IAIK CMS/SMIME Toolkit API Documentation
Version 6.1
java.lang.Object
  iaik.cms.RecipientInfo
    iaik.cms.PasswordRecipientInfo
public class PasswordRecipientInfo
This class implements the CMS PasswordRecipientInfo type.
RFC 3211 (Password-based Encryption for CMS) specifies the
PasswordRecipientInfo type as a RecipientInfo choice for encrypting
the secret content-encryption key with a key encryption key derived
from a password:
PasswordRecipientInfo ::= SEQUENCE {
  version CMSVersion,   -- Always set to 0
  keyDerivationAlgorithm
    [0] KeyDerivationAlgorithmIdentifier OPTIONAL,
  keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
  encryptedKey EncryptedKey }
The keyDerivationAlgorithm field specifies the algorithm to be
used for deriving the key encryption key (kek) from a password. The
reference key derivation algorithm is PBKDF2 as specified
by RFC 2898 (PKCS#5).
If no key derivation algorithm is specified, the kek is not necessarily
derived from a password; it may instead be supplied by other means
(e.g. by a smartcard).
The keyEncryptionAlgorithm field identifies the key encryption algorithm
(e.g. PWRI-KEK, see RFC 3211)
used for encrypting the randomly generated content-encryption key with
a secret key encryption key. The encrypted content-encryption
key (used for encrypting the content) is stored in the encryptedKey
field.
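The derivation and wrapping steps described above, written out with the standard JCA as an added example (not IAIK toolkit code and not part of the original documentation): PBKDF2 derives a 256-bit AES kek, the RFC 3211 PWRI-KEK wrap turns the cek into the encryptedKey value, and the unwrap shows how the check bytes reject a kek derived from a different password. The class and method names, passwords, salt, IV and iteration count are constructed for the demonstration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PwriKekDemo {
    static final int BLOCK = 16; // AES block size in bytes

    // keyDerivationAlgorithm: PBKDF2 with the default HMAC-SHA1 PRF, 256-bit AES kek.
    static SecretKeySpec deriveKek(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(k, "AES");
    }

    static byte[] cbc(int mode, SecretKeySpec kek, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(mode, kek, new IvParameterSpec(iv));
        return c.doFinal(in);
    }

    // keyEncryptionAlgorithm: RFC 3211 wrap. Format length || ~cek[0..2] || cek || random
    // padding (at least two blocks), then CBC-encrypt twice without resetting the IV.
    static byte[] wrap(SecretKeySpec kek, byte[] iv, byte[] cek) throws GeneralSecurityException {
        if (cek.length < 3 || cek.length > 255) throw new GeneralSecurityException("bad cek length");
        int len = Math.max(2 * BLOCK, (4 + cek.length + BLOCK - 1) / BLOCK * BLOCK);
        byte[] block = new byte[len];
        new SecureRandom().nextBytes(block);                      // random padding
        block[0] = (byte) cek.length;                             // count byte
        for (int i = 0; i < 3; i++) block[1 + i] = (byte) ~cek[i]; // check bytes
        System.arraycopy(cek, 0, block, 4, cek.length);
        byte[] pass1 = cbc(Cipher.ENCRYPT_MODE, kek, iv, block);
        byte[] iv2 = Arrays.copyOfRange(pass1, len - BLOCK, len); // last block carries on as IV
        return cbc(Cipher.ENCRYPT_MODE, kek, iv2, pass1);         // becomes encryptedKey
    }

    static byte[] unwrap(SecretKeySpec kek, byte[] iv, byte[] enc) throws GeneralSecurityException {
        int n = enc.length;
        if (n < 2 * BLOCK || n % BLOCK != 0) throw new GeneralSecurityException("bad length");
        // Decrypt the last block with the second-to-last block as IV; the result is the
        // IV of the outer pass, which lets us strip that pass from the whole buffer.
        byte[] iv2 = cbc(Cipher.DECRYPT_MODE, kek, Arrays.copyOfRange(enc, n - 2 * BLOCK, n - BLOCK),
                         Arrays.copyOfRange(enc, n - BLOCK, n));
        byte[] block = cbc(Cipher.DECRYPT_MODE, kek, iv, cbc(Cipher.DECRYPT_MODE, kek, iv2, enc));
        int cekLen = block[0] & 0xff;
        boolean ok = cekLen >= 3 && cekLen <= n - 4;
        for (int i = 0; ok && i < 3; i++) ok = block[1 + i] == (byte) ~block[4 + i];
        if (!ok) throw new GeneralSecurityException("check bytes mismatch: wrong kek or damaged key");
        return Arrays.copyOfRange(block, 4, 4 + cekLen);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[BLOCK], cek = new byte[32];
        rnd.nextBytes(salt); rnd.nextBytes(iv); rnd.nextBytes(cek);
        int iterations = 100_000; // constructed demo value
        byte[] encryptedKey = wrap(deriveKek("demo-password".toCharArray(), salt, iterations), iv, cek);
        byte[] back = unwrap(deriveKek("demo-password".toCharArray(), salt, iterations), iv, encryptedKey);
        System.out.println("round trip ok: " + Arrays.equals(cek, back));
        try {
            unwrap(deriveKek("other-password".toCharArray(), salt, iterations), iv, encryptedKey);
            System.out.println("wrong password passed the 24-bit check (rare)");
        } catch (GeneralSecurityException e) {
            System.out.println("wrong password rejected: " + e.getMessage());
        }
    }
}
```

The count byte and three check bytes only detect use of the wrong kek; they are not a MAC over the wrapped key.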
This class provides several constructors and methods for creating a
PasswordRecipientInfo object, obtaining the component values,
and encrypting (respectively decrypting) the content-encryption key.
When creating a new PasswordRecipientInfo you
may supply the password, key derivation function and key encryption algorithm
and any associated parameters to be used, e.g.:
// the password:
char[] password = ...;
// use PBKDF2 as key derivation function for deriving the kek from a password:
AlgorithmID pbkdf2 = (AlgorithmID)AlgorithmID.pbkdf2.clone();
// PBKDF2 parameters
int kekLen = 32; // we use AES as kek algorithm
int iterationCount = ...;
byte[] salt = ...;
PBEKeyAndParameterSpec pbkdf2ParamSpec =
    new PBEKeyAndParameterSpec(UTF8String.getUTF8EncodingFromCharArray(password),
                               salt,
                               iterationCount,
                               kekLen);
// use PWRI-KEK for encrypting (wrapping) the content encryption key:
AlgorithmID pwriKek = (CMSAlgorithmID)CMSAlgorithmID.pwri_kek.clone();
// for PWRI-KEK set the kek encryption algorithm parameter
AlgorithmID kekEncryptionAlg = (AlgorithmID)AlgorithmID.aes256_CBC.clone();
pwriKek.setParameter(kekEncryptionAlg.toASN1Object());
// create the PasswordRecipientInfo:
PasswordRecipientInfo recipient = new PasswordRecipientInfo(password, pbkdf2, pbkdf2ParamSpec, pwriKek, null);
The following example shows the typical usage: including a PasswordRecipientInfo
in an EnvelopedData object, encoding it, decoding it on the recipient side
and decrypting the content (we use the stream-based EnvelopedData implementation
for this sample):
// the password:
char[] password = ...;
// use PBKDF2 as key derivation function for deriving the kek from a password:
AlgorithmID pbkdf2 = (AlgorithmID)AlgorithmID.pbkdf2.clone();
// PBKDF2 parameters (salt, iteration count, kek length), built as in the previous example:
PBEKeyAndParameterSpec pbkdf2ParamSpec = ...;
// use PWRI-KEK for encrypting (wrapping) the content encryption key:
AlgorithmID pwriKek = (CMSAlgorithmID)CMSAlgorithmID.pwri_kek.clone();
// create the PasswordRecipientInfo (pbkdf2 derives the kek, pwriKek wraps the cek):
PasswordRecipientInfo recipient = new PasswordRecipientInfo(password, pbkdf2, pbkdf2ParamSpec, pwriKek, null);
// the content to be encrypted:
InputStream is = ...;
// create an EnvelopedData for the content to be encrypted:
EnvelopedDataStream envelopedData = new EnvelopedDataStream(is, (AlgorithmID)AlgorithmID.aes256_CBC.clone());
// add the recipient information:
envelopedData.addRecipientInfo(recipient);
// write the EnvelopedData to a stream thereby performing the content encryption:
int blockSize = ...;
OutputStream encoded_stream = ...;
envelopedData.writeTo(encoded_stream, blockSize);
...
// on the recipient side decode the EnvelopedData:
InputStream encodedStream = ...;
EnvelopedDataStream envelopedData = new EnvelopedDataStream(encodedStream);
// Get information about the inherent EncryptedContentInfo:
EncryptedContentInfoStream eci = (EncryptedContentInfoStream)envelopedData.getEncryptedContentInfo();
System.out.println("Content type: "+eci.getContentType().getName());
System.out.println("Content encryption algorithm: "+eci.getContentEncryptionAlgorithm().getName());
// get the PasswordRecipientInfo:
PasswordRecipientInfo recipient = (PasswordRecipientInfo)envelopedData.getRecipientInfos()[0];
// decrypt the encrypted cek:
String cekAlgName = "AES-256";
SecretKey cek = recipient.decryptKey(password, cekAlgName);
// setup the cipher for decryption:
envelopedData.setupCipher(cek);
// read the content thereby performing the content decryption:
InputStream data_is = envelopedData.getInputStream();
byte[] buf = new byte[2048];
int r;
while ((r = data_is.read(buf)) > 0) {
    // do something useful
}
See Also: RecipientInfo, EnvelopedDataStream, EnvelopedData

| Field Summary |
|---|
| Fields inherited from class iaik.cms.RecipientInfo |
| KEK_RECIPIENT_INFO, KEY_AGREE_RECIPIENT_INFO, KEY_TRANSPORT_RECIPIENT_INFO, keyEncryptionAlgorithm_, OTHER_RECIPIENT_INFO, PASSWORD_RECIPIENT_INFO, securityProvider_, version_ |

| Constructor Summary | |
|---|---|
| PasswordRecipientInfo() | Default Constructor. |
| PasswordRecipientInfo(iaik.asn1.structures.AlgorithmID keyDerivationAlg, iaik.asn1.structures.AlgorithmID keyEncrAlg, byte[] encryptedKey) | Creates a PasswordRecipientInfo object for the given key derivation function, key-encryption algorithm, and already encrypted content encryption key. |
| PasswordRecipientInfo(iaik.asn1.structures.AlgorithmID keyEncrAlg, byte[] encryptedKey) | Creates a PasswordRecipientInfo object for the given key-encryption algorithm, and already encrypted content encryption key. |
| PasswordRecipientInfo(iaik.asn1.structures.AlgorithmID keyEncrAlg, java.security.Key kek) | Creates a PasswordRecipientInfo object for the given key-encryption algorithm and key encryption key. |
| PasswordRecipientInfo(iaik.asn1.structures.AlgorithmID keyEncrAlg, java.security.Key kek, java.security.AlgorithmParameters params) | Creates a PasswordRecipientInfo object for the given key-encryption algorithm and key encryption key. |
| PasswordRecipientInfo(iaik.asn1.ASN1Object obj) | Creates a PasswordRecipientInfo from an ASN1Object. |
| PasswordRecipientInfo(iaik.asn1.ASN1Object obj, SecurityProvider securityProvider) | Creates a PasswordRecipientInfo from an ASN1Object. |
| PasswordRecipientInfo(char[] password, iaik.asn1.structures.AlgorithmID keyDerivationAlg, java.security.spec.AlgorithmParameterSpec keyDerivatoinParamSpec, iaik.asn1.structures.AlgorithmID keyEncrAlg, java.security.AlgorithmParameters keyEncrParams) | Creates a PasswordRecipientInfo object for deriving key encryption key (kek) from the supplied password. |
| PasswordRecipientInfo(char[] password, iaik.asn1.structures.AlgorithmID keyDerivationAlg, java.security.spec.AlgorithmParameterSpec keyDerivatoinParamSpec, iaik.asn1.structures.AlgorithmID keyEncrAlg, java.security.AlgorithmParameters keyEncrParams, SecurityProvider securityProvider) | Creates a PasswordRecipientInfo object for deriving key encryption key (kek) from the supplied password. |

| Method Summary | |
|---|---|
| void | decode(iaik.asn1.ASN1Object obj) - Decodes the given ASN.1 PasswordRecipientInfo object for parsing the internal structure. |
| javax.crypto.SecretKey | decryptKey(char[] password) - Derives a key encryption key from the given password to decrypt (unwrap) the encrypted (wrapped) content-encryption key. |
| javax.crypto.SecretKey | decryptKey(char[] password, iaik.asn1.structures.AlgorithmID keyDerivationAlg, java.security.spec.AlgorithmParameterSpec keyDerivatoinParamSpec, java.lang.String cekAlgName) - Derives a key encryption key from the given password to decrypt (unwrap) the encrypted (wrapped) content-encryption key. |
| javax.crypto.SecretKey | decryptKey(char[] password, java.lang.String cekAlgName) - Derives a key encryption key from the given password to decrypt (unwrap) the encrypted (wrapped) content-encryption key. |
| javax.crypto.SecretKey | decryptKey(java.security.Key kek, KeyIdentifier recipientIdentifier, java.lang.String cekAlgName) - Uses the given key encryption key to decrypt (unwrap) the encrypted (wrapped) content-encryption key. |
| void | encryptKey(javax.crypto.SecretKey cek) - Encrypts (wraps) the given secret content-encryption key. |
| byte[] | getEncryptedKey() - Returns the encrypted content-encryption key. |
| byte[] | getEncryptedKey(KeyIdentifier recipientIdentifier) - Returns the encrypted content-encryption key. |
| iaik.asn1.structures.AlgorithmID | getKeyDerivationAlgorithm() - Returns the key derivation algorithm used for deriving the key encryption key (kek) from a password. |
| KeyIdentifier[] | getRecipientIdentifiers() - Returns an empty KeyIdentifier array. |
| boolean | isRecipientInfoFor(KeyIdentifier recipientIdentifier) - Always returns false indicating that a PasswordRecipientInfo does not use certificates. |
| CertificateIdentifier | isRecipientInfoFor(iaik.x509.X509Certificate recipientCertificate) - Always returns null indicating that a PasswordRecipientInfo does not use certificates. |
| iaik.asn1.ASN1Object | toASN1Object() - Returns this PasswordRecipientInfo as ASN1Object. |
| java.lang.String | toString() - Returns a string giving some information about this PasswordRecipientInfo object. |

| Methods inherited from class iaik.cms.RecipientInfo |
|---|
| createRecipientInfos, decryptKey, decryptKey, decryptKey, getKeyEncryptionAlgorithm, getRecipientInfoType, getSecurityProvider, getVersion, parseRecipientInfo, parseRecipientInfo, parseRecipientInfo, parseRecipientInfo, parseRecipientInfos, parseRecipientInfos, setSecurityProvider |

| Methods inherited from class java.lang.Object |
|---|
| clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |

| Constructor Detail |
|---|
public PasswordRecipientInfo()
Default constructor. Creates a PasswordRecipientInfo object and sets the version number to 0.

public PasswordRecipientInfo(iaik.asn1.structures.AlgorithmID keyEncrAlg,
byte[] encryptedKey)
Creates a PasswordRecipientInfo object for the given
key-encryption algorithm, and already encrypted content encryption key.
The already encrypted secret key is supplied as byte array and has been
encrypted using the given key-encryption algorithm.
Parameters:
keyEncrAlg - the ID of the key-encryption (key-wrap) algorithm that has been used for encrypting the content-encryption key
encryptedKey - the already encrypted secret content-encryption key

public PasswordRecipientInfo(iaik.asn1.structures.AlgorithmID keyDerivationAlg,
iaik.asn1.structures.AlgorithmID keyEncrAlg,
byte[] encryptedKey)
Creates a PasswordRecipientInfo object for the given
key derivation function, key-encryption algorithm, and already
encrypted content encryption key. The already encrypted secret key
is supplied as byte array and has been encrypted using the given
key-encryption algorithm with a key encryption key (kek) that has
been derived from a password according to the given key derivation
algorithm.
Parameters:
keyDerivationAlg - the key derivation algorithm (may be null if the kek has not been derived from a password)
keyEncrAlg - the ID of the key-encryption (key-wrap) algorithm that has been used for encrypting the content-encryption key
encryptedKey - the already encrypted secret content-encryption key

public PasswordRecipientInfo(iaik.asn1.structures.AlgorithmID keyEncrAlg,
java.security.Key kek,
java.security.AlgorithmParameters params)
Creates a PasswordRecipientInfo object for the given
key-encryption algorithm and key encryption key. When later
calling encryptKey the supplied kek and
parameters are used to encrypt the content encryption key (cek).
Note: this constructor internally creates a clone of the supplied key-encryption AlgorithmID.
Parameters:
keyEncrAlg - the ID of the key-encryption (key-wrap) algorithm to be used for encrypting the content-encryption key
kek - the secret key encryption key to be used for encrypting the content-encryption key
params - any algorithm parameters to be used for initializing the key wrap cipher

public PasswordRecipientInfo(iaik.asn1.structures.AlgorithmID keyEncrAlg,
java.security.Key kek)
Creates a PasswordRecipientInfo object for the given
key-encryption algorithm and key encryption key. When later
calling encryptKey the supplied kek is used
to encrypt the content encryption key (cek).
Note: this constructor internally creates a clone of the supplied key-encryption AlgorithmID.
Parameters:
keyEncrAlg - the ID of the key-encryption (key-wrap) algorithm to be used for encrypting the content-encryption key
kek - the secret key encryption key to be used for encrypting the content-encryption key

public PasswordRecipientInfo(char[] password,
iaik.asn1.structures.AlgorithmID keyDerivationAlg,
java.security.spec.AlgorithmParameterSpec keyDerivatoinParamSpec,
iaik.asn1.structures.AlgorithmID keyEncrAlg,
java.security.AlgorithmParameters keyEncrParams)
throws java.security.NoSuchAlgorithmException,
java.security.InvalidAlgorithmParameterException
Creates a PasswordRecipientInfo object for deriving
key encryption key (kek) from the supplied password. When later
calling encryptKey the derived kek is used
to encrypt the content encryption key (cek).
Note: this constructor internally creates clones of the supplied Algorithm IDs.
Parameters:
password - the password from which to derive the key encryption key (kek)
keyDerivationAlg - the key derivation function to be used for deriving the kek
keyDerivatoinParamSpec - any parameters required by the key derivation function
keyEncrAlg - the ID of the key-encryption (key-wrap) algorithm to be used for encrypting the content-encryption key
keyEncrParams - any algorithm parameters to be used for initializing the key wrap cipher
Throws:
java.security.NoSuchAlgorithmException
java.security.InvalidAlgorithmParameterException

public PasswordRecipientInfo(char[] password,
iaik.asn1.structures.AlgorithmID keyDerivationAlg,
java.security.spec.AlgorithmParameterSpec keyDerivatoinParamSpec,
iaik.asn1.structures.AlgorithmID keyEncrAlg,
java.security.AlgorithmParameters keyEncrParams,
SecurityProvider securityProvider)
throws java.security.NoSuchAlgorithmException,
java.security.InvalidAlgorithmParameterException
Creates a PasswordRecipientInfo object for deriving
key encryption key (kek) from the supplied password. When later
calling encryptKey the derived kek is used
to encrypt the content encryption key (cek).
Note: this constructor internally creates clones of the supplied Algorithm IDs.
Parameters:
password - the password from which to derive the key encryption key (kek)
keyDerivationAlg - the key derivation function to be used for deriving the kek
keyDerivatoinParamSpec - any parameters required by the key derivation function
keyEncrAlg - the ID of the key-encryption (key-wrap) algorithm to be used for encrypting the content-encryption key
keyEncrParams - any algorithm parameters to be used for initializing the key wrap cipher
securityProvider - the SecurityProvider to be used
Throws:
java.security.NoSuchAlgorithmException
java.security.InvalidAlgorithmParameterException

public PasswordRecipientInfo(iaik.asn1.ASN1Object obj)
throws iaik.asn1.CodingException
Creates a PasswordRecipientInfo from an ASN1Object.
The ASN1Object supplied to this constructor represents an
already existing PasswordRecipientInfo object that may
have been created by calling toASN1Object.
Parameters:
obj - the PasswordRecipientInfo as ASN1Object
Throws:
iaik.asn1.CodingException - if the object cannot be parsed

public PasswordRecipientInfo(iaik.asn1.ASN1Object obj,
SecurityProvider securityProvider)
throws iaik.asn1.CodingException
Creates a PasswordRecipientInfo from an ASN1Object.
The ASN1Object supplied to this constructor represents an
already existing PasswordRecipientInfo object that may
have been created by calling toASN1Object.
Parameters:
obj - the PasswordRecipientInfo as ASN1Object
securityProvider - the SecurityProvider to be used by this object, if null use the default system-wide installed SecurityProvider
Throws:
iaik.asn1.CodingException - if the object cannot be parsed

| Method Detail |
|---|
public void decode(iaik.asn1.ASN1Object obj)
throws iaik.asn1.CodingException
Decodes the given ASN.1 PasswordRecipientInfo object for parsing
the internal structure.
This method is called internally when creating a CMS PasswordRecipientInfo
object from an already existing PasswordRecipientInfo object,
supplied as ASN1Object.
Parameters:
obj - the CMS PasswordRecipientInfo as ASN1Object
Throws:
iaik.asn1.CodingException - if the object cannot be parsed

public iaik.asn1.ASN1Object toASN1Object()
Returns this PasswordRecipientInfo as ASN1Object.
The ASN1Object returned by this method represents the ASN.1 structure of a PasswordRecipientInfo according to RFC 3211 (Password-based Encryption for CMS):
PasswordRecipientInfo ::= SEQUENCE {
  version CMSVersion,   -- Always set to 0
  keyDerivationAlgorithm
    [0] KeyDerivationAlgorithmIdentifier OPTIONAL,
  keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
  encryptedKey EncryptedKey }
Returns:
this PasswordRecipientInfo as ASN1Object

public javax.crypto.SecretKey decryptKey(java.security.Key kek,
KeyIdentifier recipientIdentifier,
java.lang.String cekAlgName)
throws CMSException,
java.security.InvalidKeyException
SecretKey.
This method implements the method of the same name in the abstract parent RecipientInfo class. Since a PasswordRecipientInfo does not contain recipient identification
information, any supplied recipientIdentifier is ignored.
decryptKey in class RecipientInfo
Parameters:
kek - the secret key encryption key to be used for decrypting (unwrapping) the encrypted (wrapped) content-encryption key.
recipientIdentifier - recipient identification information; ignored
cekAlgName - the name of the content encryption key (e.g. "AES") to be set for the SecretKey object created by this method
Throws:
CMSException - if the key-decryption process fails for some reason (e.g. the key-encryption algorithm used by this PasswordRecipientInfo is not implemented, a padding error occurs,...)
java.security.InvalidKeyException - if the specified key encryption key (kek) is not valid

public javax.crypto.SecretKey decryptKey(char[] password,
iaik.asn1.structures.AlgorithmID keyDerivationAlg,
java.security.spec.AlgorithmParameterSpec keyDerivatoinParamSpec,
java.lang.String cekAlgName)
throws CMSException,
java.security.InvalidKeyException,
java.security.NoSuchAlgorithmException,
java.security.InvalidAlgorithmParameterException
SecretKey.
Parameters:
password - the password from which to derive the key encryption key used for decrypting (unwrapping) the encrypted (wrapped) content-encryption key.
keyDerivationAlg - the key derivation algorithm to be used for deriving the key encryption key from the given password
keyDerivatoinParamSpec - any parameters required by the key derivation algorithm
cekAlgName - the name of the content encryption key (e.g. "AES") to be set for the SecretKey object created by this method
Throws:
CMSException - if the key-decryption process fails for some reason (e.g. the requested key derivation algorithm or the key-encryption algorithm used by this PasswordRecipientInfo is not implemented, a padding error occurs,...)
java.security.InvalidKeyException - if the key encryption key (kek) cannot be derived or is not valid
java.security.NoSuchAlgorithmException - if the requested key derivation function is not supported
java.security.InvalidAlgorithmParameterException - if the key derivation parameters are invalid

public javax.crypto.SecretKey decryptKey(char[] password)
throws CMSException,
java.security.InvalidKeyException,
java.security.NoSuchAlgorithmException,
java.security.InvalidAlgorithmParameterException
SecretKey.
Parameters:
password - the password from which to derive the key encryption key used for decrypting (unwrapping) the encrypted (wrapped) content-encryption key.
Throws:
CMSException - if the key-decryption process fails for some reason (e.g. the key derivation algorithm or key-encryption algorithm used by this PasswordRecipientInfo is not implemented, a padding error occurs,...)
java.security.InvalidKeyException - if the key encryption key (kek) cannot be derived or is not valid
java.security.NoSuchAlgorithmException - if the requested key derivation function is not supported
java.security.InvalidAlgorithmParameterException - if the key derivation parameters are invalid

public javax.crypto.SecretKey decryptKey(char[] password,
java.lang.String cekAlgName)
throws CMSException,
java.security.InvalidKeyException,
java.security.NoSuchAlgorithmException,
java.security.InvalidAlgorithmParameterException
SecretKey.
Parameters:
password - the password from which to derive the key encryption key used for decrypting (unwrapping) the encrypted (wrapped) content-encryption key.
Throws:
CMSException - if the key-decryption process fails for some reason (e.g. the key derivation algorithm or key-encryption algorithm used by this PasswordRecipientInfo is not implemented, a padding error occurs,...)
java.security.InvalidKeyException - if the key encryption key (kek) cannot be derived or is not valid
java.security.NoSuchAlgorithmException - if the requested key derivation function is not supported
java.security.InvalidAlgorithmParameterException - if the key derivation parameters are invalid

public void encryptKey(javax.crypto.SecretKey cek)
throws CMSException
Encrypts (wraps) the given secret content-encryption key.
All required information (key encryption algorithm, key encryption key (or password from which to derive the kek),...) has been supplied when creating this PasswordRecipientInfo object.
encryptKey in class RecipientInfo
Parameters:
cek - the symmetric content-encryption key to encrypt
Throws:
CMSException - if the key encryption process fails for some reason (e.g. the key-encryption algorithm used by this PasswordRecipientInfo is not implemented, the key encryption key is invalid, a padding error occurs,...)

public KeyIdentifier[] getRecipientIdentifiers()
Returns an empty KeyIdentifier array.
This method only implements the same-name abstract method of the parent abstract
class RecipientInfo. Since a PasswordRecipientInfo
generally does not contain recipient identification information, this method
always returns an empty KeyIdentifier array indicating that there are no
KeyIdentifiers used.
getRecipientIdentifiers in class RecipientInfo
Returns:
an empty KeyIdentifier array

public boolean isRecipientInfoFor(KeyIdentifier recipientIdentifier)
Always returns false indicating that a PasswordRecipientInfo does not use
certificates.
This method only implements the same-name abstract method of the parent abstract
class RecipientInfo. Since a PasswordRecipientInfo
generally does not contain recipient identification information, this method
always returns false indicating that this PasswordRecipientInfo may not
belong to the recipient with the given recipient identifier.
isRecipientInfoFor in class RecipientInfo
Parameters:
recipientIdentifier - the key identifier belonging to the recipient we are searching for
Returns:
false indicating that this PasswordRecipientInfo may not belong to the recipient with the given id

public CertificateIdentifier isRecipientInfoFor(iaik.x509.X509Certificate recipientCertificate)
Always returns null indicating that a PasswordRecipientInfo does not use
certificates.
This method only implements the same-name abstract method of the parent abstract
class RecipientInfo. Since a PasswordRecipientInfo
generally does not contain recipient identification information, this method
always returns null indicating that this PasswordRecipientInfo may not
belong to the recipient with the given recipient certificate.
isRecipientInfoFor in class RecipientInfo
Parameters:
recipientCertificate - the certificate of the recipient in mind
Returns:
null indicating that this PasswordRecipientInfo may not belong to the recipient with the given certificate

public iaik.asn1.structures.AlgorithmID getKeyDerivationAlgorithm()
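Returns the key derivation algorithm used for deriving the key encryption key (kek) from a password.
null if PBE is not used

public byte[] getEncryptedKey()
Returns the encrypted content-encryption key.

public byte[] getEncryptedKey(KeyIdentifier recipientIdentifier)
throws CMSException
Returns the encrypted content-encryption key.
Since a PasswordRecipientInfo only represents one single recipient the supplied recipientIdentifier is ignored.
getEncryptedKey in class RecipientInfo
Parameters:
recipientIdentifier - recipient identification information; ignored
Throws:
CMSException - never thrown

public java.lang.String toString()
Returns a string giving some information about this PasswordRecipientInfo object.
toString in class RecipientInfo
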
v6.1 (c) 2002 IAIK, (c) 2003 - 2025 SIC