public class EncryptedContentInfoStream
extends java.lang.Object
EncryptedContentInfo
.
The Cryptographic Message Syntax (CMS) (RFC 5652)
defines the EncryptedContentInfo
type for specifying the content type, the content encryption
algorithm and the encrypted content of an EnvelopedData
,
or EncryptedData
structure:
EncryptedContentInfo ::= SEQUENCE { contentType ContentType, contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL }
EncryptedContent ::= OCTET STRING
This class provides several constructors and methods for creating an
EncryptedContentInfoStream
, encrypting its content (thereby optionally
creating a secret content-encryption key in accordance with the specified
content-encryption algorithm), and "re-decrypting" the encrypted content
again.
This class - as in common with all IAIK CMS content type implementations - provides mechanisms for encoding the inherent encrypted content data as indefinite constructed octet string instead of using the default primitive definite encoding scheme:
0x24 0x80 0x04 <blocksize> <first encrypted content block> 0x04 <blocksize> <second encrypted content block> 0x04 <blocksize> <third encrypted content block> ... 0x00 0x00instead of:
0x04 <length> <encrypted content>The indefinite constructed encoding scheme may be preferable for properly handling large amounts of data.
setBlockSize
method has to be used for defining
the length of each primitive definite encoded octet string component before actually
performing the encoding by means of the writeTo
method, e.g.:
//create a EncryptedContentInfoStream for the data to be encrypted, supplied from an input stream: InputStream dataStream = ...; EncryptedContentInfoStream eci = new EncryptedContentInfoStream(ObjectID.cms_data, dataStream); //generate secret key and set up the cipher for encryption: SecretKey key = eci.setupCipher((AlgorithmID)AlgorithmID.aes256_CBC.clone()); //optionally set the block size for splitting the encoding: eci.setBlockSize(2048); //perform the content encryption and encode the EncryptedContentInfo to an output stream eci.writeTo(output_stream);Note: in contrast to the equivalent non-stream supporting
EncryptedContentInfo
class, where the content encryption already is performed when calling a proper
setupCipher
method, this class performs the content encryption actually
during the encoding by piping the data through a cipher stream when executing the
writeTo
method. The corresponding
setupCipher
method only initializes the cipher for the cipher stream
pipe.
In the same way, when parsing an already existing EncryptedContentInfoStream
object a proper setupCipher
method has to be used for initializing the
cipher stream pipe for decryption. The decryption actually is performed when reading
the data previously obtained by means of the getInputstream
method:
//create an EncryptedContentInfoStream from the input stream supplying the encoding: EncryptedContentInfoStream eci = new EncryptedContentInfoStream(encoded_stream); //setup the cipher for decryption using the right secret key: eci.setupCipher(key); //get and read the data thereby actually performing the decryption InputStream data_is = eci.getInputStream(); byte[] buf = new byte[2048]; int r; while ((r = data_is.read(buf)) > 0) { // do something useful }
EnvelopedDataStream
,
EncryptedDataStream
Modifier and Type | Field and Description |
---|---|
protected int |
blockSize_
The block size.
|
protected CipherEngine |
cipher_
The Cipher engine used for en/decryption.
|
protected iaik.asn1.structures.AlgorithmID |
contentEncryptionAlgorithm_
The content-encryption algorithm
|
protected iaik.asn1.ObjectID |
contentType_
The type of the content.
|
static int |
EXPLICIT
Denotes a mode where the encrypted message is not transported within the EncryptedContentInfo.
|
static int |
IMPLICIT
Denotes a mode where the encrypted message is included in the EncryptedContentInfo.
|
protected SecurityProvider |
securityProvider_
The SeucrityProvider used for cryptographic tasks.
|
Modifier | Constructor and Description |
---|---|
protected |
EncryptedContentInfoStream()
Default constructor.
|
|
EncryptedContentInfoStream(java.io.InputStream is)
Creates a new EncryptedContentInfoStream where the BER encoded data
is read from the given InputStream.
|
|
EncryptedContentInfoStream(iaik.asn1.ObjectID contentType,
iaik.asn1.structures.AlgorithmID contentEncAlg)
Creates an EncryptedContentInfoStream with given content type and
content-encryption algorithm ID.
|
|
EncryptedContentInfoStream(iaik.asn1.ObjectID contentType,
java.io.InputStream is)
Creates a new EncryptedContentInfoStream for the given content type where the
content data to be encrypted is read from the provided InputStream.
|
Modifier and Type | Method and Description |
---|---|
protected void |
decode(java.io.InputStream is)
Reads and decodes an encoded EncryptedContentInfoStream from an input stream.
|
int |
getBlockSize()
Gets the block size defining the length of each definite primitive
encoded octet string component.
|
iaik.asn1.structures.AlgorithmID |
getContentEncryptionAlgorithm()
Returns the content-encryption algorithm (including any associated
parameters) of this EncryptedContentInfoStream.
|
iaik.asn1.ObjectID |
getContentType()
Returns the type of the content encrypted by this EncryptedContentInfoStream.
|
java.io.InputStream |
getInputStream()
Returns an InputStream for reading the decrypted content.
|
int |
getMode()
Gets the mode of this EncryptedContentInfoStream.
|
SecurityProvider |
getSecurityProvider()
Gets the SecurityProvider installed for this EncryptedContentInfoStream.
|
boolean |
hasContent()
Returns
true if there is a content. |
void |
setAdditionalAuthData(byte[] aad)
Sets the additional authenticated data which shall be authenticated
but not encrypted.
|
void |
setAuthEnveloped(boolean authEnveloped)
Sets whether this EncryptedContentInfo is used for
authenticated encryption.
|
void |
setBlockSize(int blockSize)
Sets the block size for encoding the encrypted content.
|
void |
setInputStream(java.io.InputStream is)
Sets the input stream that supplies the content data to be encrypted.
|
void |
setMode(int mode)
Sets the mode for this EncryptedContentInfoStream.
|
void |
setSecurityProvider(SecurityProvider securityProvider)
Sets the SecurityProvider for this EncryptedContentInfoStream.
|
javax.crypto.SecretKey |
setupCipher(iaik.asn1.structures.AlgorithmID contentEA)
Setups the cipher and generates a secret key for encrypting the content.
|
javax.crypto.SecretKey |
setupCipher(iaik.asn1.structures.AlgorithmID contentEA,
int keyLength)
Setups the cipher and generates a secret key for encrypting the content.
|
javax.crypto.SecretKey |
setupCipher(iaik.asn1.structures.AlgorithmID contentEA,
int keyLength,
java.security.AlgorithmParameters params)
Setups the cipher and generates a secret key for encrypting the content.
|
javax.crypto.SecretKey |
setupCipher(iaik.asn1.structures.AlgorithmID contentEA,
int keyLength,
java.security.spec.AlgorithmParameterSpec params)
Setups the cipher and generates a secret key for encrypting the content.
|
void |
setupCipher(iaik.asn1.structures.AlgorithmID contentEA,
java.security.Key key,
java.security.AlgorithmParameters params)
Setups the cipher for encrypting the content.
|
void |
setupCipher(iaik.asn1.structures.AlgorithmID contentEA,
java.security.Key key,
java.security.spec.AlgorithmParameterSpec params)
Setups the cipher for encrypting the content.
|
void |
setupCipher(java.security.Key key)
Uses the specified content-encryption key to setup the cipher for
decrypting the content.
|
void |
setupCipher(java.security.Key key,
java.security.AlgorithmParameters params)
Uses the specified key and parameters to setup the cipher for
decrypting the content.
|
void |
setupCipher(java.security.Key key,
java.security.spec.AlgorithmParameterSpec params)
Uses the specified key and parameters to setup the cipher for
decrypting the content.
|
iaik.asn1.ASN1Object |
toASN1Object()
Returns this EncryptedContentInfoStream as ASN1Object.
|
java.lang.String |
toString()
Returns a string giving some information about this
EncryptedContentInfoStream object. |
void |
writeTo(java.io.OutputStream os)
Writes the BER encoding of this object to the given OutputStream.
|
public static final int IMPLICIT
public static final int EXPLICIT
protected iaik.asn1.ObjectID contentType_
protected iaik.asn1.structures.AlgorithmID contentEncryptionAlgorithm_
protected CipherEngine cipher_
protected int blockSize_
protected SecurityProvider securityProvider_
protected EncryptedContentInfoStream()
public EncryptedContentInfoStream(iaik.asn1.ObjectID contentType, java.io.InputStream is)
contentType
- the CMS content typeis
- the input stream holding the content data to encryptpublic EncryptedContentInfoStream(iaik.asn1.ObjectID contentType, iaik.asn1.structures.AlgorithmID contentEncAlg)
contentType
- the type of the encrypted contentcontentEncAlg
- the algorithm used to encrypt the contentpublic EncryptedContentInfoStream(java.io.InputStream is) throws java.io.IOException, CMSParsingException
The given input stream supplies the BER encoding of an already
exisiting EncryptedContentInfoStream
object that may have
been created by calling writeTo
.
Use the EncryptedContentInfoStream(ObjectID contentType, InputStream is)
constructor
for supplying the content to be encrypted when creating an
EncryptedContentInfoStream
object.
is
- the InputStream holding a BER encoded EncryptedContentInfoStream objectjava.io.IOException
- if an I/O error occurs during reading from the InputStreamCMSParsingException
- if an error occurs while parsing the objectpublic void setMode(int mode)
This method may be only called to set the mode to EXPLICIT
for creating a new EncryptedContentInfoStream in EXPLICIT
mode where the
encrypted content shall not be included in the EncryptedContentInfo. In this case
the encrypted content has to be transmitted by other means. This method may not
be called in IMPLICIT
mode (default) where
the encrypted content is included in the EncryptedContentInfo. This method MUST
not be called when parsing an EncryptedContentInfo where the mode is automatically
detected and cannot be changed.
public int getMode()
public void setSecurityProvider(SecurityProvider securityProvider)
This method allows to explicitly set a SecurityProvider for this EncryptedContentInfoStream. If no explicit SecurityProvider is set, the default system wide installed SecurityProvider will be used for the required cryptographic operations.
This class uses the following method(s) of the SecurityProvider
, which may be overriden by an application, if required:
getInputStreamCipherEngine
methods to get an InputStreamCipherEngine
for stream based content en/decryption
getByteArrayCipherEngine
methods to get a ByteArrayCipherEngine
for content en/decryption for non-stream EncryptedContentInfo
objects
generateKey
to generate the symmetric content encryption key
getAlgorithmParameters
to parse algorithm parameters from an AlgorithmID
securityProvider
- the SecurityProvider to be setpublic SecurityProvider getSecurityProvider()
This class uses the following method(s) of the SecurityProvider
, which may be overriden by an application, if required:
getInputStreamCipherEngine
methods to get an InputStreamCipherEngine
for stream based content en/decryption
getByteArrayCipherEngine
methods to get a ByteArrayCipherEngine
for content en/decryption for non-stream EncryptedContentInfo
objects
generateKey
to generate the symmetric content encryption key
getAlgorithmParameters
to parse algorithm parameters from an AlgorithmID
set
for this object,
the default system wide installed SecurityProvider will be used for the required cryptographic
operations. However, this method will return null
if it does not have its own
SecurityProvider.null
if
this object does not have its own SecurityProviderprotected void decode(java.io.InputStream is) throws java.io.IOException, CMSParsingException
is
- the InputStream holding a BER encoded EncryptedContentInfoStream objectjava.io.IOException
- if an I/O error occurs during reading from the InputStreamCMSParsingException
- if an error occurs while parsing the objectpublic void setupCipher(iaik.asn1.structures.AlgorithmID contentEA, java.security.Key key, java.security.AlgorithmParameters params) throws java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.InvalidAlgorithmParameterException
If parameters are specified they are set for the given content encryption
algorithm.
This method creates a cipher for the specified content-encryption algorithm
and initializes it with given key and parameters. The content encryption actually
is performed during the encoding when writing this EncyrptedContentInfo to a stream
by calling the writeTo
method. So it is important
to setup the cipher before writing to the stream!
Note: This method internaly creates a clone of the supplied AlgorithmID.
If parameters are supplied they are used for initializing the Cipher engine.
After initializing the Cipher engine, method Cipher.getParameters() is called
to get (back) the parameters the Cipher has been initialized with (respectively
the Cipher has created itsself) for including them into the AlgorithmID to be sent
to the recipient. This may override any parameters that have been included in
the AlgorithmID by the user. So, if you have included parameters in the
AlgorithmID, take care to supply them as params
for initializing
the Cipher, too.
If params
is null, the Cipher will create and use (and send in
the AlgorithmID) its own parameters.
contentEA
- the algorithm to use for encrypting the contentkey
- the key to useparams
- the parameters to initialize the cipherjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmjava.security.InvalidKeyException
- if the key is inappropriate for the content-encryption algorithmjava.security.InvalidAlgorithmParameterException
- if the provided parameters are not appropriate for the algorithmpublic void setupCipher(iaik.asn1.structures.AlgorithmID contentEA, java.security.Key key, java.security.spec.AlgorithmParameterSpec params) throws java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.InvalidAlgorithmParameterException
writeTo
method. So it is important
to setup the cipher before writing to the stream!
Note: This method internaly creates a clone of the supplied AlgorithmID.
If parameters are supplied they are used for initializing the Cipher engine.
After initializing the Cipher engine, method Cipher.getParameters() is called
to get (back) the parameters the Cipher has been initialized with (respectively
the Cipher has created itsself) for including them into the AlgorithmID to be sent
to the recipient. This may override any parameters that have been included in
the AlgorithmID by the user. So, if you have included parameters in the
AlgorithmID, take care to supply them as params
for initializing
the Cipher, too.
If params
is null, the Cipher will create and use (and send in
the AlgorithmID) its own parameters.
contentEA
- the algorithm to use for encrypting the contentkey
- the key to useparams
- the parameters to initialize the cipherjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmjava.security.InvalidKeyException
- if the key is inappropriate for the content-encryption algorithmjava.security.InvalidAlgorithmParameterException
- if the provided parameters are not appropriate for the algorithmpublic javax.crypto.SecretKey setupCipher(iaik.asn1.structures.AlgorithmID contentEA) throws java.security.NoSuchAlgorithmException
This method creates a cipher for the specified content-encryption algorithm
and initializes it with a newly generated secret key. The content encryption
actually is performed during the encoding when writing this EncyrptedContentInfo
to a stream by calling the writeTo
method. So it
is important to setup the cipher before writing to the stream!
Attention! This method only shall be used for cipher setup if the secret key to be generated has a predefined length or default setting, since no key length parameter is offered. For generating a Key of specific length to be used for encrypting the content call method {#setupCipher(AlgorithmID, int) setupCipher(AlgorithmID contentEA, int keyLength)}.
Note: This method internaly creates a clone of the supplied AlgorithmID.
contentEA
- the algorithm to use for encrypting the contentjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmpublic javax.crypto.SecretKey setupCipher(iaik.asn1.structures.AlgorithmID contentEA, int keyLength) throws java.security.NoSuchAlgorithmException
If the specified content encryption algorithm supports variable key lengths, a
particular key length may be set by means of the keyLength
parameter.
If no length is specified, the defined default key length will be used. If the
algorithm only works with keys of fixed-size length, the keyLength parameter
may be set to -1 or the setupCipher(AlgorithmID)
method may be used.
This method creates a cipher for the specified content-encryption algorithm
and initializes it with the newly generated secret key. The content encryption
actually is performed during the encoding when writing this EncyrptedContentInfo
to a stream by calling the writeTo
method. So it
is important to setup the cipher before writing to the stream!
contentEA
- the algorithm to use for encrypting the contentkeyLength
- the key length that may be set when using a content
encryption algorithm that supports variable key lengthsjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmpublic javax.crypto.SecretKey setupCipher(iaik.asn1.structures.AlgorithmID contentEA, int keyLength, java.security.spec.AlgorithmParameterSpec params) throws java.security.NoSuchAlgorithmException
If the specified content encryption algorithm supports variable key lengths, a
particular key length may be set by means of the keyLength
parameter.
If no length is specified, the defined default key length will be used. If the
algorithm only works with keys of fixed-size length, the keyLength parameter
may be set to -1 or the setupCipher(AlgorithmID)
method may be used.
This method creates a cipher for the specified content-encryption algorithm
and initializes it with the newly generated secret key. The content encryption
actually is performed during the encoding when writing this EncyrptedContentInfo
to a stream by calling the writeTo
method. So it
is important to setup the cipher before writing to the stream!
contentEA
- the algorithm to use for encrypting the contentkeyLength
- the key length that may be set when using a content
encryption algorithm that supports variable key lengthsparams
- the algorithm parameters for initializing the cipherjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmpublic javax.crypto.SecretKey setupCipher(iaik.asn1.structures.AlgorithmID contentEA, int keyLength, java.security.AlgorithmParameters params) throws java.security.NoSuchAlgorithmException
If the specified content encryption algorithm supports variable key lengths, a
particular key length may be set by means of the keyLength
parameter.
If no length is specified, the defined default key length will be used. If the
algorithm only works with keys of fixed-size length, the keyLength parameter
may be set to -1 or the setupCipher(AlgorithmID)
method may be used.
This method creates a cipher for the specified content-encryption algorithm
and initializes it with the newly generated secret key. The content encryption
actually is performed during the encoding when writing this EncyrptedContentInfo
to a stream by calling the writeTo
method. So it
is important to setup the cipher before writing to the stream!
contentEA
- the algorithm to use for encrypting the contentkeyLength
- the key length that may be set when using a content
encryption algorithm that supports variable key lengthsparams
- the algorithm parameters for initializing the cipherjava.security.NoSuchAlgorithmException
- if there is no implementation for the specified algorithmpublic void setupCipher(java.security.Key key, java.security.spec.AlgorithmParameterSpec params) throws java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.InvalidAlgorithmParameterException
The decryption actually is performed when subsequently getting and reading
the content by means of the getInputStream
method. So the content should not be read before setting
up the cipher!
key
- the (secret) key to decrypt the contentparams
- the algorithm parameters needed to decrypt the contentjava.security.NoSuchAlgorithmException
- if there is no implementation for the content-encryption-algorithm to be usedjava.security.InvalidKeyException
- if the key is inappropriate for the content-encryption algorithmjava.security.InvalidAlgorithmParameterException
- if the provided parameters are not appropriate for the created cipherpublic void setupCipher(java.security.Key key, java.security.AlgorithmParameters params) throws java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, java.security.InvalidAlgorithmParameterException
The decryption actually is performed when subsequently getting and reading
the content by means of the getInputStream
method. So the content should not be read before setting
up the cipher!
key
- the (secret) key to decrypt the contentparams
- the algorithm parameters needed to decrypt the contentjava.security.NoSuchAlgorithmException
- if there is no implementation for the content-encryption-algorithm to be usedjava.security.InvalidKeyException
- if the key is inappropriate for the content-encryption algorithmjava.security.InvalidAlgorithmParameterException
- if the provided parameters are not appropriate for the created cipherpublic void setupCipher(java.security.Key key) throws java.security.NoSuchAlgorithmException, java.security.InvalidKeyException, CMSException
The decryption actually is performed when subsequently getting and reading
the content by means of the getInputStream
method. So the content should not be read before setting
up the cipher!
key
- the (secret) key to decrypt the contentjava.security.NoSuchAlgorithmException
- if there is no implementation for the content-encryption-algorithm to be usedjava.security.InvalidKeyException
- if the key is inappropriate for the content-encryption algorithmCMSException
- if the algorithm parameter cannot be retrieved from the algorithmpublic void setBlockSize(int blockSize)
blockSize
is positive, the encrypted content is encoded
as indefinite constructed octet string being composed of a certain number
of definite primitive encoded octet strings of blockSize
length:
0x24 0x80 0x04 <blocksize> <first encrypted content block> 0x04 <blocksize> <second encrypted content block> 0x04 <blocksize> <third encrypted content block> ... 0x00 0x00If
blockSize
is not positive, whole the encrypted content is encoded
as definite primitive octet string when calling the writeTo
method:
0x04 <length> <encrypted content>
blockSize
- the block size defining the encoding scheme - and specifying the
length of each primitive encoded octet string component, if positivepublic int getBlockSize()
If the value of blockSize
is smaller or equal to zero the
whole data is encoded as definite primitive octet string.
This method may be used for enforcing block encoding when wrapping the
EncryptedData into a ContentInfo.
public iaik.asn1.ASN1Object toASN1Object() throws CMSException
EncryptedContentInfoStream
as ASN1Object.CMSException
public void writeTo(java.io.OutputStream os) throws java.io.IOException, CMSException
When encoding the content data to the given stream it is piped through a cipher stream thereby performing the content encryption.
If the setBlockSize
method has been
utilized for defining a positive blockSize
value, the encrypted content
is encoded as indefinite constructed octet string being composed of a certain number
of definite primitive encoded octet strings of blockSize
length:
0x24 0x80 0x04 <blocksize> <first encrypted content block> 0x04 <blocksize> <second encrypted content block> 0x04 <blocksize> <third encrypted content block> ... 0x00 0x00Otherwise, whole the encrypted content is encoded as definite primitive octet string:
0x04 <length> <encrypted content>
os
- the OutputStream to which the encoding shall be written tojava.io.IOException
- if an I/O error occurs during writing to the OutputStreamCMSException
- if an error occurs while encoding the objectpublic iaik.asn1.ObjectID getContentType()
public iaik.asn1.structures.AlgorithmID getContentEncryptionAlgorithm()
public java.io.InputStream getInputStream()
When having created a new EncryptedContentInfoStream
object to
be encoded to a stream, this method should not be utilized at all, since the stream
automatically will be read during performing the encoding (which is done
when calling the writeTo
method).
When having decoded and parsed a received EncryptedContentInfoStream
object
coming from some stream, this method may be used for obtaining the raw (decrypted) data
after having done the cipher setup.
public void setInputStream(java.io.InputStream is)
is
- the input stream holding the content data to encryptpublic boolean hasContent()
true
if there is a content.true
if there is a contentpublic java.lang.String toString()
EncryptedContentInfoStream
object.toString
in class java.lang.Object
public void setAuthEnveloped(boolean authEnveloped)
authEnveloped
- whether to use this EncryptedContentInfo for
authenticated encryption (default: false)public void setAdditionalAuthData(byte[] aad)
Only meaningful for CMS content type AuthEnvelopedData.
aad
- the additional authenticated data (DER encoded authenticated
attributes from AuthEnvelopedData content type according to
RFC 5083), or null
if there are no authenticated
attributes