Type your name as you would like it to appear and hit the enter key. Next, type your e-mail address (and enter). The last field is an optional comment field, which allows you to add a comment to the key entry to further identify you (bet there are a lot of John Smiths out there) without necessarily knowing an e-mail address. You are then prompted to review your entry and given the opportunity to change any of the fields. If everything is okay, type the letter "O" and hit the enter key.

Finally, your Diceware passphrase needs to be typed and verified. After all this data has been entered, GnuPG generates two database files (pubring.gpg and secring.gpg) to hold your keys. GnuPG will display the keys you have just generated, along with the generated key's fingerprint:

public and secret key created and signed.
key marked as ultimately trusted.
pub 1024D/D0D63B4A 2004-08-09 cfTest (ColdFusion test account)
<test@nowhere.com>
Key fingerprint = 7894 04AD B584 2DBD AE71 3101 6FEE 8A8F D0D6 3B4A
sub 1024g/E614ABE6 2004-08-09

You do not need to write any of this information down; as long as you know your passphrase you will be able to use this key for encryption/decryption and hashing functions. With all of this done, it's time to start hooking GnuPG up to ColdFusion!

Java Wrapper
There are several options for getting GnuPG to interact with ColdFusion. A common approach to extending ColdFusion with external objects is to write COM, CORBA, or Java wrappers; in the case of GnuPG, <cfexecute> is also an option. (However, <cfexecute> may not work as desired when returning large amounts of data results to the browser using the variable attribute.) My background is in Java, so I implemented the wrapper for GnuPG in Java.

The Java implementation is relatively straightforward, consisting of two objects: GnuPG and ProcessStreamReader. The ProcessStreamReader object's purpose is to read the standard output generated by the GnuPG binaries. GnuPG.java is also very straightforward, with most of the methods simply constructing the commands to pass to the gpg executable. The main workhorse of the object is the private method runGnuPG, used for actually processing input/output.

Download GnuPG.jar from www.sys-con/coldfusion/sourcec.cfm and place the file in your classpath folder (WEB-INF/lib) or create a classpath variable in the ColdFusion Administrator. You will need to restart your ColdFusion server before you can use the classes in the GnuPG package.

CFC
The logic for executing GnuPG commands resides in the Java wrapper, so the methods contained within the cfGnuPG CFC (see Listing 1) are extremely short. In fact, after creating the Java object, each of the methods in the CFC simply call their Java counterpart in the Java archive, as shown by the following example:

<cffunction name="gpgEncrypt" access="public" displayname="Encrypt"
hint="Encrypts data streams using GnuPG." output="No">
<cfargument name="str" required="Yes" type="string" hint="Data stream to
encrypt.">
<cfargument name="keyID" required="Yes" type="string" hint="User key to
encrypt to.">

<cfscript>
return gpg.encrypt(arguments.str, arguments.keyID);
</cfscript>
</cffunction>

Usage
You're now ready to take a test drive of the GnuPG system in ColdFusion! All that is required to begin using the component on the server is knowing the absolute path to the GnuPG binaries. On Windows systems you can initialize the component like this:

<cfscript>
gpg = createObject("component", "cfGnuPG");
gpg.init("c:\gnupg\gpg.exe");
</cfscript>

After the GnuPG wrapper has been initialized, you have access to all of the methods contained in the component object. Invoking each of the methods then becomes almost effortless. To invoke the listKeys() method to display all the keys on your public key ring, you would simply create a variable that accesses the object and its method within the <cfscript> block:

keys = gpg.listKeys();

<cfoutput> can then be used to return the results of GnuPG to the browser. Encrypting a message is just as easy. Simply invoke the gpgEncrypt() method with the text you want to encrypt and the key you would like to encrypt the message to.

encrypted = gpg.gpgEncrypt("message", "recipient's key");

Decrypting a message is also simple (if you know the passphrase). Just as when using gpgEncrypt() to encrypt a message, gpgDecrypt() takes two parameters: the encrypted string and the passphrase. To decrypt the above example, you would simply code this:

decrypted = gpg.gpgDecrypt(variables.encrypted, "passphrase");

• Source Code