IAIK High-Level API
version 1.1

Class CMSSignerEncrypter

  extended by iaik.hlapi.SignerEncrypter
      extended by iaik.hlapi.CMSSignerEncrypter

public class CMSSignerEncrypter
extends SignerEncrypter

This SignerEncrypter implementation creates CMS signed and encrypted data. It employs SignedData and EnvelopedData structures.

It automatically adds the certificate chain and the signed attributes to the signature. The signed attributes are: content type, signing time, message digest and signing certificate according to ETSI CAdES v1.7.3. The signature is a CAdES-BES signature. Moreover, it selects a signature algorithm automatically depending on the given signature key. If the given key is an RSA key, it will select a suitable hash algorithm depending on the key length.

The output is a DER encoded CMS ContentInfo structure.

Using setIncludeData(boolean), the application can specify whether the signed data is included in the result. By default, it is included. Note that if the data is excluded, encryption will only cover the signature.

Constructor Summary
CMSSignerEncrypter()
          Construct a new signer/encrypter.
Method Summary
 void addRecipient(X509Certificate recipientCert)
          Add one recipient of the encrypted data.
 void clearRecipients()
          Clear the list of recipients.
 void dropSigningKey()
          Release all references to any previously set signing key.
 OutputStream process(OutputStream out)
          This method returns an OutputStream.
 void setIncludeData(boolean includeData)
          Specify if the signed data is included in the result.
 void setSigningKey(KeyAndCertificate signingKey)
          Set the signing key.
Methods inherited from class iaik.hlapi.SignerEncrypter
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail


public CMSSignerEncrypter()
Construct a new signer/encrypter. It will create implicit signed data.

Method Detail


public void setSigningKey(KeyAndCertificate signingKey)
                   throws HlApiException
Description copied from class: SignerEncrypter
Set the signing key. The certificate chain should also be set. All certificates of the given chain will be included in the signature. To include one certificate only, simply provide a certificate chain with only that certificate.

setSigningKey in class SignerEncrypter
signingKey - The signing key with the certificate chain.
HlApiException - If handling the certificate fails.


public void dropSigningKey()
Description copied from class: SignerEncrypter
Release all references to any previously set signing key.

dropSigningKey in class SignerEncrypter


public void addRecipient(X509Certificate recipientCert)
                  throws HlApiException
Add one recipient of the encrypted data.

The certificate must contain a public key which is suitable for encryption (key wrapping, to be more precise). The implementation may also require that the certificate has the required key-usage bits set.

Call clearRecipients() to clear all recipients which have been added so far. An encryption operation does not clear this list.

addRecipient in class SignerEncrypter
recipientCert - The X.509 certificate of the recipient.
HlApiException - If the certificate is invalid for encryption.
See Also:
(recipientCert != null)
(result != null)


public void clearRecipients()
Clear the list of recipients.

clearRecipients in class SignerEncrypter


public OutputStream process(OutputStream out)
                     throws IOException,
                            HlApiException
Description copied from class: SignerEncrypter
This method returns an OutputStream. The application can write to this stream all data that it wants to sign and/or encrypt. The application finishes writing data by closing the stream. The method will write the signed and/or encrypted data to out.

Note that the application must set a signing key in advance using SignerEncrypter.setSigningKey(KeyAndCertificate) to sign the data. To encrypt the data, it must have set one or more recipient certificates.

Specified by:
process in class SignerEncrypter
out - The stream which receives the signed and/or encrypted data.
Returns the OutputStream to which the application writes the data to be signed and/or encrypted.
IOException - If writing to the given stream fails.
HlApiException - If signing fails.


public void setIncludeData(boolean includeData)
Specify if the signed data is included in the result. Default is true (included).

includeData - true to include data, false to exclude it.
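
Usage sketch for the methods documented above (an added example, not code from the IAIK documentation). It uses only the methods listed on this page; the package names of KeyAndCertificate and HlApiException and the use of java.security.cert.X509Certificate are assumptions, and the class and method names of the example itself are hypothetical.

```java
import iaik.hlapi.CMSSignerEncrypter;
import iaik.hlapi.HlApiException;          // assumed package
import iaik.hlapi.KeyAndCertificate;       // assumed package
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.cert.X509Certificate; // assumed certificate type

public final class CmsSignEncryptExample {

    /**
     * Signs data with signingKey and encrypts it for one recipient.
     * Returns the DER encoded CMS ContentInfo produced by process().
     */
    public static byte[] signAndEncrypt(byte[] data,
                                        KeyAndCertificate signingKey,
                                        X509Certificate recipientCert)
            throws IOException, HlApiException {
        CMSSignerEncrypter signerEncrypter = new CMSSignerEncrypter();
        ByteArrayOutputStream result = new ByteArrayOutputStream();
        try {
            // A signing key is required for signing, at least one
            // recipient certificate is required for encryption.
            signerEncrypter.setSigningKey(signingKey);
            signerEncrypter.addRecipient(recipientCert);

            // Keep the default explicit: with excluded data, the
            // encryption would only cover the signature.
            signerEncrypter.setIncludeData(true);

            // Closing the returned stream finishes the operation and
            // writes the signed and encrypted output to 'result'.
            try (OutputStream in = signerEncrypter.process(result)) {
                in.write(data);
            }
            return result.toByteArray();
        } finally {
            // An encryption operation does not clear the recipient list,
            // so clear it here to keep a reused instance from encrypting
            // for recipients of an earlier message. Also release the key.
            signerEncrypter.clearRecipients();
            signerEncrypter.dropSigningKey();
        }
    }
}
```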

Copyright © 2007, IAIK, Graz University of Technology
Copyright © 2007, Stiftung SIC