Assigning OpenPGP designated revoker in Java

The main idea behind OpenPGP designated revokers is that we trust someone else enough to give them the right to revoke our OpenPGP public key.

Technically a special signature subpacket (the Revocation Key subpacket of RFC 4880) is added to a self-signature on our public key; it names, by fingerprint, another key that is authorized to revoke ours (of course that other key can also be one of our own). Designated revokers are especially useful when we want to revoke a key but have no revocation certificate and either the private key or its password is lost. Two practical caveats follow from this: the revoker has to be assigned while we still control the private key, because adding the subpacket means signing with it, and whoever holds the designated revoker's private key can revoke our key at any time, so the party should be chosen with that in mind.

Here we show how to assign a designated revoker and how to revoke a public key with it using DidiSoft OpenPGP Library for Java.

Assign designated revoker for a key located in a file

For this example we need our public and private key and the other public key (usually the key of our partner) that will be assigned as designated revoker. Our public key file must be writable, since it is updated in place with the new signature.

import com.didisoft.pgp.*;

public class AssignDesignatedRevokerDemo {
    public static void main(String[] args) throws Exception {
        // create an instance of the library
        RevocationLib lib = new RevocationLib();

        // our key pair (the public key file is modified in place)
        String targetPublicKey = "key1_public.asc";
        String targetPrivateKey = "key1_private.asc";
        String targetPrivateKeyPassword = "password";
        // public key of the partner who will be allowed to revoke our key
        String designatedRevokerFile = "key2_public.asc";

        // assign designated revoker: the signature is made with our private key
        // and written into key1_public.asc
        lib.assignDesignatedRevoker(targetPublicKey,
                                    targetPrivateKey,
                                    targetPrivateKeyPassword,
                                    designatedRevokerFile);
    }
}

Assign designated revoker for a key located in a KeyStore

In this example we reference the keys in the KeyStore through their User IDs, but overloaded methods exist that expect Key IDs.

import com.didisoft.pgp.*;

public class KeyStoreAssignDesignatedRevoker {
    public static void main(String[] args) throws Exception {
        // initialize the KeyStore
        KeyStore keyStore = new KeyStore("demo.keystore", "changeit");

        // create an instance of the library
        RevocationLib lib = new RevocationLib();

        // in this example we reference the keys in the KeyStore
        // through their User IDs; overloaded methods accept Key IDs too
        String targetKeyUserId = "RSA_1";
        String targetPrivateKeyPassword = "password";
        String designatedRevokerUserId = "RSA_2";

        // assign designated revoker
        lib.assignDesignatedRevoker(keyStore,
                                    targetKeyUserId,
                                    targetPrivateKeyPassword,
                                    designatedRevokerUserId);
    }
}

Revoke with designated revoker located in a file

For this example we need the private key of the designated revoker; usually this step is performed by the party that was assigned as designated revoker, not by the key owner.

As before, the target public key file must be writable, because the revocation signature is written into it.

import com.didisoft.pgp.RevocationLib;

public class RevokeWithDesignatedRevoker {
    public static void main(String[] args) throws Exception {
        // create an instance of the library
        RevocationLib lib = new RevocationLib();

        // directory holding the key files (adjust as needed)
        String path = "./";

        // public key to be revoked (modified in place)
        String targetPublicKey = path + "key1_public.asc";

        // private key of the designated revoker
        String designatedRevokerPrivateKey = path + "key2_private.asc";
        String designatedRevokerPrivateKeyPassword = ""; // empty password

        // reason code and free-text description stored in the revocation signature
        byte revocationCode = RevocationLib.REASON_KEY_NO_LONGER_USED;
        String revocationDescription = "This key is no longer used";

        // revoke the key with the designated revoker's private key
        lib.revokeKeyWithDesignatedRevoker(targetPublicKey,
                                           designatedRevokerPrivateKey,
                                           designatedRevokerPrivateKeyPassword,
                                           revocationCode,
                                           revocationDescription);
    }
}

Revoke with designated revoker located in a KeyStore

In this example we again refer to the keys through their User IDs; overloaded methods exist with Key ID parameters. As in the example above we must possess the private key of the designated revoker, and it must be in the same KeyStore file as the key being revoked.

import com.didisoft.pgp.KeyStore;
import com.didisoft.pgp.RevocationLib;

public class KeyStoreRevokeWithDesignatedRevoker {
    public static void main(String[] args) throws Exception {
        // initialize the KeyStore (holds both the target key and the revoker's private key)
        KeyStore keyStore = new KeyStore("revocation.keystore", "changeit");

        // create an instance of the library
        RevocationLib lib = new RevocationLib();

        String targetPublicKeyUserId = "RSA_1";
        String designatedRevokerUserId = "RSA_2";
        String designatedRevokerPrivateKeyPassword = "password";

        // reason code and free-text description stored in the revocation signature
        byte revocationCode = RevocationLib.REASON_KEY_NO_LONGER_USED;
        String revocationDescription = "This key is no longer used";

        // revoke the key with the designated revoker's private key
        lib.revokeKeyWithDesignatedRevoker(keyStore,
                                           targetPublicKeyUserId,
                                           designatedRevokerUserId,
                                           designatedRevokerPrivateKeyPassword,
                                           revocationCode,
                                           revocationDescription);
    }
}

Afterwards we can export the revoked public key and distribute it to our partners so that they stop using it; a revocation that stays on our disk protects nobody.
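The library calls above do the work for us, but a practitioner usually wants to confirm what actually landed in the key file: that a Revocation Key subpacket naming the partner's fingerprint sits in the hashed area of our self-signature (the mechanism described at the top of this page), and, once a revocation has been issued, that the revocation signature really comes from that designated revoker and not from some unrelated key. The following Python script is an added example for this page, not DidiSoft code. It walks the RFC 4880 packet structure of a binary (dearmored) OpenPGP public key and reports both facts. It checks structure only and does not verify any signature cryptographically; the sample key it builds inline is constructed from dummy values and is not a real key, and all function names are my own.

```python
import hashlib
import struct

def _read_len(data, pos):
    """Length octets used by new-format packets and by subpackets (RFC 4880 4.2.2)."""
    b = data[pos]
    if b < 192:
        return b, pos + 1
    if b < 255:
        return ((b - 192) << 8) + data[pos + 1] + 192, pos + 2
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5

def iter_packets(data):
    """Yield (tag, body) for each packet of a binary (dearmored) OpenPGP stream."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                    # new-format header
            tag = ctb & 0x3F
            if 224 <= data[pos + 1] < 255:
                raise ValueError("partial body lengths not supported")
            length, pos = _read_len(data, pos + 1)
        else:                                             # old-format header (GnuPG exports)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            pos += 1 + (1 << ltype)
        yield tag, data[pos:pos + length]
        pos += length

def iter_subpackets(area):
    """Yield (type, body) for each signature subpacket, critical bit stripped."""
    pos = 0
    while pos < len(area):
        length, pos = _read_len(area, pos)
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length

def parse_signature(body):
    """Return (sig_type, hashed_subpackets, unhashed_subpackets, issuer_key_id) of a v4 signature."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    pos = 6 + struct.unpack(">H", body[4:6])[0]
    hashed = list(iter_subpackets(body[6:pos]))
    unhashed = list(iter_subpackets(body[pos + 2:pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]]))
    issuer = next((sp for t, sp in hashed + unhashed if t == 16), None)   # Issuer subpacket
    return body[1], hashed, unhashed, issuer

def v4_fingerprint(key_body):
    """RFC 4880 12.2: SHA-1 over 0x99, a two-octet length and the key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()

def audit_key(key_data):
    """Report who may revoke the primary key and which revocation signatures it carries.
    A Revocation Key subpacket (type 12) counts only in the HASHED area of a self-signature;
    the unhashed area is not signed and could have been appended by anyone."""
    packets = list(iter_packets(key_data))
    primary_fpr = v4_fingerprint(next(b for t, b in packets if t == 6))
    primary_id = primary_fpr[-8:]                          # key ID = low 64 bits of fingerprint
    sigs = [parse_signature(b) for t, b in packets if t == 2]
    revokers = [sp[2:22] for _, hashed, _, issuer in sigs if issuer == primary_id
                for t, sp in hashed if t == 12 and sp[0] & 0x80]   # class 0x80 = revoker
    revocations = []
    for sig_type, hashed, _, issuer in sigs:
        if sig_type != 0x20:                               # 0x20 = key revocation signature
            continue
        reason = next((sp for t, sp in hashed if t == 29), b"\x00")   # Reason for Revocation
        revocations.append({
            "issuer": issuer.hex() if issuer else None,
            "authorised": issuer == primary_id or any(issuer == f[-8:] for f in revokers),
            "reason_code": reason[0], "reason_text": reason[1:].decode("utf-8", "replace")})
    return {"fingerprint": primary_fpr.hex(), "revokers": [f.hex() for f in revokers],
            "revocations": revocations}

# Constructed sample data: NOT real keys (8-bit dummy RSA values, unverifiable signatures).
def _packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body           # new-format header, 1-octet length
def _subpacket(sp_type, body):
    return bytes([len(body) + 1, sp_type]) + body
def sample_key_body(seed):
    return b"\x04" + struct.pack(">I", 1700000000) + b"\x01\x00\x08" + bytes([0x80 | seed]) + b"\x00\x05\x11"
def _sig_body(sig_type, hashed, issuer_id):
    h, u = b"".join(hashed), _subpacket(16, issuer_id)
    return (b"\x04" + bytes([sig_type, 1, 8]) + struct.pack(">H", len(h)) + h
            + struct.pack(">H", len(u)) + u + b"\x00\x00" + b"\x00\x07\x42")

def build_sample_key():
    """key1 names key2 as designated revoker; key2 has revoked key1; key3 (unauthorised) also tried."""
    key1, key2, key3 = sample_key_body(1), sample_key_body(2), sample_key_body(3)
    id1, id2, id3 = (v4_fingerprint(k)[-8:] for k in (key1, key2, key3))
    created = _subpacket(2, struct.pack(">I", 1700000000))
    reason = _subpacket(29, b"\x03This key is no longer used")      # 3 = key retired / no longer used
    revoker = _subpacket(12, b"\x80\x01" + v4_fingerprint(key2))     # class 0x80, RSA, fingerprint
    return (_packet(6, key1)
            + _packet(2, _sig_body(0x20, [created, reason], id2))                 # by designated revoker
            + _packet(2, _sig_body(0x20, [created, _subpacket(29, b"\x02")], id3))  # bogus revocation
            + _packet(13, b"Key One <one@example.com>")
            + _packet(2, _sig_body(0x13, [created, revoker], id1)))             # self-sig naming revoker
```

To inspect one of the page's key files, convert the ASCII-armored .asc file to binary first (for example with `gpg --dearmor`) and call `audit_key(open("key1_public.gpg", "rb").read())`. A revocation whose issuer is neither the key itself nor one of the listed revokers is reported as unauthorised and should be ignored; a real verifier must additionally check the signature itself, which this script deliberately does not do.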

Summary

This chapter illustrated how to assign a designated revoker to an OpenPGP key, and how that revoker can then revoke the key, programmatically in Java.