iaik.cms.RecipientInfo
iaik.cms.KEKRecipientInfo
|
|||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
java.lang.Object
public class KEKRecipientInfo
This class implements the CMS KEKRecipientInfo type.
The Cryptographic Message Syntax (CMS) (RFC 5652)
specifies the KEKRecipientInfo type as RecipientInfo choice for collecting
all recipient-related information about some particular recipient a CMS EnvelopedData or CMS
AuthenticatedData object shall be sent to when the recipient has a secret key to be used for
encrypting the secret content-encryption key:
KEKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set 4
kekid KEKIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
EncryptedKey ::= OCTET STRING
KEKIdentifier ::= SEQUENCE {
keyIdentifier OCTET STRING,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
The kekid field specifies the recipient secret key encryption key
by keyIdentifier and optional date and OtherKeyAttribute. The use of
OtherKeyAttribute should be avoided because of interoperability
reasons.
The keyEncryptionAlgorithm field identifies the key wrap algorithm
used for encrypting the randomly generated content-encryption key with
a secret key encryption key. The encrypted content-encryption
key (used for encrypting the content) is stored in the encryptedKey
field.
This class provides several constructors and methods for creating a
KEKRecipientInfo object, obtaining the component values,
and encrypting (respectively decrypting) the content-encryption key.
When creating
a new KEKRecipientInfo you have to supply the KEKIdentifier identifying
the secret key encryption key, the key encryption algorithm to be used
and the key encryption key itself:
// the KEK identifier: KEKIdentifier kekid = ...; // use AES KeyWrap for encrypting (wrapping) the content encryption key: AlgorithmID kea = (AlgorithmID)AlgorithmID.cms_aes256_wrap.clone(); // the key encryption key: SecretKey kek = ...; // create the KEKRecipientInfo: KEKRecipientInfo recipient = new KEKRecipientInfo(kekid, kea, kek);The following example shows the typical usage for including a KEKRecipientInfo into a EnvelopedData object, encoding it, decoding it at the recipient side and decrypt the content (we use the stream-based EnvelopedData implementation for this sample):
// the key encryption key:
SecretKey kek = ...;
byte[] kekid = ...;
// the KEK identifier:
KEKIdentifier kekIdentifier = new KEKIdentifier(kekid);
// use AES KeyWrap for encrypting (wrapping) the content encryption key:
AlgorithmID kea = (AlgorithmID)AlgorithmID.cms_aes256_wrap.clone();
// create the KEKRecipientInfo:
KEKRecipientInfo recipient = new KEKRecipientInfo(kekIdentifier, kea, kek);
// create an EnvelopedData for the content to be encrypted:
EnvelopedDataStream envelopedData = new EnvelopedDataStream(is, (AlgorithmID)AlgorithmID.aes256_CBC.clone());
// add the recipient information:
envelopedData.addRecipientInfo(recipient);
// write the EnvelopedData to a stream thereby performing the content encryption:
int blockSize = ...;
OutputStream encoded_stream = ...;
envelopedData.writeTo(encoded_stream, blockSize);
...
// on the recipient side decode the EnvelopedData:
InputStream encodedStream = ...;
EnvelopedDataStream envelopedData = new EnvelopedData(encodedStream);
// Get information about the inherent EncryptedContentInfo:
EncryptedContentInfoStream eci = (EncryptedContentInfoStream)enveloped_data.getEncryptedContentInfo();
System.out.println("Content type: "+eci.getContentType().getName());
System.out.println("Content encryption algorithm: "+eci.getContentEncryptionAlgorithm().getName());
// setup the cipher for decryption:
envelopedData.setupCipher(kek, kekIdentifier);
// read the content thereby performing the content decryption:
InputStream data_is = enveloped_data.getInputStream();
byte[] buf = new byte[2048];
int r;
while ((r = data_is.read(buf)) > 0) {
// do something useful
}
KEKIdentifier,
RecipientInfo| Field Summary |
|---|
| Fields inherited from class iaik.cms.RecipientInfo |
|---|
KEK_RECIPIENT_INFO, KEY_AGREE_RECIPIENT_INFO, KEY_TRANSPORT_RECIPIENT_INFO, keyEncryptionAlgorithm_, OTHER_RECIPIENT_INFO, PASSWORD_RECIPIENT_INFO, securityProvider_, version_ |
| Constructor Summary | |
|---|---|
KEKRecipientInfo()
Default Constructor. |
|
KEKRecipientInfo(ASN1Object obj)
Creates a KEKRecipientInfo from an ASN1Object. |
|
KEKRecipientInfo(ASN1Object obj,
SecurityProvider securityProvider)
Creates a KEKRecipientInfo from an ASN1Object. |
|
KEKRecipientInfo(KEKIdentifier kekid,
AlgorithmID keyEA,
byte[] encryptedKey)
Creates a KEKRecipientInfo object for the given
kek identifier, key-encryption algorithm, and already
encrypted content encryption key. |
|
KEKRecipientInfo(KEKIdentifier kekid,
AlgorithmID keyEA,
javax.crypto.SecretKey kek)
Creates a KEKRecipientInfo object for the given
kek identifier, key-encryption algorithm and secret key encryption
key. |
|
KEKRecipientInfo(KEKIdentifier kekid,
AlgorithmID keyEA,
javax.crypto.SecretKey kek,
java.security.AlgorithmParameters params)
Creates a KEKRecipientInfo object for the given
kek identifier, key-encryption algorithm and secret key encryption key. |
|
| Method Summary | |
|---|---|
void |
decode(ASN1Object obj)
Decodes the given ASN.1 KEKRecipientInfo object for parsing
the internal structure. |
javax.crypto.SecretKey |
decryptKey(java.security.Key kek,
KeyIdentifier recipientIdentifier,
java.lang.String cekAlgName)
Uses the given secret key encryption key to decrypt (unwrap) the encrypted (wrapped) content-encryption key. |
void |
encryptKey(javax.crypto.SecretKey cek)
Encrypts (wraps) the given secret content-encryption key. |
byte[] |
getEncryptedKey()
Returns the encrypted content-encryption key. |
byte[] |
getEncryptedKey(KeyIdentifier recipientIdentifier)
Returns the encrypted content-encryption key for the recipient with the given keyIdentfier. |
KeyIdentifier |
getRecipientIdentifier()
Gets the key identifier belonging to the recipient of this KEKRecipientInfo. |
KeyIdentifier[] |
getRecipientIdentifiers()
Gets the key identifier belonging to the recipient of this KEKRecipientInfo. |
boolean |
isRecipientInfoFor(KeyIdentifier recipientIdentifier)
Checks if this is a RecipientInfo for the recipient identified by the given key identifier. |
CertificateIdentifier |
isRecipientInfoFor(X509Certificate recipientCertificate)
Always returns null indicating that a KEKRecipientInfo does not use
certificates. |
ASN1Object |
toASN1Object()
Returns this KEKRecipientInfo as ASN1Object. |
java.lang.String |
toString()
Returns a string giving some information about this KEKRecipientInfo object. |
| Methods inherited from class iaik.cms.RecipientInfo |
|---|
createRecipientInfos, decryptKey, decryptKey, decryptKey, getKeyEncryptionAlgorithm, getRecipientInfoType, getSecurityProvider, getVersion, parseRecipientInfo, parseRecipientInfo, parseRecipientInfo, parseRecipientInfo, parseRecipientInfos, parseRecipientInfos, setSecurityProvider |
| Methods inherited from class java.lang.Object |
|---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
| Constructor Detail |
|---|
public KEKRecipientInfo()
KEKRecipientInfo
object and sets the version number to 4.
public KEKRecipientInfo(KEKIdentifier kekid,
AlgorithmID keyEA,
byte[] encryptedKey)
KEKRecipientInfo object for the given
kek identifier, key-encryption algorithm, and already
encrypted content encryption key. The already encrypted secret key
is supplied in a byte array and has been encrypted using the given
key-encryption algorithm.
kekid - the KEKIdentifier identifying the key encryption keykeyEA - the ID of the key-encryption (key-wrap) algorithm that has been
used for encrypting the content-encryption keyencryptedKey - the already encrypted secret content-encryption key
public KEKRecipientInfo(KEKIdentifier kekid,
AlgorithmID keyEA,
javax.crypto.SecretKey kek,
java.security.AlgorithmParameters params)
KEKRecipientInfo object for the given
kek identifier, key-encryption algorithm and secret key encryption key.
Note: this constructor internally creates a clone of the supplied key-encryption AlgorithmID.
kekid - the KEKIdentifier identifying the key encryption keykeyEA - the ID of the key-encryption (key-wrap) algorithm to be used
for encrypting the content-encryption keykek - the secret key encryption key to be used for
encrypting the content-encryption keyparams - any algorithm parameters to be used for intializing the
key wrap cipher
public KEKRecipientInfo(KEKIdentifier kekid,
AlgorithmID keyEA,
javax.crypto.SecretKey kek)
KEKRecipientInfo object for the given
kek identifier, key-encryption algorithm and secret key encryption
key.
Note: this constructor internally creates a clone of the supplied key-encryption AlgorithmID.
kekid - the KEKIdentifier identifying the key encryption keykeyEA - the ID of the key-encryption (key-wrap) algorithm to be used
for encrypting the content-encryption keykek - the secret key encryption key to be used for
encrypting the content-encryption key
public KEKRecipientInfo(ASN1Object obj)
throws CodingException
KEKRecipientInfo from an ASN1Object.
The ASN1Object supplied to this constructor represents an
already exisiting KEKRecipientInfo object that may
have been created by calling toASN1Object.
obj - the KEKRecipientInfo as ASN1Object
CodingException - if the object can not be parsed
public KEKRecipientInfo(ASN1Object obj,
SecurityProvider securityProvider)
throws CodingException
KEKRecipientInfo from an ASN1Object.
The ASN1Object supplied to this constructor represents an
already exisiting KEKRecipientInfo object that may
have been created by calling toASN1Object.
obj - the KEKRecipientInfo as ASN1ObjectsecurityProvider - the SecurityProvider to be used by this object, if null use the
default system-wide installed SecurityProvider
CodingException - if the object can not be parsed| Method Detail |
|---|
public void decode(ASN1Object obj)
throws CodingException
KEKRecipientInfo object for parsing
the internal structure.
This method internally is called when creating a CMS KEKRecipientInfo
object from an already existing KEKRecipientInfo object,
supplied as ASN1Object.
obj - the CMS KEKRecipientInfo as ASN1Object
CodingException - if the object can not be parsedpublic ASN1Object toASN1Object()
KEKRecipientInfo as ASN1Object.
The ASN1Object returned by this method represents the ASN.1 structure of a KEKRecipientInfo:
KEKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0 or 4
kekid KEKIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
EncryptedKey ::= OCTET STRING
KEKIdentifier ::= SEQUENCE {
keyIdentifier OCTET STRING,
date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL }
KEKRecipientInfo as ASN1Object.
public javax.crypto.SecretKey decryptKey(java.security.Key kek,
KeyIdentifier recipientIdentifier,
java.lang.String cekAlgName)
throws CMSException,
java.security.InvalidKeyException
SecretKey.
This method implements the same named method of the abstract parent RecipientInfo class. Since a KEKRecipientInfo only represents one single
recipient the supplied recipientIdentifier may be null.
decryptKey in class RecipientInfokek - the secret key encryption key to be used for decrypting (unwrapping)
the encrypted (wrapped) content-encryption key.recipientIdentifier - an KEKIdentifier identifying the recipient of this KEKRecipientInfocekAlgName - the name of the content encryption key (e.g. "AES") to be set for the
SecretKey object created by this method
CMSException - if the key-decryption process fails for some reason (e.g. the
key-encryption algorithm used by this KEKRecipientInfo
is not implemented, a padding error occurs,...)
java.security.InvalidKeyException - if the specified key encryption key (kek) is not valid
public void encryptKey(javax.crypto.SecretKey cek)
throws CMSException
All information (key encryption algorithm, key encryption key) required has been supplied when creating this KEKRecipientInfo object.
encryptKey in class RecipientInfocek - the symmetric content-encryption key to encrypt
CMSException - if the key encryption process fails for some
reason (e.g. the key-encryption algortihm used
by this KEKRecipientInfo is not implemented,
the key encryption key is invalid, a padding
error occurs,...)public KeyIdentifier getRecipientIdentifier()
public KeyIdentifier[] getRecipientIdentifiers()
This method implements the same named method of the abstract parent
RecipientInfo class for returning an
identifier for the recipient key encryption (decryption) key.
Since only one recipient is represented by a KEKRecipientInfo
the KeyIdentifier array returned by this method only will
contain one single KEKIdentifier object.
getRecipientIdentifiers in class RecipientInfoKeyIdentifier array holding an identifier for the recipient's key
encryption (decryption) keypublic boolean isRecipientInfoFor(KeyIdentifier recipientIdentifier)
isRecipientInfoFor in class RecipientInforecipientIdentifier - the key identifier belonging to the recipient
we are searching for
true if this RecipientInfo belongs to the particular
recipient in mind, false if notpublic CertificateIdentifier isRecipientInfoFor(X509Certificate recipientCertificate)
null indicating that a KEKRecipientInfo does not use
certificates.
This method only implements the same-name abstract method of the parent abstract
class RecipientInfo. Since a KEKRecipientInfo
uses a secret key for en/decrypting the content-ecncryption key this method
always return null indicating that this KEKRecipientInfo cannot
belong to the recipient with the given recipient certificate.
isRecipientInfoFor in class RecipientInforecipientCertificate - the certificate of the recipient in mind
null indicating that this KEKRecipientInfo cannot
belong to the recipient with the given certificatepublic byte[] getEncryptedKey()
public byte[] getEncryptedKey(KeyIdentifier recipientIdentifier)
throws CMSException
This method implements the same named method of the abstract parent
RecipientInfo class for asking if this
KEKRecipientInfo holds an encrypted key for the recipient identified
by the given key identifier.
Since a KEKRecipientInfo only represents one single recipient
the supplied recipientIdentifier may be null.
getEncryptedKey in class RecipientInforecipientIdentifier - information to be used for getting the right encrypted content
encryption key for the right recipient; may be not required for a
KEKRecipientInfo, but for KeyAgreeRecipientInfo) which may hold encrypted content encryption
keys for more than one recipient; may be null for only
getting the encrypted content-encryption key included
CMSException - if this KEKRecipientInfo does not belong to the recipient with
the given key identifier is includedpublic java.lang.String toString()
KEKRecipientInfo object.
toString in class RecipientInfo
|
This Javadoc may contain text parts from text parts from IETF Internet Standard specifications (see copyright note). | ||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
IAIK-CMS 6.0, (c) 2002 IAIK, (c) 2003, 2023 SIC