Any more thoughts on this?
Brett Porter wrote:
Thanks Stefan - feedback inline.
Stefan Bodewig wrote:
> /** @param keyId may be null to specify the default key */
> void sign(InputStream data, OutputStream signedOutput,
> String keyId, KeyRing keyRing, boolean asciiArmor)
> throws PGPException;
>
> /** @param keyId may be null to specify the default key */
> void detachedSign(InputStream data, OutputStream signature,
> String keyId, KeyRing keyRing, boolean asciiArmor)
> throws PGPException;
>
> SignatureStatus verifySignature(InputStream data, KeyRing keyRing)
> throws PGPException;
>
> SignatureStatus verifyDetachedSignature(InputStream data,
> InputStream signature,
> KeyRing keyRing)
> throws PGPException;
>}
>
>
These all look fine for most uses, but I would like a default
implementation that builds on something like this:
interface PgpSignatureUpdater {
void update( byte[] data )
void update( byte[] data, int offset, int length )
byte[] finish()
}
This being used to create the detached signature (I'm assuming a
generated detached signature can be later added to the actual message,
and that byte[] is sufficient for both binary and ascii armored output),
and can be used in both signing and verifying. The implementation would
take configuration specifying the keyring, ascii armoring and anything else.
>class KeyRing {
> InputSteam getStream();
> /** @return null for a public key ring. */
> char[] getPassPhrase();
>}
>
>
>
Seems ok.
>PGPException would be a wrapper for the real exception an
>implementation could throw (but I wouldn't want to depend on
>commons-lang just for NestableException).
>
>
+1
>SignatureStatus an enum-like class with ValidSignature, UnknownKey and
>InvalidSignature. We may even include trust calculations here (if
>supported), ValidTrustedSignature and ValidUntrustedSignature or
>similar.
>
>
Yes, I think all of those would be useful.
>And finally
>
>class FooFactory {
> static FooFactory getFactory() throws PGPException;
> Foo newFoo() throws PGPException;
>}
>
>Foo is a placeholder since (1) I can't come up with a good name right
>now and (2) have a long track record of inventing bad names anyway.
>
>
PgpSigner and PgpSignatureVerifier (I can't think of a unified name
without coffee).
- Brett
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
