using bouncy castle to create public PGP key usable by Thunderbird

Question

I created public and private PGP keys using org.bouncycastle.openpgp.PGPKeyRingGenerator. After making a change suggested by GregS, the public key is a .asc file, and the private key is a .skr file. I need to distribute the public key at first to Thunderbird users, and then later to users of Outlook and other email clients. I read these instructions for receiving a public key in thunderbird, but the instructions merely specify a .asc extension without specifying the contents/structure of the .asc file.

How do set things up so that my (modified?) code below creates a public key that can be used by remote users of Thunderbird to send encrypted emails which can then be decrypted by my private key, also created by the (modified?) code below? The accepted answer will include step by step instructions, not only for making any necessary changes to the code below, but also for setting up each remote Thunderbird user to utilize the below-generated-public-key to send emails which can be decrypted by the private key in my app, created by the (modified?) code below.

Here is my first draft of the key-generating code:

import java.io.BufferedOutputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Date;

import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
import org.bouncycastle.bcpg.sig.Features;
import org.bouncycastle.bcpg.sig.KeyFlags;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.openpgp.PGPEncryptedData;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPKeyRingGenerator;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyEncryptorBuilder;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder;
import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
import org.bouncycastle.openpgp.operator.bc.BcPGPKeyPair;  

public class RSAGen {
    public static void main(String args[]) throws Exception {
        char pass[] = {'h', 'e', 'l', 'l', 'o'};
        PGPKeyRingGenerator krgen = generateKeyRingGenerator("alice@example.com", pass);

        // Generate public key ring, dump to file.
        PGPPublicKeyRing pkr = krgen.generatePublicKeyRing();
        ArmoredOutputStream pubout = new ArmoredOutputStream(new BufferedOutputStream(new FileOutputStream("/home/user/dummy.asc")));
        pkr.encode(pubout);
        pubout.close();

        // Generate private key, dump to file.
        PGPSecretKeyRing skr = krgen.generateSecretKeyRing();
        BufferedOutputStream secout = new BufferedOutputStream(new FileOutputStream("/home/user/dummy.skr"));
        skr.encode(secout);
        secout.close();
    }

    public final static PGPKeyRingGenerator generateKeyRingGenerator(String id, char[] pass) throws Exception{
        return generateKeyRingGenerator(id, pass, 0xc0); 
    }

    // Note: s2kcount is a number between 0 and 0xff that controls the number of times to iterate the password hash before use. More
    // iterations are useful against offline attacks, as it takes more time to check each password. The actual number of iterations is
    // rather complex, and also depends on the hash function in use. Refer to Section 3.7.1.3 in rfc4880.txt. Bigger numbers give
    // you more iterations.  As a rough rule of thumb, when using SHA256 as the hashing function, 0x10 gives you about 64
    // iterations, 0x20 about 128, 0x30 about 256 and so on till 0xf0, or about 1 million iterations. The maximum you can go to is
    // 0xff, or about 2 million iterations.  I'll use 0xc0 as a default -- about 130,000 iterations.

    public final static PGPKeyRingGenerator generateKeyRingGenerator(String id, char[] pass, int s2kcount) throws Exception {
        // This object generates individual key-pairs.
        RSAKeyPairGenerator  kpg = new RSAKeyPairGenerator();

        // Boilerplate RSA parameters, no need to change anything
        // except for the RSA key-size (2048). You can use whatever key-size makes sense for you -- 4096, etc.
        kpg.init(new RSAKeyGenerationParameters(BigInteger.valueOf(0x10001), new SecureRandom(), 2048, 12));

        // First create the master (signing) key with the generator.
        PGPKeyPair rsakp_sign = new BcPGPKeyPair(PGPPublicKey.RSA_SIGN, kpg.generateKeyPair(), new Date());
        // Then an encryption subkey.
        PGPKeyPair rsakp_enc = new BcPGPKeyPair(PGPPublicKey.RSA_ENCRYPT, kpg.generateKeyPair(), new Date());

        // Add a self-signature on the id
        PGPSignatureSubpacketGenerator signhashgen = new PGPSignatureSubpacketGenerator();

        // Add signed metadata on the signature.
        // 1) Declare its purpose
        signhashgen.setKeyFlags(false, KeyFlags.SIGN_DATA|KeyFlags.CERTIFY_OTHER);
        // 2) Set preferences for secondary crypto algorithms to use when sending messages to this key.
        signhashgen.setPreferredSymmetricAlgorithms
            (false, new int[] {
                SymmetricKeyAlgorithmTags.AES_256,
                SymmetricKeyAlgorithmTags.AES_192,
                SymmetricKeyAlgorithmTags.AES_128
            });
        signhashgen.setPreferredHashAlgorithms
            (false, new int[] {
                HashAlgorithmTags.SHA256,
                HashAlgorithmTags.SHA1,
                HashAlgorithmTags.SHA384,
                HashAlgorithmTags.SHA512,
                HashAlgorithmTags.SHA224,
            });
        // 3) Request senders add additional checksums to the message (useful when verifying unsigned messages.)
        signhashgen.setFeature(false, Features.FEATURE_MODIFICATION_DETECTION);

        // Create a signature on the encryption subkey.
        PGPSignatureSubpacketGenerator enchashgen = new PGPSignatureSubpacketGenerator();
        // Add metadata to declare its purpose
        enchashgen.setKeyFlags(false, KeyFlags.ENCRYPT_COMMS|KeyFlags.ENCRYPT_STORAGE);

        // Objects used to encrypt the secret key.
        PGPDigestCalculator sha1Calc = new BcPGPDigestCalculatorProvider().get(HashAlgorithmTags.SHA1);
        PGPDigestCalculator sha256Calc = new BcPGPDigestCalculatorProvider().get(HashAlgorithmTags.SHA256);

        // bcpg 1.48 exposes this API that includes s2kcount. Earlier versions use a default of 0x60.
        PBESecretKeyEncryptor pske = (new BcPBESecretKeyEncryptorBuilder(PGPEncryptedData.AES_256, sha256Calc, s2kcount)).build(pass);

        // Finally, create the keyring itself. The constructor takes parameters that allow it to generate the self signature.
        PGPKeyRingGenerator keyRingGen =
            new PGPKeyRingGenerator(PGPSignature.POSITIVE_CERTIFICATION, rsakp_sign,
         id, sha1Calc, signhashgen.generate(), null,
             new BcPGPContentSignerBuilder(rsakp_sign.getPublicKey().getAlgorithm(), HashAlgorithmTags.SHA1), pske);

        // Add our encryption subkey, together with its signature.
        keyRingGen.addSubKey(rsakp_enc, enchashgen.generate(), null);
        return keyRingGen;
    }
}

When I run the code above to generate the .asc file, and then try to import the .asc file into Thunderbird, I get the following error screen:

Note that I did not install GnuPG on my CentOS 7 machine.

Also, you can recreate this problem on your own machine easily because Thunderbird is free. You can download thunderbird for free using this link. Alternatively, on my CentOS 7 machine, I downloaded Thunderbird with yum install thunderbird. You can download bouncy castle by adding the following to your pom.xml:

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpg-jdk15on</artifactId>
    <version>1.51</version>
</dependency>

---

EDIT#1:

To address JRichardSnape's questions, I found that maven must also be automatically downloading the org.bouncycastle.crypto library because it is a dependency of bcpg-jdk15on. JRichardSnape is correct that RSAKeyGenerationParameters and RSAKeyPairGenerator are not in the bcpg-jdk15on.jar manual download. (Note: the versions in the links may not be current.) However, both classes are in the automated maven download that results from the single dependency snippet from pom.xml shown above. I say this because there are no other bouncycastle dependencies in my pom.xml. I am using Java 7.

Eclipse describes the two classes imported as:

import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;  

I added all of the import statements from RSAGen.java to the code segment in my OP above. I think the problem might to do with the need for a name/signature for the key.

Googling this error results in the following links, among others:

Convert userId to UTF8 before generating signature #96
non-ascii characters in Name field #92
Unable to import PGP certificate into Keychain

EDIT#2

As per @JRichardSnape's advice, I tried Enigmail->Key management ->File ->Import keys from file. This resulted in the following dialog box, which seems to indicate that, while the key was imported, the key was not signed. Thus, it seems that there is no name or no email address associated with the .asc file that was imported. The key also does not show up in EnigMail's list of keys afterwards.

EDIT#3

Using gpg --gen-key, I was able to get the CentOS 7 terminal to create a keypair, including a public key, which I was able to successfully import into Thunderbird, so that Thunderbird can now associate the terminal-gpg-generated public key with the intended email recipient. But when I take all the steps to send an encrypted email from Thunderbird using the public key, the email and its attachments nonetheless arrive unencrypted. The steps I took to send encrypted email with the public key from remote Thunderbird to the server that has the private key are described in this SuperUser posting.

Given that gpg --gen-key seems to work, the major remaining problem at the moment, seems to be the Thunderbird part of this bounty question. I have posted a lot of progress towards solving the Thunderbird part in the SuperUser question in the preceding paragraph. Your help answering it would go a long way towards answering this question as well.

EDIT#4

I am still not able to get the BouncyCastle-created key to import into Thunderbird. However, when I use keys created on the CentOS 7 terminal using gpg --gen-key, I am able to complete the following steps:

1.) I configured my Thunderbird to manage another (second) 
    email account I have not been using.  
2.) I then created a gpg key for that second account and 
    configured encryption for that second account in Thunderbird.  
3.) I sent an encrypted email containing an attachment from the  
    first Thunderbird account to the second Thunderbird account.
4.) I was able to see that the attachment remained encrypted in  
    the second account's inbox until I used the recipient key's  
    passphrase to decrypt it.

My CentOS 7 server is still producing un-encrypted attachments when I send an email to it from the same "first" Thunderbird account as described in this edit. I am trying to determine whether this is due to some "auto-decryption" in dovecot/postfix/mailx/gpg in the CentOS 7 server, or whether it is due to some settings in the Thunderbird sender. I am researching this.

Answer 1

I'll try to address these points one by one:

Java bouncycastle keyring generation

The Java code does work and produces a usable keyring pair. I have tested it with different emails and different pass codes with no problems. I have had a 3rd party send me an email using the public key and successfully decrypted it with the private key both generated by this Java code. The key has worked with the following combinations

• Thunderbird (31.4.0) + Enigmail (1.7.2) + gpg (Gpg4win) on Windows 8
• Thunderbird + Enigmail on ubuntu 14.10 (with the xfer desktop manager)

however

The OP finds a problem importing the keys with a failure implying there is no user ID in a CentOS / Thunderbird / pgp combination. Similarly, it has failed to be imported with an error saying no User ID on Windows / Outlook / Kleopatra plugin (tested although the question specifically cites Thunderbird).

I am unable to reproduce the error - strongly suspect it is due to either configuration differences or version differences in GNU PG. My setup shows the following for gpg --version

gpg (GnuPG) 2.0.26 (Gpg4win 2.2.3)
libgcrypt 1.6.2

---

Testing Java generated key with gpg directly

You can generate the keys with your java code, go to command line and execute

gpg --import dummy.asc

Then test is by executing

gpg --edit-key alice@example.com

check it has a user id by typing check at the gpg> prompt. Sample output:

uid  alice@example.com
sig!3        14AEE94A 2015-02-05  [self-signature]

If this works - you have eliminated a gpg problem with your key import - check the Thunderbird / Enigmail versions.

Using Thunderbird

It seems that the majority of issues have been solved by my comment recommending key import via Enigmail->Key management ->File ->Import keys from file in combination with this related question from the OP on superuser.

Note also - there is a "generate" option in Key Management dialogue for Enigmail. If the Java generation is not required, this can be used to generate key pairs - it is basically the same as generating directly via gpg to the best of my knowledge.

---

The remaining issue with use of Thunderbird appears to be a lack of confidence in the encryption as the message appears in plain text on the OP's server (it appears that the key is to be used in a server/client combination where clients send encrypted emails to a server).

To gain confidence that the message is indeed being encrypted - I suggest altering an Enigmail setting:

• Enigmail -> Preference -> Sending tab
• select "Manual encryption settings"
• select "Always" in the "confirm before sending" box

You will then see the encrypted mail along with a confimation box before it is sent.

I can't speak as to how to stop your server automatically decrypting incoming mail, as it depends on your server configuration and would be better asked as a separate question, quite possibly on either superuser or serverfault StackExchange sites.

Testing PGP email

You might also consider following the advice from the Enigmail tutorial and sending an encrypted mail to

Adele, the "Friendly OpenPGP Email Robot". Adele accepts OpenPGP messages and replies in an explanatory way to any kind of OpenPGP messages.

The address is adele <at> gnupp <dot> de