NAME
Crypt::OpenPGP - Pure-Perl OpenPGP implementation
SYNOPSIS
my $pgp = Crypt::OpenPGP->new;
my $signature = $pgp->sign(
Filename => $file,
KeyID => $key_id,
Passphrase => $pass,
Detach => 1,
Armour => 1,
);
my $valid = $pgp->verify(
Signature => $signature,
Files => [ $file ],
);
my $ciphertext = $pgp->encrypt(
Filename => $file,
KeyID => $key_id,
Armour => 1,
);
my $plaintext = $pgp->decrypt(
Data => $ciphertext,
Passphrase => $pass,
);DESCRIPTION
Crypt::OpenPGP is a pure-Perl implementation of the OpenPGP standard; its intention is compatibility with all other implementations of PGP that support the standard.
Crypt::OpenPGP provides signing/verification, encryption/decryption, keyring management, and keypair generation; in short it should provide you with everything you need to PGP-enable yourself. Alternatively it can be used as part of a larger system; for example, perhaps you have a web-form-to-email generator written in Perl, and you'd like to encrypt outgoing messages, because they contain sensitive information. Crypt::OpenPGP can be plugged into such a scenario, given your public key, and told to encrypt all messages; they will then be readable only by you.
This module currently supports RSA and DSA for signing/verification, and RSA and ElGamal for encryption/decryption. It supports the symmetric ciphers 3DES, Blowfish, and IDEA.
USAGE
Crypt::OpenPGP has the following high-level interface. On failure, all methods will return undef and set the errstr for the object; look below at the ERROR HANDLING section for more information.
Crypt::OpenPGP->new( %args )
Constructs a new Crypt::OpenPGP instance and returns that object. Returns undef on failure.
%args can contain:
SecRing
Path to your secret keyring. If unspecified, Crypt::OpenPGP will look for your keyring in a number of default places.
PubRing
Path to your public keyring. If unspecified, Crypt::OpenPGP will look for your keyring in a number of default places.
$pgp->encrypt( %args )
Encrypts a block of data. The encryption is actually done with a symmetric cipher; the key for the symmetric cipher is encrypted with the public key that you specify, and thus can only be unlocked by the related secret key.
Returns a block of data containing two PGP packets: the encrypted symmetric key and the encrypted data.
On failure returns undef.
%args can contain:
Data
The plaintext to be encrypted. This should be a simple scalar containing an arbitrary amount of data.
Data is optional; if unspecified, you should specify a filename (see Filename, below).
Filename
The path to a file to encrypt.
Filename is optional; if unspecified, you should specify the data in Data, above. If both Data and Filename are specified, the data in Data overrides that in Filename.
KeyID
The ID of the public key that should be used to decrypt the symmetric key. In other words, the ID of the key with which the message should be encrypted. The value of the key ID should be specified as a 16-digit hexadecimal number.
This argument is mandatory.
Cipher
The name of a symmetric cipher with which the plaintext will be encrypted. Valid arguments are
DES3,Blowfish, andIDEA.This argument is optional; Crypt::OpenPGP currently defaults to
DES3, but this could change in the future.Compress
If true, the plaintext will be compressed before it is encrypted.
By default Compress is 0, so the text is not compressed.
Armour
If true, the data returned from encrypt will be ASCII-armoured. This can be useful when you need to send data through email, for example.
By default the returned data is not armoured.
$pgp->decrypt( %args )
Decrypts a block of ciphertext. The ciphertext should be of the sort returned from encrypt, in either armoured or non-armoured form. This is compatible with all other implementations of PGP: the output of their encryption should serves as the input to this method.
Returns the plaintext (that is, the decrypted ciphertext).
On failure returns undef.
%args can contain:
Data
The ciphertext to be decrypted. This should be a simple scalar containing an arbitrary amount of data.
Data is optional; if unspecified, you should specify a filename (see Filename, below).
Filename
The path to a file to decrypt.
Filename is optional; if unspecified, you should specify the data in Data, above. If both Data and Filename are specified, the data in Data overrides that in Filename.
Passphrase
The passphrase to unlock your secret key.
This argument is mandatory if your secret key is protected.
$pgp->sign( %args )
Creates and returns a digital signature on a block of data.
On failure returns undef.
%args can contain:
Data
The text to be signed. This should be a simple scalar containing an arbitrary amount of data.
Data is optional; if unspecified, you should specify a filename (see Filename, below).
Filename
The path to a file to sign.
Filename is optional; if unspecified, you should specify the data in Data, above. If both Data and Filename are specified, the data in Data overrides that in Filename.
Detach
If set to a true value the signature created will be a detached signature; that is, a signature that does not contain the original text. This assumes that the person who will be verifying the signature can somehow obtain the original text (for example, if you sign the text of an email message, the original text is the message).
By default signatures are not detached.
Armour
If true, the data returned from sign will be ASCII-armoured. This can be useful when you need to send data through email, for example.
By default the returned signature is not armoured.
KeyID
The ID of the secret key that should be used to sign the message. The value of the key ID should be specified as a 16-digit hexadecimal number.
This argument is mandatory.
Passphrase
The passphrase to unlock your secret key.
This argument is mandatory if your secret key is protected.
Version
The format version of the created signature. The two possible values are
3and4; version 4 signatures will not be compatible with older PGP implementations.The default value is
4, although this could change in the future.
$pgp->verify( %args )
Verifies a digital signature. Returns true on success, undef on failure. The 'true' value returned on success will be, if available, the PGP User ID of the person who created the signature. If that value is unavailable, the return value will be 1.
%args can contain:
Signature
The signature data, as returned from sign. This data can be either a detached signature or a non-detached signature. If the former, you will need to specify the list of files comprising the original signed data (see Data or Files, below).
Either this argument or SigFile is required.
SigFile
The path to a file containing the signature data. This data can be either a detached signature or a non-detached signature. If the former, you will need to specify the list of files comprising the original signed data (see Data or Files, below).
Either this argument or SigFile is required.
Data
Specifies the original signed data.
If the signature (in either Signature or SigFile) is a detached signature, either Data or Files is a mandatory argument.
Files
Specifies a list of files comprising the original signed data. The value should be a reference to a list of file paths; if there is only one file, the value can be specified as a scalar string, rather than a reference to a list.
If the signature (in either Signature or SigFile) is a detached signature, either Data or Files is a mandatory argument.
$pgp->keygen( %args )
NOTE: this interface is alpha and could change in future releases!
Generates a public/secret PGP keypair. Returns two keyblocks (objects of type Crypt::OpenPGP::KeyBlock), a public and a secret keyblock, respectively. A keyblock is essentially a block of keys, subkeys, signatures, and user ID PGP packets.
%args can contain:
Type
The type of key to generate. Currently there are two valid values:
RSAandDSA.ElGamalkey generation is not supported at the moment.This is a required argument.
Size
Bitsize of the key to be generated. This should be an even integer; there is no low end currently implemented in Crypt::OpenPGP, but for the sake of security Size should be at least 1024 bits.
This is a required argument.
Identity
A string that identifies the owner of the key. Typically this is the combination of the user's name and an email address; for example,
Foo Bar <foo@bar.com>The Identity is used to build a User ID packet that is stored in each of the returned keyblocks.
This is a required argument.
Passphrase
String with which the secret key will be encrypted. When read in from disk, the key can then only be unlocked using this string.
This is a required argument.
Version
Specifies the key version; defaults to version
4keys. You should only set this to version3if you know why you are doing so (for backwards compatibility, most likely). Version3keys only support RSA.Verbosity
Set to a true value to enable a status display during key generation; since key generation is a relatively lengthy process, it is helpful to have an indication that some action is occurring.
Verbosity is 0 by default.
ERROR HANDLING
If an error occurs in any of the above methods, the method will return undef. You should then call the method errstr to determine the source of the error:
$pgp->errstrIn the case that you do not yet have a Crypt::OpenPGP object (that is, if an error occurs while creating a Crypt::OpenPGP object), the error can be obtained as a class method:
Crypt::OpenPGP->errstrFor example, if you try to decrypt some encrypted text, and you do not give a passphrase to unlock your secret key:
my $pt = $pgp->decrypt( Filename => "encrypted_data" )
or die "Decryption failed: ", $pgp->errstr;LICENSE
Crypt::OpenPGP is free software; you may redistribute it and/or modify it under the same terms as Perl itself.
AUTHOR & COPYRIGHT
Except where otherwise noted, Crypt::OpenPGP is Copyright 2001 Benjamin Trott, ben@rhumba.pair.com. All rights reserved.