Exchanging keys with OpenPGP LDAP Servers in Java

With DidiSoft OpenPGP Library for Java we can easily store and retrieve keys from OpenPGP LDAP (Lightweight directory access protocol) servers that support the pgp ldap scheme, such as Symantec Encryption Management Server (SEMS, formerly PGP Universal Server) and OpenLDAP/slapd.

The communication functionality is exposed by the class LDAPClient located in com.didisoft.pgp.net. This chapter illustrates its usage:

1. Uploading a key to the LDAP server
2. Retrieving keys from the LDAP server
3. Exception handling

Store a key into the LDAP server

The key upload process consists of instantiating the LDAPClient class and invoking its submitKey method. For public key servers like keyserver.pgp.com we don’t need authentication. For private LDAP servers we shall use the LDAPClient constructor that accepts username and password parameters with values that match an LDAP user account with write access.

import java.io.File;
import java.nio.file.Files;

import com.didisoft.pgp.net.LDAPClient;

public class DemoLDAP {
  public static void demo() throws Exception {
    // connect to LDAP server that supports pgp schema
    LDAPClient ldap = new LDAPClient("keyserver.pgp.com");

    // read the whole ASCII-armored public key into a byte array
    // (a single InputStream.read() call is not guaranteed to fill the buffer)
    File file = new File("c:\\Test\\public_key.asc");
    byte[] keyBytes = Files.readAllBytes(file.toPath());

    // upload the key; the server reports whether it was accepted
    boolean submitted = ldap.submitKey(keyBytes);
    System.out.println(submitted ? "Key submitted" : "Key was not accepted");
  }
}

Retrieve a key from the LDAP server

We can retrieve a key from an OpenPGP LDAP server by addressing the key with its User Id (whole or part of it) or its hexadecimal Key Id.

The example below will return the first key that matches part of the provided User Id (by calling setPartialMatchUserIds(true)):

import com.didisoft.pgp.net.LDAPClient;
import com.didisoft.pgp.KeyPairInformation;

public class DemoLDAP {
  public static void demo() throws Exception {
    // connect to LDAP server that supports pgp schema
    LDAPClient ldap = new LDAPClient("keyserver.pgp.com");

    // search by part of the User Id; the first matching key is returned
    ldap.setPartialMatchUserIds(true);
    KeyPairInformation key = ldap.getSingleKeyByUserId("DidiSoft");

    if (key != null) {
      System.out.println("Found key: " + key.getKeyID());
    } else {
      System.out.println("No such key was found");
    }
  }
}

Searching for multiple keys

In order to retrieve multiple keys matching part of a User Id, we can use the getMultipleKeysByUserId method:

    // search by part of the User Id; every matching key is returned
    ldap.setPartialMatchUserIds(true);
    KeyPairInformation[] keys = ldap.getMultipleKeysByUserId("DidiSoft*");

    for (KeyPairInformation key : keys) {
      System.out.println("Found key: " + key.getKeyID());
    }

Note the wildcard symbol * used in the example above. It can be placed anywhere in the searched User Id.

Searching by Key Id

Searching by Key Id is performed with getSingleKeyByKeyIdHex, which returns a single key (or null when no key with that Key Id exists):

    // look up one key by its hexadecimal Key Id
    KeyPairInformation key = ldap.getSingleKeyByKeyIdHex("A072B431");

Exception handling

All the methods that exchange data with the LDAP server throw java.io.IOException in case of a network failure.
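Anyone can publish a key under any User Id, so a User Id match alone does not establish who owns a key. The following added example (not part of the library's own documentation) combines the lookup methods and the IOException contract described above to accept a key only when the Key Id the server reports for the User Id equals a Key Id obtained out of band; the server name, User Id and pinned Key Id are constructed placeholders.

```java
import java.io.IOException;

import com.didisoft.pgp.KeyPairInformation;
import com.didisoft.pgp.net.LDAPClient;

public class PinnedLdapLookup {

    /**
     * Fetches the key published for userId and cross-checks it against the key
     * stored under pinnedKeyIdHex (a Key Id learned through a verified channel).
     * Returns null when nothing is published for the User Id; throws
     * SecurityException when the two lookups do not name the same key.
     */
    public static KeyPairInformation lookupPinned(LDAPClient ldap, String userId,
                                                  String pinnedKeyIdHex) throws IOException {
        ldap.setPartialMatchUserIds(false);   // exact User Id match only, no wildcard
        KeyPairInformation byUserId = ldap.getSingleKeyByUserId(userId);
        if (byUserId == null) {
            return null;                      // no key published under this User Id
        }

        KeyPairInformation byKeyId = ldap.getSingleKeyByKeyIdHex(pinnedKeyIdHex);
        if (byKeyId == null) {
            throw new IOException("Pinned key " + pinnedKeyIdHex + " is not on the server");
        }

        // Both queries succeeded; compare the Key Ids as strings so the check is the
        // same whichever representation getKeyID() uses (assumption: it is comparable).
        String found = String.valueOf(byUserId.getKeyID());
        String pinned = String.valueOf(byKeyId.getKeyID());
        if (!found.equals(pinned)) {
            throw new SecurityException("Key published for " + userId
                    + " (" + found + ") does not match pinned Key Id " + pinnedKeyIdHex);
        }
        return byUserId;
    }

    public static void main(String[] args) throws Exception {
        // constructed values: hypothetical server, User Id and pinned Key Id
        LDAPClient ldap = new LDAPClient("ldap.example.org");
        try {
            KeyPairInformation key = lookupPinned(ldap, "alice@example.org", "A072B431");
            System.out.println(key == null ? "No key published" : "Accepted key " + key.getKeyID());
        } catch (IOException e) {
            // network failure or missing pinned key: do not fall back to an unverified key
            System.err.println("Lookup failed: " + e.getMessage());
        }
    }
}
```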

Summary

This chapter illustrated with Java code how to exchange keys with LDAP key servers that support the pgp scheme.

You may also be interested in how to exchange OpenPGP keys with HKP key servers.

List of methods used:

LDAPClient.setPartialMatchUserIds - controls whether keys are searched by the whole User ID or by part of it
LDAPClient.getSingleKeyByUserId - retrieves a key from an LDAP server by whole or part of the User ID
LDAPClient.getSingleKeyByKeyIdHex - retrieves a key from an LDAP server by hexadecimal Key ID
LDAPClient.getSingleKeyByKeyId - retrieves a key from an LDAP server by Key ID
LDAPClient.getMultipleKeysByUserId - retrieves many keys from an LDAP server by whole or part of the User ID
LDAPClient.submitKey - uploads a key to an LDAP server