GnuPG Security Disaster?

Bernard bht at actrix.gen.nz
Wed Jan 2 10:20:01 CET 2002


Hi Dmitri,

Thanks for your helpful reply.

Today the subject has become even more interesting since I have
managed the first time to get the passphrase through stdin.
So the batch file issue for _decryption_ is gone :)

The interesting part is that in comparison, _encryption_ does not seem
to cooperate in the same way.

Are you or is anybody else aware of a significant difference between
the transmission method of the passphrase during decryption via
    --passphrase-fd n
and the transmission method of the input data during encryption via
default stdin?

You see, I cannot any longer blame Java or Win95 for the failure since
I know that 50% of GnuPG works under Java for me and 50% doesn't.

During encryption, stdout and stderr are empty after stdin was written
to and closed while gpg hangs, apparently still waiting for input on
stdin.

Everything works as expected from a Windows batch file outside Java.
No surprise, under Linux things work from within Java anyway.

Regards,
Bernard


On Tue, 1 Jan 2002 17:08:58 -0800, you wrote:

[snip]
>Quoting Bernard <bht at actrix.gen.nz>:
>
>> I am using gnupg decryption executed from within a Java application in
>> an external Win95 process.
>> 
>> Due to a bug somewhere between Win95/98 and the Java Virtual Machine,
>> Java cannot write to stdin of the external gnupg process.
[snip]
>
>Java does not have DOS loader built in (it's part of the OS), therefore it
>has to pass the executable name and parameters to the OS for loading and
>starting the process (like system() call). At this moment you lose control
>of your command line parameters, passphrase included. The OS itself, and
>any 3rd party utilities (like pview and debuggers) can get to that data.
>
>> Can anyone suggest a more civilised approach to interfacing to the
>> Windows executable from within Java?
>
>Use GPGME? JNI would be nice.
[snip]

Sounds like an interesting project.
But I am not sure whether I should start a new approach (no experience
with JNI) while it appears that what I need is indeed possible with
the GnuPG command line tool.

Regards,
Bernard
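The pattern the thread circles around, shown in Java as an added example that is not part of the original post or of GnuPG itself: the passphrase is handed to gpg over a file descriptor (here fd 0, i.e. stdin) rather than in the argument list that other processes can read, stdin is written and then closed so gpg sees EOF, and stdout and stderr are drained on their own threads before anything is written. It assumes a `gpg` binary on the PATH and uses the hypothetical class and method names `GpgRunner`, `decrypt`, `encrypt` and `run`; the option names (`--batch`, `--no-tty`, `--passphrase-fd`, `--decrypt`, `--encrypt`, `--recipient`, `--armor`) are real GnuPG options.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not from the mailing-list post): drive the gpg command-line
 * tool from Java without ever putting the passphrase on the command line.
 * Assumes "gpg" is on PATH; class and method names here are hypothetical.
 */
public class GpgRunner {

    /** Exit status and captured output of one gpg invocation. */
    public static final class Result {
        public final int exitCode;
        public final byte[] stdout;
        public final String stderr;
        Result(int exitCode, byte[] stdout, String stderr) {
            this.exitCode = exitCode; this.stdout = stdout; this.stderr = stderr;
        }
    }

    /** Copies a child pipe into a buffer on its own thread so the child never blocks on a full pipe. */
    private static Thread drain(final InputStream in, final ByteArrayOutputStream sink) {
        Thread t = new Thread(() -> {
            try (InputStream s = in) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = s.read(buf)) != -1) sink.write(buf, 0, n);
            } catch (IOException ignored) {
                // the child has exited and closed its end; nothing more to read
            }
        });
        t.setDaemon(true);
        t.start();
        return t;
    }

    /** Starts gpg, feeds stdinBytes to its stdin, closes stdin (EOF), and collects output. */
    private static Result run(List<String> argv, byte[] stdinBytes)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).start();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ByteArrayOutputStream err = new ByteArrayOutputStream();
        // Readers are started BEFORE writing, otherwise large output can fill the pipe and stall gpg.
        Thread tOut = drain(p.getInputStream(), out);
        Thread tErr = drain(p.getErrorStream(), err);
        try (OutputStream stdin = p.getOutputStream()) {
            stdin.write(stdinBytes);
            stdin.flush();
        } // closing the stream delivers EOF; gpg stops waiting for more input
        if (!p.waitFor(60, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("gpg did not exit within 60 seconds");
        }
        tOut.join();
        tErr.join();
        return new Result(p.exitValue(), out.toByteArray(), err.toString("UTF-8"));
    }

    /** Decrypt a file: the passphrase is the first line on fd 0, never an argv element. */
    public static Result decrypt(File cipherFile, char[] passphrase)
            throws IOException, InterruptedException {
        List<String> argv = new ArrayList<>(Arrays.asList(
                "gpg", "--batch", "--no-tty", "--passphrase-fd", "0",
                "--decrypt", cipherFile.getPath()));
        byte[] line = (new String(passphrase) + "\n").getBytes(StandardCharsets.UTF_8);
        try {
            return run(argv, line);
        } finally {
            Arrays.fill(line, (byte) 0);      // scrub the passphrase copy once gpg has consumed it
            Arrays.fill(passphrase, '\0');
        }
    }

    /** Public-key encrypt: plaintext goes in on stdin, ASCII-armored ciphertext comes out on stdout. */
    public static Result encrypt(byte[] plaintext, String recipientKeyId)
            throws IOException, InterruptedException {
        List<String> argv = Arrays.asList(
                "gpg", "--batch", "--no-tty", "--armor", "--encrypt", "--recipient", recipientKeyId);
        return run(argv, plaintext);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample usage; "ALICE-KEY-ID" is a placeholder, not a real key.
        Result enc = encrypt("hello".getBytes(StandardCharsets.UTF_8), "ALICE-KEY-ID");
        System.err.println("gpg exit " + enc.exitCode + ": " + enc.stderr);
        System.out.write(enc.stdout);
    }
}
```

On GnuPG 2.1 and later the agent owns passphrase prompting, so `--passphrase-fd` is only honoured together with `--pinentry-mode loopback`; the 1.x releases discussed in this thread need no such option. The reason stdout and stderr are read on separate threads before stdin is written is that a child blocked on a full output pipe never reaches EOF on its input, which presents to the parent exactly as a hang.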





