HMac ("Entrust Authority Security Toolkit for the Java Platform")

java.lang.Object
- javax.crypto.MacSpi
- - com.entrust.toolkit.security.crypto.mac.HMac

Direct Known Subclasses:

Md5HMac, Sha1HMac, Sha224HMac, Sha256HMac, Sha384HMac, Sha512HMac
```
public abstract class HMac
extends javax.crypto.MacSpi
```
Defines Entrust's keyed-hashing for message authentication (HMAC) architecture; it contains all the common functionality used by Entrust's HMAC algorithms.
Algorithms that provide a way to check the integrity of information based on a secret key are called message authentication codes (MAC). Typically, message authentication codes are used between two parties that share a secret key in order to validate information transmitted between these parties. An HMAC is simply a MAC algorithm based on a cryptographic hash function.

HMAC can be used in combination with any iterated cryptographic message digest algorithm (SHA-1, SHA-256, ...). It requires a secret key for the calculation and verification of the message authentication values. This key can be of any length, however, if it is longer than the block size of the underlying message digest algorithm, it is automatically internally digested using the message digest algorithm and the result is then used as the key. As a result, long keys do not significantly increase the strength of the algorithm (using longer keys may be advisable if the randomness of the key is considered weak). It is recommended that the key be at least as large as the output size of the message digest algorithm; using shorter keys will decrease the security strength of the algorithm.

An HMAC algorithm instance can be obtained using the Java Cryptography Architecture (JCA), by requesting the '<algorithm>' MAC from the Entrust cryptographic service provider. This can be done using the following call:

Mac.getInstance("<algorithm>", "Entrust");

The following key types are currently supported:
- Standard secret keys (software keys); keys with 'RAW' primary encoding format
- Secret keys that reside on a PKCS#11 device (PKCS11 keys); instance of TokenSymmetricKey.
FIPS 140-2:

This class is part of the Toolkit's FIPS 140-2 cryptographic module and contains APIs that are considered part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; refer to the API documentation for further details
Since:

7.2

See Also:
FIPS 198, The Keyed-Hash Message Authentication Code (HMAC), RFC 2104, HMAC: Keyed-Hashing for Message Authentication

Method Summary

Methods
Modifier and Type	Method and Description
`protected byte[]`	`engineDoFinal()` Completes the MAC computation and resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
`protected int`	`engineGetMacLength()` Returns the length of the MAC in bytes.
`protected void`	`engineInit(java.security.Key key, java.security.spec.AlgorithmParameterSpec params)` Initializes the MAC with the given (secret) key and algorithm parameters.
`protected void`	`engineReset()` Resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
`protected void`	`engineUpdate(byte input)` Processes the given byte.
`protected void`	`engineUpdate(byte[] input, int offset, int len)` Processes the first `len` bytes in `input`, starting at `offset` inclusive.

Methods inherited from class javax.crypto.MacSpi
clone, engineUpdate

Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Method Detail
  - engineInit
```
protected final void engineInit(java.security.Key key,
              java.security.spec.AlgorithmParameterSpec params)
                         throws java.security.InvalidKeyException,
                                java.security.InvalidAlgorithmParameterException
```
    Initializes the MAC with the given (secret) key and algorithm parameters.
    FIPS 140-2:
    
    FIPS Service: Initialization
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data input interface (parameters)
    
    status output interface (exceptions)
    Specified by:
    
    engineInit in class javax.crypto.MacSpi
    
    Parameters:
    key - [FIPS 140-2 data input] [FIPS 140-2 CSP] the (secret) key.
    params - [FIPS 140-2 data input] the algorithm parameters.
    
    Throws:
    
    java.security.InvalidKeyException - [FIPS 140-2 status output] if the given key is inappropriate for initializing this MAC.
    
    java.security.InvalidAlgorithmParameterException - [FIPS 140-2 status output] if the given algorithm parameters are inappropriate for this MAC.
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineDoFinal
```
protected final byte[] engineDoFinal()
```
    Completes the MAC computation and resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
    FIPS 140-2:
    
    FIPS Service: MAC Generation/Verification
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data output interface (return value)
    
    status output interface (exceptions)
    Specified by:
    
    engineDoFinal in class javax.crypto.MacSpi
    
    Returns:
    [FIPS 140-2 data output] the MAC result.
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineUpdate
```
protected final void engineUpdate(byte[] input,
                int offset,
                int len)
```
    Processes the first len bytes in input, starting at offset inclusive.
    FIPS 140-2:
    
    FIPS Service: MAC Generation/Verification
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data input interface (parameters)
    
    status output interface (exceptions)
    Specified by:
    
    engineUpdate in class javax.crypto.MacSpi
    
    Parameters:
    input - [FIPS 140-2 data input] the input buffer.
    offset - [FIPS 140-2 data input] the offset in input where the input starts.
    len - [FIPS 140-2 data input] the number of bytes to process.
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineUpdate
```
protected final void engineUpdate(byte input)
```
    Processes the given byte.
    FIPS 140-2:
    
    FIPS Service: MAC Generation/Verification
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data input interface (parameters)
    
    status output interface (exceptions)
    Specified by:
    
    engineUpdate in class javax.crypto.MacSpi
    
    Parameters:
    input - [FIPS 140-2 data input] the input byte to be processed.
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineReset
```
protected final void engineReset()
```
    Resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
    FIPS 140-2:
    
    FIPS Service: Modify Object
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    status output interface (exceptions)
    Specified by:
    
    engineReset in class javax.crypto.MacSpi
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations
  - engineGetMacLength
```
protected final int engineGetMacLength()
```
    Returns the length of the MAC in bytes.
    FIPS 140-2:
    
    FIPS Service: Query Object
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    data output interface (return value)
    
    status output interface (exceptions)
    Specified by:
    
    engineGetMacLength in class javax.crypto.MacSpi
    
    Returns:
    [FIPS 140-2 data output] the MAC length in bytes.
    
    Throws:
    
    Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations

Class HMac

Method Summary

Methods inherited from class javax.crypto.MacSpi

Methods inherited from class java.lang.Object

Method Detail

engineInit

engineDoFinal

engineUpdate

engineUpdate

engineReset

engineGetMacLength