6 Replies Latest reply on Feb 8, 2010 9:52 AM by kylemurphy2009

    GPG, CFEXECUTE and cfGnuPG

    jarviswabi Level 1
      I'm building an application in CFMX 6.1 (on Windows 2000 Server) that needs to take a file or files encrypted with our GPG public key and decrypt them to produce XML files. I'm using GnuPG, and have worked out all the encrypt/decrypt stuff on the command line of the server. I then was using the cfGnuPG CFC with the gpg.jar Java wrapper to encrypt and decrypt data streams, which worked great, but the gpgDecrypt function in that CFC doesn't seem to handle full files, and if I read the file contents into a variable and then try to decrypt it, it fails.

      So what I'm now back to trying is to use CFEXECUTE to call the decryption function. This command works from the command prompt on the server:

      > C:\Progra~1\GNU\GnuPG\gpg.exe --passphrase-fd 0 < c:\gnupg\pp.txt -o E:\devroot\iqvc\input\\neworders.xml -d e:\devroot\iqvc\input\\128391924.neworders

      I put my passphrase in a text file and pass it into the passphrase-fd parameter as suggested, and the file designated is decrypted and saved as the new filename.

      However, executing this command from CFEXECUTE just hangs--I see a new gpg.exe process spawn on the server, but no output is returned (see attached code). The outputfile is created, but remains empty, and the CF page times out after the 120 seconds. I can do a simple CFEXECUTE of gpg.exe with the "--list-keys" argument, and it returns the correct output. So what's different about this decrypt command? If the command were producing a response prompt, shouldn't that write to the outputfile?

      I gather that the CFEXECUTE process runs GPG under the "Default User" profile, since when I used it to create keys, that's where they went. Is that correct?

      If anybody has any ideas, or a better way to do this, please let me know.
        • 1. Re: GPG, CFEXECUTE and cfGnuPG
          Mr Black Level 1
          Most likely this is an account/user profile issue. If I remember correctly, the current profile is the profile of the currently logged-in interactive user, which may or may not be the "default profile". Also, to access another user's profile the account must have permission, which is not the case for the SYSTEM account. Therefore, even if the necessary profile is loaded, CF might not be able to access it.

          If you set the CF service to run under the same interactive account under which the command line works, and CFEXECUTE works after that, this is it. You can also try to enable "Allow service to interact with desktop" for debugging purposes, so you would actually see the DOS window that might contain an error message and/or a prompt for something.

          You also may try this tag that allows some of the above, if you cannot change settings on the server.
          • 2. Re: GPG, CFEXECUTE and cfGnuPG
            jarviswabi Level 1
            I found my own solution. I think Mr Black is probably right about the user profile deal with CFEXECUTE, but it just seemed like a kludgey solution anyway. What the cfGnuPG CFC/wrapper was missing was a way to invoke GPG to decrypt a FILE, rather than a data stream. So I added a new method to the gnuPG.class file originally provided by Wayne Graham in his CFDJ article to do "decryptFile"--basically, you just pass it a filename instead of a data stream and it works the same way. I also added an optional parameter to it for the output file (GPG option -o), since I found that decrypting the file to output the results was inconsistent (sometimes it would work, other times it would hang). By telling GPG to write the decrypted content to a file, it worked perfectly every time.

            If anyone would like the revised gpg.jar file with the additional method, feel free to email me.
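
The file-based decryption described in reply 2, with the passphrase supplied on stdin as in the original post, written out as an added Java example; it is not the revised gpg.jar or any other code from this thread. The class and method names, the optional `--homedir` argument, the log file and the 120-second limit are assumptions, and the code needs Java 8 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.concurrent.TimeUnit;

// Added example: GpgFileDecrypt and decryptFile are hypothetical names, not the original wrapper's API.
public class GpgFileDecrypt {
    /** Decrypts inFile to outFile and returns gpg's exit code (0 = success). */
    public static int decryptFile(String gpgExe, String homeDir, char[] passphrase,
                                  File inFile, File outFile, File logFile)
            throws IOException, InterruptedException {
        List<String> cmd = new ArrayList<>(Arrays.asList(
            gpgExe,
            "--batch", "--yes",           // never prompt; overwrite outFile if it exists
            "--passphrase-fd", "0"));     // gpg reads the passphrase from its stdin
        if (homeDir != null) {            // pin the keyring location instead of relying
            cmd.add("--homedir");         // on the profile of the service account
            cmd.add(homeDir);
        }
        cmd.addAll(Arrays.asList("-o", outFile.getPath(), "-d", inFile.getPath()));

        ProcessBuilder pb = new ProcessBuilder(cmd);
        pb.redirectErrorStream(true);     // merge stderr into stdout
        pb.redirectOutput(logFile);       // diagnostics go to a file, so gpg cannot block on a full pipe
        Process p = pb.start();

        // Write the passphrase, then close stdin so gpg sees end-of-input.
        try (Writer w = new OutputStreamWriter(p.getOutputStream(), StandardCharsets.UTF_8)) {
            w.write(passphrase);
            w.write('\n');
        } finally {
            Arrays.fill(passphrase, '\0'); // wipe the secret from memory
        }

        if (!p.waitFor(120, TimeUnit.SECONDS)) { // bound the wait instead of hanging the request
            p.destroyForcibly();
            throw new IOException("gpg timed out; see " + logFile);
        }
        return p.exitValue();
    }

    public static void main(String[] args) throws Exception {
        // args: passphrase file, encrypted input, decrypted output (paths supplied by the caller)
        char[] pass = Files.readAllLines(Paths.get(args[0])).get(0).toCharArray();
        int rc = decryptFile("gpg", null, pass, new File(args[1]), new File(args[2]), new File("gpg.log"));
        System.exit(rc);
    }
}
```

ProcessBuilder starts gpg directly rather than through cmd.exe, so the passphrase is written to the child's stdin in code instead of with `<`. With GnuPG 2.1 and later, `--passphrase-fd` also requires `--pinentry-mode loopback`.
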
            • 3. Re: GPG, CFEXECUTE and cfGnuPG
              I would love to get the revised code; this is exactly what I am working on for a client.

              • 4. Re: GPG, CFEXECUTE and cfGnuPG

                I am having the same gnupg hang problem when decrypting. Can I get the revised code from you?


                • 5. Re: GPG, CFEXECUTE and cfGnuPG
                  jarviswabi Level 1
                  John, I'd be happy to send you the code, but I need your email.
                  • 6. Re: GPG, CFEXECUTE and cfGnuPG
                    kylemurphy2009 Level 1

                    I could use the modified gpg.jar file, too, if anyone has it. If not, some insight as to how to modify the existing one would be very helpful.

                    Thank you,