!

I forgot to apply the Java Cryptography (JCE) Unlimited Strength Policy Files 6 files to my new CF10x64. When I did that, it began to work.

Thank you so so so much.

bman said...

@Eric
Glad it worked for you.

bman said...

Updated installer for ColdFusion 10. This should be a smoother process than manual copy of files.

Hasans Hazzuri said...

Hi,
Do you have any idea how to set the change the path of the resource directory to use the validation .properties for customised for my application on a shared server. Now I use this instruction but it doesn't work:

esapi.securityConfiguration().setResourceDirectory(myPath);

Thanks

bman said...

@Hassans:
Seems like and ESAPI question.
I would recommend you try posting your question on one of the ESAPI community mailing lists found here (lower part of page):
https://www.owasp.org/index.php/Esapi

Eric said...

Hi Bilal,
Long time no speak. I hope you are well. I was hoping you can help me to diagnose the following problem.

I'm running into some trouble implementing bonCodePGP on a few on my machines. I'm getting a "File could not be decrypted, please check your private key pass phrase." and have re-traced my steps and can't seem to figure it out. I know the code I wrote works and it's likely something in the environment.

The only thing I can think of is that the private / public keyrings have multiple keys in them.

Do you know if that would cause me to have a problem.

Also I know the files work becuase the original code that uses the nsdpgp3.dll successfully decrypts the files.

Thanks in advance...

bman said...

@Eric
It is faster if you contact me via the RiaForge site (contact project link).
The error normally indicates some sort of problem exists with the private key file you are referencing.
Check the path on the new server, Is it accurate?, i.e. does the file really contain a private key?

If there are multiple keys in that file, we will use the first private key. To make certain, create a file that only contains your private key to test. If this works add a suggestion to RiaForge site to add a feature for the next version to search (use) a key by name.