iaik.cms.ecc

Class IaikEccProvider

java.lang.Object

iaik.cms.SecurityProvider

iaik.cms.IaikProvider

iaik.cms.ecc.IaikEccProvider

Deprecated.

for ECC the new IAIK ECCelerate™ toolkit shall be used; see installation guidelines (Install.html)

public class IaikEccProvider
extends IaikProvider

This class implements a CMS SecurityProvider for the (deprecated) IAIK-ECC cryptographic provider "IAIK_ECC", version 2.0 or later.

This CMS SecurityProvider implements some methods that are required for supporting Ephemeral-Static ECDH according to RFC 3278.

To install this security provider call:

 // register IAIK-ECC provider 
 iaik.security.ecc.provider.ECCProvider.addAsProvider();
 // install security provider
 SecurityProvider.setSecurityProvider(new IaikEccProvider());
 

See Also:

SecurityProvider, IaikProvider

Field Summary

Fields

Modifier and Type	Field and Description
static iaik.asn1.structures.AlgorithmID	ecka_eg_X963KDF_SHA256 Deprecated. AlgorithmID for ECKA-EG ECC Key Agreement according to BSI TR-03111, BSI TR-03109-1 using ANSI X9.63 KDF with SHA-256.
static iaik.asn1.structures.AlgorithmID	ecka_eg_X963KDF_SHA384 Deprecated. AlgorithmID for ECKA-EG ECC Key Agreement according to BSI TR-03111, BSI TR-03109-1 using ANSI X9.63 KDF with SHA-384.
static iaik.asn1.structures.AlgorithmID	ecka_eg_X963KDF_SHA512 Deprecated. AlgorithmID for ECKA-EG ECC Key Agreement according to BSI TR-03111, BSI TR-03109-1 sing ANSI X9.63 KDF with SHA-512.

Fields inherited from class iaik.cms.IaikProvider

ALG_SIGNATURE_RAWRSA, ALG_SIGNATURE_RAWRSASSA_PKCS1_V15

Fields inherited from class iaik.cms.SecurityProvider

ALG_CIPHER_RSA, ALG_CIPHER_RSA_DECRYPT, ALG_CIPHER_RSA_ENCRYPT, ALG_CIPHER_RSA_SIGN, ALG_CIPHER_RSA_VERIFY, ALG_DIGEST_MD5, ALG_DIGEST_SHA, ALG_HMAC_MD5, ALG_HMAC_SHA, ALG_KEYEX_DH, ALG_KEYEX_ESDH, ALG_KEYEX_SSDH, ALG_SIGNATURE_RAWDSA, ALG_SIGNATURE_RAWECDSA, ALG_SIGNATURE_RAWECDSA_PLAIN, ALG_SIGNATURE_RAWRSAPSS, ALG_SIGNATURE_SHADSA, CIPHER_DECRYPT, CIPHER_ENCRYPT, CIPHER_NONE, CIPHER_UNWRAP, CIPHER_WRAP, COMPRESS, DECOMPRESS, IMPLEMENTATION_NAME_DSA, IMPLEMENTATION_NAME_ECDSA, IMPLEMENTATION_NAME_ECDSA_PLAIN, IMPLEMENTATION_NAME_PBKDF2, IMPLEMENTATION_NAME_PWRI_KEK, IMPLEMENTATION_NAME_RSA, IMPLEMENTATION_NAME_RSA_OAEP, IMPLEMENTATION_NAME_RSA_PSS, provider_, providerName_, random_, SIGNATURE_NONE, SIGNATURE_SIGN, SIGNATURE_VERIFY

Constructor Summary

Constructors

Constructor and Description
IaikEccProvider() Deprecated. Default Constructor.
IaikEccProvider(boolean installProvider) Deprecated. Creates an IaikEccProvider.

Method Summary

Modifier and Type	Method and Description
byte[]	calculateSharedSecret(iaik.asn1.structures.AlgorithmID keyAgreementAlgorithm, java.security.Key key, java.security.Key otherKey, java.security.spec.AlgorithmParameterSpec paramSpec) Deprecated. This method uses the specified KeyAgreement algorithm to calculate a shared secret between the owners of the given private and public key.
void	checkDomainParameters(java.security.PrivateKey myKey, java.security.PublicKey otherKey) Deprecated. Checks if the given private and public key agreement keys have the same domain parameters.
javax.crypto.SecretKey	createSharedKeyEncryptionKey(iaik.asn1.structures.AlgorithmID keyAgreeAlg, java.security.PrivateKey myKey, java.security.PublicKey otherKey, iaik.asn1.structures.AlgorithmID kea, int kekLength, byte[] ukm, java.lang.String kekName) Deprecated. Creates a shared secret key encryption key for the given key agreement algorithm.
static void	encodeX963KdfKeyEncryptionAlgorithmParametersAsNull(boolean encodeParameterAsNull) Deprecated. Whether to encode the parameters field of the key-encryption algorithm as ASN.1 NULL (if no parameters are present) when creating the ECC-CMS-SharedInfo for the ASN1-X9.63-KDF key derivation function.
java.security.KeyPair	generateKeyAgreementKeyPair(iaik.asn1.structures.AlgorithmID keyAgreeAlgorithm, java.security.PublicKey otherKey) Deprecated. Generates a ECDH key pair with same domain parameters of the given ECDH public key for the ECDH key agreement method.
iaik.asn1.ASN1Object	getASN1OriginatorPublicKey(java.security.PublicKey originatorPublicKey) Deprecated. Gets an ASN.1 representation of the provided originator ECDH public key.
java.security.spec.AlgorithmParameterSpec	getEllipticCurveParameterSpec(java.lang.String curveName) Deprecated. Creates an EC AlgorithmParameterSpec for the given curve name.
javax.crypto.KeyAgreement	getKeyAgreement(iaik.asn1.structures.AlgorithmID keyAgreementAlgorithm, java.security.Key key, java.security.spec.AlgorithmParameterSpec paramSpec) Deprecated. This method returns the desired KeyAgreement object.
int	getKeyLength(java.security.PrivateKey privKey) Deprecated. Calculates the length of the given private key.
int	getKeyLength(java.security.PublicKey pubKey) Deprecated. Calculates the length of the given public key.
java.security.PublicKey	getOriginatorPublicKey(iaik.asn1.ASN1Object obj) Deprecated. Decodes the OriginatorPublicKey from the given ASN1Object.
java.lang.String	getProviderName() Deprecated. Gets the name of the underlying cryptographic provider.
java.security.Signature	getSignature(iaik.asn1.structures.AlgorithmID signatureAlgorithm, int mode, java.security.Key key, java.security.spec.AlgorithmParameterSpec paramSpec) Deprecated. This method returns the desired Signature object.
java.security.Signature	getSignature(java.lang.String signatureAlgorithm, int mode, java.security.Key key, java.security.spec.AlgorithmParameterSpec paramSpec) Deprecated. This method returns the desired Signature object.

Methods inherited from class iaik.cms.IaikProvider

calculateSignatureFromHash, calculateSignatureFromSignedAttributes, decryptKey, deriveKey, generateAEADParamSpec, generateAEADParamSpec, generateKey, getAlgorithmParameterSpec, getPBEKey, getSecureRandom, setAEADMac, setIv, turnOffIAIKProviderVersionCheck, unwrapKey, verifySignatureFromHash, verifySignatureFromSignedAttributes, wrapKey

Methods inherited from class iaik.cms.SecurityProvider

calculateMac, compress, convertCipherMode, decryptKey, encryptKey, generateGCMParamSpec, generateKey, getAlgorithmParameters, getAlgorithmParameters, getAlgorithmParameters, getAuthCipherEngine, getAuthCipherEngine, getByteArrayAuthCipherEngine, getByteArrayAuthCipherEngine, getByteArrayCipherEngine, getByteArrayCipherEngine, getCipher, getCipher, getCipher, getCipher, getHash, getInputStreamAuthCipherEngine, getInputStreamAuthCipherEngine, getInputStreamCipherEngine, getInputStreamCipherEngine, getInputStreamCompressEngine, getInputStreamHashEngine, getInputStreamMacEngine, getKeyAlgorithmID, getKeyFactory, getKeyGenerator, getKeyGenerator, getKeyGenerator, getKeyLength, getKeyPairGenerator, getKeyStore, getMac, getMac, getMaskGenerationAlgorithm, getMessageDigest, getMessageDigest, getMicAlgs, getOutputStreamCompressEngine, getOutputStreamHashEngine, getOutputStreamMacEngine, getSecretKeyFactory, getSecretKeyFactory, getSecurityProvider, getSignature, getSignature, getSignatureParameters, setSecureRandom, setSecurityProvider, setSignatureParameters, validateDHPublicKey, validateKeyAgreementKey

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ecka_eg_X963KDF_SHA256

public static final iaik.asn1.structures.AlgorithmID ecka_eg_X963KDF_SHA256

Deprecated.

AlgorithmID for ECKA-EG ECC Key Agreement according to BSI TR-03111, BSI TR-03109-1 using ANSI X9.63 KDF with SHA-256.

• ObjectID = "0.4.0.127.0.7.1.1.5.1.1.3"
• name = "ECKA-EG"
• implementationName = "ECDH"

ecka_eg_X963KDF_SHA384

public static final iaik.asn1.structures.AlgorithmID ecka_eg_X963KDF_SHA384

Deprecated.

AlgorithmID for ECKA-EG ECC Key Agreement according to BSI TR-03111, BSI TR-03109-1 using ANSI X9.63 KDF with SHA-384.

• ObjectID = "0.4.0.127.0.7.1.1.5.1.1.4"
• name = "ECKA-EG"
• implementationName = "ECDH"

ecka_eg_X963KDF_SHA512

public static final iaik.asn1.structures.AlgorithmID ecka_eg_X963KDF_SHA512

Deprecated.

AlgorithmID for ECKA-EG ECC Key Agreement according to BSI TR-03111, BSI TR-03109-1 sing ANSI X9.63 KDF with SHA-512.

• ObjectID = "0.4.0.127.0.7.1.1.5.1.1.5"
• name = "ECKA-EG"
• implementationName = "ECDH"

Constructor Detail

IaikEccProvider

public IaikEccProvider()

Deprecated.

Default Constructor. Tries to install the IAIK and IAIK-ECC providers within the JCA framework.

IaikEccProvider

public IaikEccProvider(boolean installProvider)

Deprecated.

Creates an IaikEccProvider.

Parameters:

installProvider - whether to install the IAIK and IAIK-ECC providers within the JCA framework or to use them without installing them within the JCA framework

Method Detail

encodeX963KdfKeyEncryptionAlgorithmParametersAsNull

public static final void encodeX963KdfKeyEncryptionAlgorithmParametersAsNull(boolean encodeParameterAsNull)

Deprecated.

Whether to encode the parameters field of the key-encryption algorithm as ASN.1 NULL (if no parameters are present) when creating the ECC-CMS-SharedInfo for the ASN1-X9.63-KDF key derivation function.

RFC 3278 has required to encode missing parameters as NULL:

 ECC-CMS-SharedInfo ::= SEQUENCE {
   keyInfo AlgorithmIdentifier,
   entityUInfo [0] EXPLICIT OCTET STRING OPTIONAL,
   suppPubInfo [2] EXPLICIT OCTET STRING   }
 
 where keyInfo is the key encryption algorithm with NULL parameters...
 

However, the successor of RFC 3278, RFC 5753 has changed this requirement to make the encoding of absent parameters dependent of the key-encryption algorithm in use:

 ECC-CMS-SharedInfo ::= SEQUENCE {
    keyInfo         AlgorithmIdentifier,
    entityUInfo [0] EXPLICIT OCTET STRING OPTIONAL,
    suppPubInfo [2] EXPLICIT OCTET STRING  }

 The fields of ECC-CMS-SharedInfo are as follows:

 keyInfo contains the object identifier of the key-encryption
 algorithm (used to wrap the CEK) and associated parameters.  In
 this specification, 3DES wrap has NULL parameters while the AES
 wraps have absent parameters.
 

If required to be compatible with RFC 3278 this method can be called to enforce to encode missing parameters of the key-encryption algorithm as NULL when creating the ECC-CMS-SharedInfo for the ASN1-X9.63-KDF key derivation function.

Parameters:

encodeParameterAsNull - whether to encode absent key encryption algorithm parameters as NULL when creating the ECC-CMS-SharedInfo for the ASN1-X9.63-KDF key derivation function (default: false).

getProviderName

public java.lang.String getProviderName()

Deprecated.

Gets the name of the underlying cryptographic provider.

Overrides:

getProviderName in class SecurityProvider

Returns:

the name of the underlying IAIK-ECC provider

getSignature

public java.security.Signature getSignature(iaik.asn1.structures.AlgorithmID signatureAlgorithm,
                                            int mode,
                                            java.security.Key key,
                                            java.security.spec.AlgorithmParameterSpec paramSpec)
                                     throws java.security.InvalidKeyException,
                                            java.security.NoSuchAlgorithmException

Deprecated.

This method returns the desired Signature object. If the mode parameter is SIGNATURE_SIGN or SIGNATURE_VERIFY the signature object is to be initialized with the provided key in the respective mode. If algorithm parameters are specified they are set for the Signature engine.

Overrides:

getSignature in class SecurityProvider

Parameters:

signatureAlgorithm - the AlgorithmID of the Signature algorithm

mode - the mode indicating if the engine has to be initialized

key - the key for initializing the Signature engine

paramSpec - any parameters to be set for the Signature engine, if not null

Returns:

the (if requested initialized) Signature engine

Throws:

java.security.InvalidKeyException - if the key is not valid

java.security.NoSuchAlgorithmException - if no Signature engine is available for the requested algorithm

getSignature

public java.security.Signature getSignature(java.lang.String signatureAlgorithm,
                                            int mode,
                                            java.security.Key key,
                                            java.security.spec.AlgorithmParameterSpec paramSpec)
                                     throws java.security.InvalidKeyException,
                                            java.security.NoSuchAlgorithmException

Deprecated.

This method returns the desired Signature object. If the mode parameter is SIGNATURE_SIGN or SIGNATURE_VERIFY the signature object is to be initialized with the provided key in the respective mode. If algorithm parameters are specified they are set for the Signature engine.

Overrides:

getSignature in class SecurityProvider

Parameters:

signatureAlgorithm - the name of the Signature algorithm

mode - the mode indicating if the engine has to be initialized

key - the key for initializing the Signature engine

paramSpec - any parameters to be set for the Signature engine, if not null

Returns:

the (if requested initialized) Signature engine

Throws:

java.security.InvalidKeyException - if the key is not valid

java.security.NoSuchAlgorithmException - if no Signature engine is available for the requested algorithm

getKeyLength

public int getKeyLength(java.security.PublicKey pubKey)

Deprecated.

Calculates the length of the given public key.

Overrides:

getKeyLength in class SecurityProvider

Parameters:

pubKey - the public key for which to calculate the length

Returns:

the length (in bits) of the public key

Throws:

java.lang.IllegalArgumentException - if the public key algorithm is not supported

getKeyLength

public int getKeyLength(java.security.PrivateKey privKey)

Deprecated.

Calculates the length of the given private key.

Overrides:

getKeyLength in class SecurityProvider

Parameters:

privKey - the public key for which to calculate the length

Returns:

the length (in bits) of the private key

Throws:

java.lang.IllegalArgumentException - if the private key algorithm is not supported

generateKeyAgreementKeyPair

public java.security.KeyPair generateKeyAgreementKeyPair(iaik.asn1.structures.AlgorithmID keyAgreeAlgorithm,
                                                         java.security.PublicKey otherKey)
                                                  throws java.security.NoSuchAlgorithmException,
                                                         java.security.InvalidKeyException,
                                                         java.security.InvalidAlgorithmParameterException

Deprecated.

Generates a ECDH key pair with same domain parameters of the given ECDH public key for the ECDH key agreement method.

This method is called by the library for creating the originator key pair if the OriginatorPublicKey alternative is used for representing the public key of the originator within a KeyAgreeRecipientInfo. The public key supplied to this method is the one of the recipient and the key pair returned by this method must have domain parameters matching to those of the given recipient public key. According RFC 3278 the OriginatorPublicKey has to be used for representing the public key of the originator if ECDH is used as key agreement algorithm.

Overrides:

generateKeyAgreementKeyPair in class IaikProvider

Parameters:

keyAgreeAlgorithm - the key agreement algorithm to be used

otherKey - the public key of the other party

Returns:

the originator key pair with domain parameters matching to those of the supplied key of the other party

Throws:

java.security.NoSuchAlgorithmException - if the requested algorithm is not available

java.security.InvalidKeyException - if the key is not appropriate for the key agreement algorithm

java.security.InvalidAlgorithmParameterException - if the parameters are invalid

getASN1OriginatorPublicKey

public iaik.asn1.ASN1Object getASN1OriginatorPublicKey(java.security.PublicKey originatorPublicKey)
                                                throws CMSException

Deprecated.

Gets an ASN.1 representation of the provided originator ECDH public key.

Ephemeral-Static ECDH according to RFC 3278 requires that the originatorKey algorithm field of a KeyAgreeRecipientInfo must contain the id-ecPublicKey oid with NULL parameters, and the originatorKey publicKey field must contain the DER encoding of the sending agent's public key (ECPoint) value.

If the supplied key is an ECDH key this method returns an ASN.1 representation of the ECDH originator public key. Otherwise it simply calls super.getASN1OriginatorPublicKey.

Overrides:

getASN1OriginatorPublicKey in class IaikProvider

Parameters:

originatorPublicKey - the originator public key from which to get an ASN.1 representation

Returns:

the ASN.1 representation of the originator public key

Throws:

CMSException - if the key cannot be ASN.1 represented

getOriginatorPublicKey

public java.security.PublicKey getOriginatorPublicKey(iaik.asn1.ASN1Object obj)
                                               throws CMSException

Deprecated.

Decodes the OriginatorPublicKey from the given ASN1Object.

Ephemeral-Static ECDH according to RFC 3278 requires that the originatorKey algorithm field of a KeyAgreeRecipientInfo must contain the id-ecPublicKey oid with NULL parameters, and the originatorKey publicKey field must contain the DER encoding of the sending agent's public key (ECPoint) value.

If the supplied ASN1Object represents an ECDH key this method returns an internal ECPublicKey only containing the public key value (ECPoint) but no parameters, otherwise this method calls super.getOriginatorPublicKey.

Overrides:

getOriginatorPublicKey in class SecurityProvider

Parameters:

obj - the OriginatorPublicKey as ASN1Object

Returns:

the originator public key

Throws:

CMSException - if the ASN1Object cannot be decoded or is invalid structured

checkDomainParameters

public void checkDomainParameters(java.security.PrivateKey myKey,
                                  java.security.PublicKey otherKey)
                           throws java.security.InvalidParameterException

Deprecated.

Checks if the given private and public key agreement keys have the same domain parameters.

If the supplied keys are ECDH keys the parameters are checked. Otherwise super.checkDomainParameters is called.

Overrides:

checkDomainParameters in class IaikProvider

Parameters:

myKey - the private key of the first party

otherKey - the public key of the other party

Throws:

java.security.InvalidParameterException - if the domain parameters do not match

getKeyAgreement

public javax.crypto.KeyAgreement getKeyAgreement(iaik.asn1.structures.AlgorithmID keyAgreementAlgorithm,
                                                 java.security.Key key,
                                                 java.security.spec.AlgorithmParameterSpec paramSpec)
                                          throws java.security.InvalidKeyException,
                                                 java.security.InvalidAlgorithmParameterException,
                                                 java.security.NoSuchAlgorithmException

Deprecated.

This method returns the desired KeyAgreement object.

Overrides:

getKeyAgreement in class SecurityProvider

Parameters:

keyAgreementAlgorithm - the algorithmID of the key agreement algorithm requested

key - the (private) key for initializing the KeyAgreement

paramSpec - any parameters used for intializing the key agreement

Returns:

the initialized KeyAgreement engine

Throws:

java.security.InvalidKeyException - if the key is not valid

java.security.InvalidAlgorithmParameterException - if the parameters are not valid

java.security.NoSuchAlgorithmException - if no KeyAgreement engine is available for the requested algorithm

calculateSharedSecret

public byte[] calculateSharedSecret(iaik.asn1.structures.AlgorithmID keyAgreementAlgorithm,
                                    java.security.Key key,
                                    java.security.Key otherKey,
                                    java.security.spec.AlgorithmParameterSpec paramSpec)
                             throws java.security.InvalidKeyException,
                                    java.security.InvalidAlgorithmParameterException,
                                    java.security.NoSuchAlgorithmException

Deprecated.

This method uses the specified KeyAgreement algorithm to calculate a shared secret between the owners of the given private and public key.

Overrides:

calculateSharedSecret in class SecurityProvider

Parameters:

keyAgreementAlgorithm - the algorithmID of the key agreement algorithm requested

key - the (private) key for initializing the KeyAgreement

otherKey - the (public) key from the other party

paramSpec - any parameters used for initializing the key agreement

Returns:

the shared secret

Throws:

java.security.InvalidKeyException - if the key is not valid

java.security.InvalidAlgorithmParameterException - if the parameters are not valid

java.security.NoSuchAlgorithmException - if no KeyAgreement engine is available for the requested algorithm

createSharedKeyEncryptionKey

public javax.crypto.SecretKey createSharedKeyEncryptionKey(iaik.asn1.structures.AlgorithmID keyAgreeAlg,
                                                           java.security.PrivateKey myKey,
                                                           java.security.PublicKey otherKey,
                                                           iaik.asn1.structures.AlgorithmID kea,
                                                           int kekLength,
                                                           byte[] ukm,
                                                           java.lang.String kekName)
                                                    throws java.security.NoSuchAlgorithmException,
                                                           java.security.InvalidKeyException,
                                                           java.security.InvalidAlgorithmParameterException

Deprecated.

Creates a shared secret key encryption key for the given key agreement algorithm.

Creating a shared key encryption key is required when a key agreement algorithm is used as key management protocol for the recipient of an EnvelopedData or AuthenticatedData object. The shared key encryption key will be used by an KeyAgreeRecipientInfo to encrypt the secret content encryption key or Mac key.

This method only works for Ephemeral-Static ECDH according to RFC 3278. If another key agreement method is requested, this method simply calls super.createSharedKeyEncryptionKey.

Overrides:

createSharedKeyEncryptionKey in class IaikProvider

Parameters:

keyAgreeAlg - the key agreement algorithm

myKey - the private key agreement key of the one party

otherKey - the public key agreement key of the other party

kea - the key ancryption algorithm (may be required for kek generation)

kekLength - the length of the shared key encryption key to be generated

ukm - any user keying material that may be required for kek generation

kekName - the name of the key encryption algorithm

Returns:

the shared key encryption key generated

Throws:

java.security.NoSuchAlgorithmException - if the requested algorithm is not available

java.security.InvalidKeyException - if there is a key related problem

java.security.InvalidAlgorithmParameterException - if the parameters are invalid

getEllipticCurveParameterSpec

public java.security.spec.AlgorithmParameterSpec getEllipticCurveParameterSpec(java.lang.String curveName)
                                                                        throws java.security.spec.InvalidParameterSpecException

Deprecated.

Creates an EC AlgorithmParameterSpec for the given curve name.

Overrides:

getEllipticCurveParameterSpec in class SecurityProvider

Parameters:

curveName - the name of the curve

Returns:

the AlgorithmParameterSpec

Throws:

java.security.spec.InvalidParameterSpecException - if no AlgorithmParameterSpec for the given curve name is available or cannot be created