PGP/GPG PHP encrypt-sign (using GnuPG) and Java decrypt-verify (using Bouncy Castle)

360 views Asked by At

I have a client who is expecting PGP signed and encrypted data. When I use Java code (uses bouncycastle openpgp), it is able to decrypt and verify the sent data on his end (client end is Java).

Problem is my software is in PHP and I want to use GnuPG to sign and encrypt data, if I use GnuPG my client is not able to decrypt the data.

If I just encrypt the data in PHP, Java is able to decrypt without any problem. The issue is when I sign the data in PHP, Java is not able to decrypt and verify.

Is there any know problem with signing between PHP and Java?

I even tried Crypt_GPG, having exact same problem there too.

1

There are 1 answers

0
karmendra On

After deep investigation, interesting fact came out.

It turns out that the private key I was using was the culprit. I got that key from somewhere apparently was generated online at https://pgpkeygen.com/ (Never use keys generated online in production environments)

That key contained a primary RSA key and two subkeys (I am not sure why PGP allows subkeys and where it is useful)

Anyways, the issue was When Java was signing the data it used the primary key. but PHP used one of the subkeys, the decryption logic at java client end was trying to verify the signature was using primary key, hence it was not able to successfully verify.

I used command line gpg tool to edit the private key and removed the additional subkeys and after that PHP code used the primary key as that was the only available key in that private key, and everything seemed to work fine.