ballerina-platform · TharmiganK · Nov 18, 2024 · Oct 2, 2024 · Oct 2, 2024 · Oct 2, 2024
@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "crypto"
-version = "2.7.2"
+version = "2.8.0"
 authors = ["Ballerina"]
 keywords = ["security", "hash", "hmac", "sign", "encrypt", "decrypt", "private key", "public key"]
 repository = "https://github.com/ballerina-platform/module-ballerina-crypto"
@@ -15,8 +15,8 @@ graalvmCompatible = true
 [[platform.java17.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "crypto-native"
-version = "2.7.2"
-path = "../native/build/libs/crypto-native-2.7.2.jar"
+version = "2.8.0"
+path = "../native/build/libs/crypto-native-2.8.0-SNAPSHOT.jar"
 
 [[platform.java17.dependency]]
 groupId = "org.bouncycastle"

@@ -10,8 +10,9 @@ distribution-version = "2201.9.0"
 [[package]]
 org = "ballerina"
 name = "crypto"
-version = "2.7.2"
+version = "2.8.0"
 dependencies = [
+	{org = "ballerina", name = "io"},
 	{org = "ballerina", name = "jballerina.java"},
 	{org = "ballerina", name = "lang.array"},
 	{org = "ballerina", name = "test"},
@@ -21,6 +22,19 @@ modules = [
 	{org = "ballerina", packageName = "crypto", moduleName = "crypto"}
 ]
 
+[[package]]
+org = "ballerina"
+name = "io"
+version = "1.6.1"
+scope = "testOnly"
+dependencies = [
+	{org = "ballerina", name = "jballerina.java"},
+	{org = "ballerina", name = "lang.value"}
+]
+modules = [
+	{org = "ballerina", packageName = "io", moduleName = "io"}
+]
+
 [[package]]
 org = "ballerina"
 name = "jballerina.java"
@@ -67,6 +81,15 @@ name = "lang.object"
 version = "0.0.0"
 scope = "testOnly"
 
+[[package]]
+org = "ballerina"
+name = "lang.value"
+version = "0.0.0"
+scope = "testOnly"
+dependencies = [
+	{org = "ballerina", name = "jballerina.java"}
+]
+
 [[package]]
 org = "ballerina"
 name = "test"

@@ -260,7 +260,23 @@ public isolated function encryptPgp(byte[] plainText, string publicKeyPath, *Opt
     'class: "io.ballerina.stdlib.crypto.nativeimpl.Encrypt"
 } external;
 
+# Writes the PGP-encrypted value of the given data to a file specified by the output file path.
+# ```ballerina
+# check crypto:encryptPgpAsFile("input.txt", "public_key.asc", "output.txt");
+# ```
+#
+# + inputFilePath - Path to the input file
+# + publicKeyPath - Path to the public key
+# + outputFilePath - Path to the output file
+# + options - PGP encryption options
+# + return - A `crypto:Error` will be returned if the process fails
+public isolated function encryptPgpAsFile(string inputFilePath, string publicKeyPath, string outputFilePath,
+        *Options options) returns Error? = @java:Method {
+    'class: "io.ballerina.stdlib.crypto.nativeimpl.Encrypt"
+} external;
+
 # Returns the PGP-decrypted value of the given PGP-encrypted data.
+# If the output file already exists, it will be overwritten.
 # ```ballerina
 # byte[] message = "Hello Ballerina!".toBytes();
 # byte[] cipherText = check crypto:encryptPgp(message, "public_key.asc");
@@ -278,3 +294,20 @@ public isolated function decryptPgp(byte[] cipherText, string privateKeyPath, by
     name: "decryptPgp",
     'class: "io.ballerina.stdlib.crypto.nativeimpl.Decrypt"
 } external;
+
+# Writes the PGP-decrypted value of the given data to a file specified by the output file path.
+# If the output file already exists, it will be overwritten.
+# ```ballerina
+# byte[] passphrase = check io:fileReadBytes("pass_phrase.txt");
+# check crypto:decryptPgpAsFile("input.txt", "private_key.asc", passphrase, "output.txt");
+# ```
+#
+# + inputFilePath - Path to the input file
+# + privateKeyPath - Path to the private key
+# + passphrase - passphrase of the private key
+# + outputFilePath - Path to the output file
+# + return - A `crypto:Error` will be returned if the process fails
+public isolated function decryptPgpAsFile(string inputFilePath, string privateKeyPath, byte[] passphrase,
+        string outputFilePath) returns Error? = @java:Method {
+    'class: "io.ballerina.stdlib.crypto.nativeimpl.Decrypt"
+} external;
@@ -176,7 +176,7 @@ public isolated function decodeRsaPrivateKeyFromKeyFile(string keyFile, string?
 # crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromContent(keyFileContent, "keyPassword");
 # ```
 #
-# + keyFile - Private key content as a byte array
+# + content - Private key content as a byte array
 # + keyPassword - Password of the private key if it is encrypted
 # + return - Reference to the private key or else a `crypto:Error` if the private key was unreadable
 public isolated function decodeRsaPrivateKeyFromContent(byte[] content, string? keyPassword = ()) returns PrivateKey|Error = @java:Method {
@@ -311,7 +311,7 @@ public isolated function decodeRsaPublicKeyFromCertFile(string certFile) returns
 # crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromContent(certContent);
 # ```
 #
-# + certFile - The certificate content as a byte array
+# + content - The certificate content as a byte array
 # + return - Reference to the public key or else a `crypto:Error` if the public key was unreadable
 public isolated function decodeRsaPublicKeyFromContent(byte[] content) returns PublicKey|Error = @java:Method {
     'class: "io.ballerina.stdlib.crypto.nativeimpl.Decode"

@@ -14,6 +14,7 @@
 // specific language governing permissions and limitations
 // under the License.
 
+import ballerina/io;
 import ballerina/test;
 
 @test:Config {}
@@ -55,8 +56,63 @@ isolated function testNegativeEncryptAndDecryptWithPgpInvalidPassphrase() return
     byte[]|Error plainText = decryptPgp(cipherText, PGP_PRIVATE_KEY_PATH, passphrase);
     if plainText is Error {
         test:assertEquals(plainText.message(),
-        "Error occurred while PGP decrypt: checksum mismatch at in checksum of 20 bytes");
+                "Error occurred while PGP decrypt: checksum mismatch at in checksum of 20 bytes");
     } else {
         test:assertFail("Should return a crypto Error");
     }
 }
+
+@test:Config {
+    serialExecution: true
+}
+isolated function testEncryptAndDecryptFileWithPgp() returns error? {
+    byte[] passphrase = "qCr3bv@5mj5n4eY".toBytes();
+    check encryptPgpAsFile(SAMPLE_TEXT, PGP_PUBLIC_KEY_PATH, TARGET_ENCRYPTION_OUTPUT);
+    check decryptPgpAsFile(TARGET_ENCRYPTION_OUTPUT, PGP_PRIVATE_KEY_PATH, passphrase, TARGET_DECRYPTION_OUTPUT);
+    test:assertTrue(check isSameFileContent(SAMPLE_TEXT, TARGET_DECRYPTION_OUTPUT));
+}
+
+@test:Config {
+    serialExecution: true
+}
+isolated function testEncryptAndDecryptFileWithPgpWithOptions() returns error? {
+    byte[] passphrase = "qCr3bv@5mj5n4eY".toBytes();
+    check encryptPgpAsFile(SAMPLE_TEXT, PGP_PUBLIC_KEY_PATH, TARGET_ENCRYPTION_OUTPUT, symmetricKeyAlgorithm = AES_128, armor = false);
+    check decryptPgpAsFile(TARGET_ENCRYPTION_OUTPUT, PGP_PRIVATE_KEY_PATH, passphrase, TARGET_DECRYPTION_OUTPUT);
+    test:assertTrue(check isSameFileContent(SAMPLE_TEXT, TARGET_DECRYPTION_OUTPUT));
+}
+
+@test:Config {
+    serialExecution: true
+}
+isolated function testNegativeEncryptAndDecryptFileWithPgpInvalidPrivateKey() returns error? {
+    byte[] passphrase = "p7S5@T2MRFD9TQb".toBytes();
+    check encryptPgpAsFile(SAMPLE_TEXT, PGP_PUBLIC_KEY_PATH, TARGET_ENCRYPTION_OUTPUT);
+    error? err = decryptPgpAsFile(TARGET_ENCRYPTION_OUTPUT, PGP_INVALID_PRIVATE_KEY_PATH, passphrase, TARGET_DECRYPTION_OUTPUT);
+    if err is Error {
+        test:assertEquals(err.message(), "Error occurred while PGP decrypt: Could Not Extract private key");
+    } else {
+        test:assertFail("Should return a crypto Error");
+    }
+}
+
+@test:Config {
+    serialExecution: true
+}
+isolated function testNegativeEncryptAndDecryptFileWithPgpInvalidPassphrase() returns error? {
+    byte[] passphrase = "p7S5@T2MRFD9TQb".toBytes();
+    check encryptPgpAsFile(SAMPLE_TEXT, PGP_PUBLIC_KEY_PATH, TARGET_ENCRYPTION_OUTPUT);
+    error? err = decryptPgpAsFile(TARGET_ENCRYPTION_OUTPUT, PGP_PRIVATE_KEY_PATH, passphrase, TARGET_DECRYPTION_OUTPUT);
+    if err is Error {
+        test:assertEquals(err.message(),
+                "Error occurred while PGP decrypt: checksum mismatch at in checksum of 20 bytes");
+    } else {
+        test:assertFail("Should return a crypto Error");
+    }
+}
+
+isolated function isSameFileContent(string inputFilePath, string outputFilePath) returns boolean|error {
+    byte[] input = check io:fileReadBytes(inputFilePath);
+    byte[] output = check io:fileReadBytes(outputFilePath);
+    return input.toBase64() == output.toBase64();
+}
@@ -0,0 +1,12 @@
+
+Ballerina is an open-source programming language designed for cloud-native application development. It combines features for integration, service orchestration, and network interaction, with a focus on ease of use for building APIs, managing data, and deploying in distributed environments. Ballerina's syntax and built-in concurrency support make it well-suited for creating robust, scalable, and secure services.
+
+Ballerina adopts a developer-friendly approach by incorporating modern programming constructs, such as structural typing, flexible JSON handling, and a familiar C-style syntax, which reduces the learning curve for developers. The language has first-class support for network primitives, allowing developers to directly work with network protocols like HTTP, WebSockets, and gRPC without the need for additional libraries. This direct handling of network interactions makes Ballerina ideal for writing microservices and integrating with other systems effortlessly.
+
+Ballerina also features built-in support for distributed transactions, reliable messaging, and data transformations, making it suitable for integration-heavy applications. Its built-in observability tools, including metrics, logs, and distributed tracing, help developers monitor and debug applications efficiently. Ballerina is inherently cloud-native, with easy containerization and Kubernetes deployment support, simplifying the process of deploying services in modern cloud environments.
+
+The concurrency model in Ballerina is based on the concept of "strands," which are lightweight threads managed by the language runtime. This model allows developers to write concurrent code using simple constructs, such as asynchronous functions and workers, without worrying about low-level threading concerns. This makes it easier to develop applications that are responsive and scalable, capable of handling high loads and concurrent user interactions.
+
+Ballerina’s ecosystem includes various tools, such as the Ballerina Central registry, which provides a platform for sharing and discovering packages. The language’s visual representation of code through sequence diagrams is another unique feature, enabling both developers and non-developers to better understand program behavior, especially for integration logic. Ballerina's compiler can generate these diagrams automatically, which is beneficial for documentation and analysis of workflows.
+
+Furthermore, Ballerina's support for data-oriented programming makes it easy to transform and manipulate structured data formats like JSON, XML, and SQL. This, along with the language’s built-in type system that directly represents these data types, reduces the need for complex data mapping and serialization tasks. With support for RESTful APIs, GraphQL, and multiple database connectors, Ballerina is designed to provide seamless integration capabilities, making it an excellent choice for businesses looking to modernize their IT landscape with cloud-native services.
@@ -38,3 +38,7 @@ const string PGP_PUBLIC_KEY_PATH = "tests/resources/public_key.asc";
 const string PGP_PRIVATE_KEY_PATH = "tests/resources/private_key.asc";
 const string PGP_INVALID_PRIVATE_KEY_PATH = "tests/resources/invalid_private_key.asc";
 const string PGP_PRIVATE_KEY_PASSPHRASE_PATH = "tests/resources/pgp_private_key_passphrase.txt";
+
+const string SAMPLE_TEXT = "tests/resources/sample.txt";
+const string TARGET_ENCRYPTION_OUTPUT = "target/encrypted_output.txt";
+const string TARGET_DECRYPTION_OUTPUT = "target/decrypted_output.txt";
@@ -5,6 +5,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
 
+### Added
+
+- [Introduce new APIs to support PGP encryption and decryption with files](https://github.com/ballerina-platform/ballerina-library/issues/7064)
+
+## [2.7.2] - 2024-05-30
+
 ### Added
 - [Implement the support for reading private/public keys from the content](https://github.com/ballerina-platform/ballerina-library/issues/6513)
 

@@ -51,18 +51,19 @@ The conforming implementation of the specification is released and included in t
    * 4.17. [Decode ML-KEM-768 Private key using Private key and Password](#417-decode-ml-kem-768-private-key-using-private-key-and-password)
    * 4.18. [Decode ML-KEM-768 Public key from PKCS12 file](#418-decode-ml-kem-768-public-key-from-pkcs12-file)
    * 4.19. [Decode ML-KEM-768 Public key from the certificate file](#419-decode-ml-kem-768-public-key-from-the-certificate-file)
-
 5. [Encrypt-Decrypt](#5-encrypt-decrypt)   
    * 5.1. [Encryption](#51-encryption)
      * 5.1.1. [RSA](#511-rsa)
      * 5.1.2. [AES-CBC](#512-aes-cbc)
      * 5.1.3. [AES-ECB](#513-aes-ecb)
      * 5.1.4. [AES-GCM](#514-aes-gcm)
+     * 5.1.5. [PGP](#515-pgp)
    * 5.2. [Decryption](#52-decryption)
      * 5.2.1. [RSA-ECB](#521-rsa-ecb)
      * 5.2.2. [AES-CBC](#522-aes-cbc)
      * 5.2.3. [AES-ECB](#523-aes-ecb)
      * 5.2.4. [AES-GCM](#524-aes-gcm)
+     * 5.2.5. [PGP](#525-pgp)
 6. [Sign and Verify](#6-sign-and-verify)
     * 6.1. [Sign messages](#61-sign-messages)
       * 6.1.1. [RSA-MD5](#611-rsa-md5)
@@ -502,6 +503,46 @@ foreach int i in 0...15 {
 byte[] cipherText = check crypto:encryptAesGcm(data, key, initialVector);
 ```
 
+#### 5.1.5. [PGP](#515-pgp)
+
+This API can be used to create the PGP-encrypted value for the given data.
+
+```ballerina
+string input = "Hello Ballerina";
+byte[] data = input.toBytes();
+string publicKeyPath = "/path/to/publickey.asc";
+
+byte[] cipherText = check crypto:encryptPgp(data, publicKeyPath);
+```
+
+The following encryption options can be configured in the PGP encryption.
+
+| Option                | Description                                                       | Default Value |
+|-----------------------|-------------------------------------------------------------------|---------------|
+| compressionAlgorithm  | Specifies the compression algorithm used for PGP encryption       | ZIP           |
+| symmetricKeyAlgorithm | Specifies the symmetric key algorithm used for encryption         | AES_256       |
+| armor                 | Indicates whether ASCII armor is enabled for the encrypted output | true          |
+| withIntegrityCheck    | Indicates whether integrity check is included in the encryption   | true          |
+
+```ballerina
+string input = "Hello Ballerina";
+byte[] data = input.toBytes();
+string publicKeyPath = "/path/to/publickey.asc";
+
+byte[] cipherText = check crypto:encryptPgp(data, publicKeyPath, armor = false);
+```
+
+In addition to the above, the following API can be used to read a content from a file, encrypt it using the PGP public
+key and write the encrypted content to the file specified.
+
+```ballerina
+string inputFilePath = "/path/to/input.txt";
+string outputFilePath = "/path/to/output.txt";
+string publicKeyPath = "/path/to/publickey.asc";
+
+check crypto:encryptPgpAsFile(inputFilePath, publicKeyPath, outputFilePath);
+```
+
 ### 5.2. [Decryption](#52-decryption)
 
 #### 5.2.1. [RSA-ECB](#521-rsa-ecb)
@@ -574,6 +615,33 @@ byte[] cipherText = check crypto:encryptAesGcm(data, key, initialVector);
 byte[] plainText = check crypto:decryptAesGcm(cipherText, key, initialVector);
 ```
 
+#### 5.2.5. [PGP](#525-pgp)
+
+This API can be used to create the PGP-decrypted value for the given PGP-encrypted data.
+
+```ballerina
+string input = "Hello Ballerina";
+byte[] data = input.toBytes();
+string publicKeyPath = "/path/to/publickey.asc";
+string privateKeyPath = "/path/to/privatekey.asc";
+string passPhrase = "passphrase";
+
+byte[] cipherText = check crypto:encryptPgp(data, publicKeyPath);
+byte[] plainText = check crypto:decryptPgp(cipherText, privateKeyPath, passPhrase.toBytes());
+```
+
+In addition to the above, the following API can be used to read an encrypted content from a file, decrypt it using the
+PGP private key and passphrase and write the decrypted content to the file specified.
+
+```ballerina
+string inputFilePath = "/path/to/input.txt";
+string outputFilePath = "/path/to/output.txt";
+string privateKeyPath = "/path/to/privatekey.asc";
+string passPhrase = "passphrase";
+
+check crypto:decryptPgpAsFile(inputFilePath, privateKeyPath, passPhrase.toBytes(), outputFilePath);
+```
+
 ## 6. [Sign and Verify](#6-sign-and-verify)
 
 The `crypto` library supports signing data using the RSA private key and verification of the signature using the RSA public key. This supports MD5, SHA1, SHA256, SHA384, and SHA512 digesting algorithms, and ML-DSA-65 post-quantum signature algorithm as well.

@@ -1,6 +1,6 @@
 org.gradle.caching=true
 group=io.ballerina.stdlib
-version=2.7.3-SNAPSHOT
+version=2.8.0-SNAPSHOT
 puppycrawlCheckstyleVersion=10.12.0
 bouncycastleVersion=1.78
 githubSpotbugsVersion=5.0.14

@@ -43,6 +43,8 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.security.Security;
 import java.util.Iterator;
 import java.util.Objects;
@@ -123,6 +125,12 @@ public Object decrypt(byte[] encryptedBytes) throws PGPException, IOException {
         }
     }
 
+    public void decrypt(InputStream encryptedIn, String outputPath) throws PGPException, IOException {
+        try (OutputStream outputStream = Files.newOutputStream(Path.of(outputPath))) {
+            decryptStream(encryptedIn, outputStream);
+        }
+    }
+
     private static void decrypt(OutputStream clearOut, Optional<PGPPrivateKey> pgpPrivateKey,
                         PGPPublicKeyEncryptedData publicKeyEncryptedData) throws IOException, PGPException {
         if (pgpPrivateKey.isPresent()) {