iaik.cms

Class IaikProvider

java.lang.Object

iaik.cms.SecurityProvider

iaik.cms.IaikProvider

Direct Known Subclasses:

EntrustProvider

public class IaikProvider
extends SecurityProvider

This class implements the SecurityProvider for the provider IAIK cryptographic provider of IAIK-JCE.

See Also:

SecurityProvider

Field Summary

Fields inherited from class iaik.cms.SecurityProvider

ALG_CIPHER_RSA, ALG_CIPHER_RSA_DECRYPT, ALG_CIPHER_RSA_ENCRYPT, ALG_CIPHER_RSA_SIGN, ALG_CIPHER_RSA_VERIFY, ALG_DIGEST_MD5, ALG_DIGEST_SHA, ALG_HMAC_MD5, ALG_HMAC_SHA, ALG_KEY_EC, ALG_KEY_ECDSA, ALG_KEYEX_COFACTOR_ECDH, ALG_KEYEX_DH, ALG_KEYEX_ESDH, ALG_KEYEX_STD_ECDH, ALG_SIGNATURE_MD5RSA, ALG_SIGNATURE_RAWDSA, ALG_SIGNATURE_RAWECDSA, ALG_SIGNATURE_RAWRSA, ALG_SIGNATURE_RAWRSAPSS, ALG_SIGNATURE_SHADSA, CIPHER_DECRYPT, CIPHER_ENCRYPT, CIPHER_NONE, CIPHER_UNWRAP, CIPHER_WRAP, IMPLEMENTATION_NAME_DSA, IMPLEMENTATION_NAME_ECDSA, IMPLEMENTATION_NAME_RSA, providerName, providerNames, random, SIGNATURE_NONE, SIGNATURE_SIGN, SIGNATURE_VERIFY

Constructor Summary

Constructors

Constructor and Description
IaikProvider() Default Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected byte[]	calculateSignatureFromSignedAttributes(AlgorithmID signatureAlgorithm, AlgorithmID digestAlgorithm, java.security.PrivateKey privateKey, byte[] signedAttributes) Calculates the signature value for a CMS SignerInfo over the given signed attributes with the given algorithm using the supplied private key.
protected void	checkDomainParameters(java.security.PrivateKey myKey, java.security.PublicKey otherKey) Checks if the given private and public key agreement keya have the same domain parameters.
javax.crypto.SecretKey	decryptKey(byte[] encryptedKey, AlgorithmID kea, java.security.PrivateKey recipientKey) Decrypts the given encrypted content encryption key for a KeyTransRecipientInfo.
protected java.security.KeyPair	generateKeyAgreementKeyPair(AlgorithmID keyAgreeAlgorithm, java.security.PublicKey otherKey) Generates a key pair with same domain parameters of the given public key for the given key agreement method.
java.security.Key	getPBEKey(char[] password, AlgorithmID pbeAlg) Creates secret key from the supplied password using the specified PBE algorithm.
java.security.SecureRandom	getSecureRandom() Returns a new instance of the default SecureRandom class set in the Entrust provider.
protected boolean	verifySignatureFromSignedAttributes(AlgorithmID signatureAlgorithm, AlgorithmID digestAlgorithm, java.security.PublicKey publicKey, byte[] signedAttributes, byte[] signatureValue) Verifies the signature value of a CMS SignerInfo caclculated over the given signed attributes with the given algorithm using the supplied public key.

Methods inherited from class iaik.cms.SecurityProvider

calculateSignatureFromHash, convertCipherMode, createSharedKeyEncryptionKey, encryptKey, getAlgorithmParameters, getCipher, getCipher, getCipher, getKeyAgreement, getKeyFactory, getKeyGenerator, getKeyPairGenerator, getMac, getMessageDigest, getMicAlgs, getSecretKeyFactory, getSecurityProvider, getSignature, getSignature, setSecureRandom, setSecurityProvider, unwrapKey, verifySignatureFromHash, wrapKey

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

IaikProvider

public IaikProvider()

Default Constructor. Tries to add the provider IAIK.

Method Detail

calculateSignatureFromSignedAttributes

protected byte[] calculateSignatureFromSignedAttributes(AlgorithmID signatureAlgorithm,
                                            AlgorithmID digestAlgorithm,
                                            java.security.PrivateKey privateKey,
                                            byte[] signedAttributes)
                                                 throws java.lang.Exception

Calculates the signature value for a CMS SignerInfo over the given signed attributes with the given algorithm using the supplied private key.

Each SignerInfo included in a CMS SignedData object may calculate the signature value differently depending on the presence of signed attributes:

• If signed attributes are present the signature is calculated over the DER encoding of the signed attributes.
• If signed attributes are NOT present, the signature is calculated over the content data itsself.

This method is called by class SignerInfo for calculating the signature when signed attributes are present.

This method uses the supplied digest algorithm to calculate a hash from the given signed attributes and then forwards this hash to method calculateSignatureFromHash for calculating the signature value (respectively doing the digest encryption).

Overrides:

calculateSignatureFromSignedAttributes in class SecurityProvider

Parameters:

signatureAlgorithm - signatureAlgorithm the signature algorithm to be used, e.g. rsaEncryption, DSA

digestAlgorithm - the digest algorithm used for hash computation (e.g. SHA-1 or MD5); may be necessary for some signature schemes (e.g. to be included as a DigestInfo in a PKCS#1 RSA signature)

privateKey - the private key of the signer (i.e. the one supplied when creating a SignerInfo object; may be some kind of "dummy" key when used for smartcards

signedAttributes - the DER encoding of the signed attributes over which the signature shall be calculated

Returns:

the signature value calculated from the given DER encoded signed attributes

Throws:

java.lang.Exception - if any kind of exception occurs during signature calculation (e.g. NoSuchProviderException, NoSuchAlgorithmException (if another signature algorithm than PKCS#1 RSA, DSA or ECDSA is requested), BadPaddingException, InvalidKeyException, SignatureException)

verifySignatureFromSignedAttributes

protected boolean verifySignatureFromSignedAttributes(AlgorithmID signatureAlgorithm,
                                          AlgorithmID digestAlgorithm,
                                          java.security.PublicKey publicKey,
                                          byte[] signedAttributes,
                                          byte[] signatureValue)
                                               throws java.lang.Exception

Verifies the signature value of a CMS SignerInfo caclculated over the given signed attributes with the given algorithm using the supplied public key.

Each SignerInfo included in a CMS SignedData object may calculate the signature value differently depending on the presence of signed attributes:

• If signed attributes are present the signature is calculated over the DER encoding of the signed attributes. For verifying the signature first a hash over the data content has to be compared with the signed MessageDigest attribute. Second the signature value verified against a hash independently computed over the DER encoding of the signed attributes.
• If signed attributes are NOT present, the signature is calculated over the content data itsself. For verifying the signature the signature value verified against a hash independently computed over the content data.

This method is called by class SignerInfo for verifying the signature when no signed attributes are present.

This method uses the supplied digest algorithm to calculate a hash from the given signed attributes and then forwards this hash to method verifySignatureFromHash for verifying the signature value (respectively doing the digest decryption).

Overrides:

verifySignatureFromSignedAttributes in class SecurityProvider

Parameters:

signatureAlgorithm - signatureAlgorithm the signature algorithm, e.g. rsaEncryption, DSA

digestAlgorithm - the digest algorithm used for hash computation (e.g. SHA-1 or MD5);

publicKey - the public key of the signer

signedAttributes - the DER encoding of the signed attributes over which the signature has been calculated

Returns:

true if the signature is ok, false if not

Throws:

java.lang.Exception - if any kind of exception occurs during signature verification (e.g. NoSuchProviderException, NoSuchAlgorithmException (if another signature algorithm than PKCS#1 RSA, DSA or ECDSA is requested), BadPaddingException, InvalidKeyException, SignatureException)

decryptKey

public javax.crypto.SecretKey decryptKey(byte[] encryptedKey,
                                AlgorithmID kea,
                                java.security.PrivateKey recipientKey)
                                  throws java.lang.Exception

Decrypts the given encrypted content encryption key for a KeyTransRecipientInfo.

CMS EnvelopedData uses the KeyTransRecipientInfo type for encrypting the secret content encryption key with the public key of the recipient. Currently in general RSA PKCS#1v1.5 is used for key transport. If rsaEncryption is requested as key encryption algorithm this method uses a RSA Cipher ("RSA/ECB/PKCS1Padding/Encrypt") for decrypting the encrypted content encryption key with the supplied private key of the recipient. If another algorithm than RSA is requested, this method throws a NoSuchAlgorithmException. An application wishing to support another algorithm may override this method.

Overrides:

decryptKey in class SecurityProvider

Parameters:

encryptedKey - the encrypted content encryption key to be decrypted

kea - the key encryption alglorithm to be used, e.g. rsaEncryption

recipientKey - the private key of the recipient to be used for decrypting the encrypted content encryption key

Returns:

the decrypted content encryption key

Throws:

java.lang.Exception - if any kind of exception occurs during cek encryption (e.g. NoSuchProviderException, NoSuchAlgorithmException, BadPaddingException, InvalidKeyException)

checkDomainParameters

protected void checkDomainParameters(java.security.PrivateKey myKey,
                         java.security.PublicKey otherKey)
                              throws java.security.InvalidParameterException

Checks if the given private and public key agreement keya have the same domain parameters.

Currently, the key types that are supported are: DH, ESDH, and EC.

Overrides:

checkDomainParameters in class SecurityProvider

Parameters:

myKey - the private key of the first party

otherKey - the public key of the other party

Throws:

InvalidParameterEyception - if the domain parameters do not match

java.security.InvalidParameterException

generateKeyAgreementKeyPair

protected java.security.KeyPair generateKeyAgreementKeyPair(AlgorithmID keyAgreeAlgorithm,
                                                java.security.PublicKey otherKey)
                                                     throws java.lang.Exception

Generates a key pair with same domain parameters of the given public key for the given key agreement method.

This method is called by the library for creating the originator key pair if the OriginatorPublicKey alternative is used for representing the public key of the originator within a KeyAgreeRecipientInfo. The public key supplied to this method is the one of the recipient and the key pair returned by this method must have domain parameters matching to those of the given recipient public key. Note that ephemeral static Diffie Hellmean (ESDH) is the default key agreement method used by the CMS types EnvelopedData and AuthenticatedData. According RFC 2630 the OriginatorPublicKey has to be used for representing the public key of the originator if ESDH is used as key agreement algorithm.

Overrides:

generateKeyAgreementKeyPair in class SecurityProvider

Parameters:

keyAgreeAlgorithm - the key agreement algorithm to be used

otherKey - the public key of the other party

Returns:

the originator key pair with domain parameters matching to those of the supplied key of the other party

Throws:

java.lang.Exception - if another key agreement method than (ES)DH is requested, key agreement and public key algorithm do not match, or an error occurs during key pair generator initialization or key pair generation

getPBEKey

public java.security.Key getPBEKey(char[] password,
                          AlgorithmID pbeAlg)
                            throws java.lang.Exception

Creates secret key from the supplied password using the specified PBE algorithm. If a PKCS#5 PBE algorithm is used, a PBEKey is created, otherwise (for PKCS#12 PBE algorithms) a PBEKeyBMP. (pbeWithMD5AndDES_CBC (PKCS#5) needs a PBEKey and all the pbe ciphers defined in PKCS#12 need a PBEKeyBMP).

Overrides:

getPBEKey in class SecurityProvider

Parameters:

password - the password for creating the secret key

pbeAlg - the PBE algorithm to be used

Returns:

the secret key as instance of PBEKey or PBEKeyBMP

Throws:

java.lang.Exception - if the PBE key cannot be created

getSecureRandom

public java.security.SecureRandom getSecureRandom()

Returns a new instance of the default SecureRandom class set in the Entrust provider.

For more documentation see the superclass SecurityProvider.

Overrides:

getSecureRandom in class SecurityProvider