iaik.pkcs.pkcs12

Class PKCS12Algorithms

java.lang.Object

iaik.pkcs.pkcs12.PKCS12Algorithms

All Implemented Interfaces:

java.lang.Cloneable

public class PKCS12Algorithms
extends java.lang.Object
implements java.lang.Cloneable

Algorithm set used for protecting PKCS#12 KeyStore.

An algorithm set consists of one MAC algorithm used for integrity protection of the PKCS#12 KeyStore and two PBE (password based encryption) algorithms for encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects and/or CertBags contained in encrypted AuthenticatedSafe objects.

The default algorithm set of the IAIK PKCS#12 KeyStore implementation uses HMAC_SHA256 as mac algorithm and the PKCS#5 PBES2 scheme PBES2WithHmacSHA256AndAES256 for both encrypted (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects and CertBags contained in encrypted AuthenticatedSafe objects.

If your PKCS#12 KeyStore(s) must be readable with other PKCS#12 applications, too, be careful when changing the default algorithm set. Although we have tested the algorithms to work with well established PKCS#12 applications, it even might happen that an application may only be able to read PKCS#12 KeyStores protected with the legacy algorithm set that uses HMAC_SHA1 as mac algorithm, and the PKCS#5 PBES1 schemes PBEWithSHAAnd40BitRC2_CBC for encrypting CertBags contained in encrypted AuthenticatedSafe objects and PBEWithSHAAnd3_KeyTripleDES_CBC for encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects. Of course the legacy set should be used with care because it provides less security than the default algorithm set. For interoperability reasons the legacy algorithm set has been used as default algorithm set until IAIK-JCE version 5.62.

See Also:

PKCS12KeyStore, PKCS12

Field Summary

Fields

Modifier and Type	Field and Description
static PKCS12Algorithms	PBES1 Legacy algorithm set using HMAC_SHA1 as mac algorithm, and the PKCS#5 PBES1 schemes PBEWithSHAAnd40BitRC2_CBC for encrypting CertBags contained in encrypted AuthenticatedSafe objects and PBEWithSHAAnd3_KeyTripleDES_CBC for encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects.
static PKCS12Algorithms	PBES2 Default algorithm set using HMAC_SHA256 as mac algorithm and the PKCS#5 PBES2 scheme PBES2WithHmacSHA256AndAES256 for both encrypted (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects and CertBags contained in encrypted AuthenticatedSafe objects.

Constructor Summary

Constructors

Constructor and Description
PKCS12Algorithms(PKCS12MacAlgorithm macAlg, PKCS12PbeAlgorithm authSafesCipherAlg, PKCS12PbeAlgorithm keyBagCipherAlg) Creates a PKCS12Algorithm set for the given mac and PBE algorithms.

Method Summary

Methods

Modifier and Type	Method and Description
java.lang.Object	clone() Gets a clone of this object.
PKCS12PbeAlgorithm	getAuthSafesCipherAlg() Gets the PBE algorithm to be used for password based encrypting CertBags contained in encrypted AuthenticatedSafe objects.
static PKCS12Algorithms	getDefault() Gets the default algorithm set.
PKCS12PbeAlgorithm	getKeyBagCipherAlg() Gets the PBE algorithm to be used for password based encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects.
static PKCS12Algorithms	getLegacy() Gets the legacy algorithm set.
PKCS12MacAlgorithm	getMacAlg() Gets the mac algorithm.
void	setAuthSafesCipherAlg(PKCS12PbeAlgorithm authSafesCipherAlg) Sets the PBE algorithm to be used for password based encrypting CertBags contained in encrypted AuthenticatedSafe objects.
static void	setDefault(PKCS12Algorithms pkcs12Algs) Sets the default algorithm set.
static void	setEnforceDefault(boolean enforceDefault) Decides whether to enforce the configured default algorithm set when storing a parsed PKCS#12 KeyStore anew.
void	setKeyBagCipherAlg(PKCS12PbeAlgorithm keyBagCipherAlg) Sets the PBE algorithm to be used for password based encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects.
void	setMacAlg(PKCS12MacAlgorithm macAlg) Sets the mac algorithm.
java.lang.String	toString() Gets a String representation of this PKCS12Algorithms.

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

PBES1

public static final PKCS12Algorithms PBES1

Legacy algorithm set using HMAC_SHA1 as mac algorithm, and the PKCS#5 PBES1 schemes PBEWithSHAAnd40BitRC2_CBC for encrypting CertBags contained in encrypted AuthenticatedSafe objects and PBEWithSHAAnd3_KeyTripleDES_CBC for encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects.

PBES2

public static final PKCS12Algorithms PBES2

Default algorithm set using HMAC_SHA256 as mac algorithm and the PKCS#5 PBES2 scheme PBES2WithHmacSHA256AndAES256 for both encrypted (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects and CertBags contained in encrypted AuthenticatedSafe objects.

Constructor Detail

PKCS12Algorithms

public PKCS12Algorithms(PKCS12MacAlgorithm macAlg,
                PKCS12PbeAlgorithm authSafesCipherAlg,
                PKCS12PbeAlgorithm keyBagCipherAlg)

Creates a PKCS12Algorithm set for the given mac and PBE algorithms.

Parameters:

macAlg - the mac algorithm to be used

authSafesCipherAlg - the PBE algorithm to be used for password based encrypting CertBags contained in encrypted AuthenticatedSafe objects

keyBagCipherAlg - the PBE algorithm to be used for password based encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects

Method Detail

setDefault

public static final void setDefault(PKCS12Algorithms pkcs12Algs)

Sets the default algorithm set.

The library default set is PBES2 using HMAC_SHA256 as mac algorithm and the PKCS#5 PBES2 scheme PBES2WithHmacSHA256AndAES256 for both encrypted (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects and CertBags contained in encrypted AuthenticatedSafe objects.

Parameters:

pkcs12Algs - the new default algorithm set

getDefault

public static final PKCS12Algorithms getDefault()

Gets the default algorithm set.

The library default set is PBES2 using HMAC_SHA256 as mac algorithm and the PKCS#5 PBES2 scheme PBES2WithHmacSHA256AndAES256 for both encrypted (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects and CertBags contained in encrypted AuthenticatedSafe objects.

Returns:

the default algorithm set

getLegacy

public static final PKCS12Algorithms getLegacy()

Gets the legacy algorithm set.

The legacy set is PBES1 using HMAC_SHA1 as mac algorithm, and the PKCS#5 PBES1 schemes PBEWithSHAAnd40BitRC2_CBC for encrypting CertBags contained in encrypted AuthenticatedSafe objects and PBEWithSHAAnd3_KeyTripleDES_CBC for encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects.

Returns:

the legacy algorithm set

setEnforceDefault

public static final void setEnforceDefault(boolean enforceDefault)

Decides whether to enforce the configured default algorithm set when storing a parsed PKCS#12 KeyStore anew. If set to false (default) the same algorithms will be used that have been used when storing the PKCS#12 KeyStore the first time. If set to true, the KeyStore will be protected with the configured default algorithms when storing it anew. This may be useful when wishing to change the algorithms that have been used to protect a PKCS#12 KeyStore.

Parameters:

enforceDefault - whether to enforce the configured default algorithm set when storing a parsed PKCS#12 KeyStore anew; default: false

getMacAlg

public PKCS12MacAlgorithm getMacAlg()

Gets the mac algorithm.
If no one has been set, the default one (HMAC_SHA256) is returned.

Returns:

the mac algorithm

setMacAlg

public void setMacAlg(PKCS12MacAlgorithm macAlg)

Sets the mac algorithm.

Parameters:

macAlg - the mac algorithm

getAuthSafesCipherAlg

public PKCS12PbeAlgorithm getAuthSafesCipherAlg()

Gets the PBE algorithm to be used for password based encrypting CertBags contained in encrypted AuthenticatedSafe objects.
If no one has been set, the default one (PBES2WithHmacSHA256AndAES256) is returned.

Returns:

the PBE algorithm to be used for password based encrypting CertBags contained in encrypted AuthenticatedSafe objects

setAuthSafesCipherAlg

public void setAuthSafesCipherAlg(PKCS12PbeAlgorithm authSafesCipherAlg)

Sets the PBE algorithm to be used for password based encrypting CertBags contained in encrypted AuthenticatedSafe objects.

Parameters:

authSafesCipherAlg - the PBE algorithm to be used for password based encrypting CertBags contained in encrypted AuthenticatedSafe objects

getKeyBagCipherAlg

public PKCS12PbeAlgorithm getKeyBagCipherAlg()

Gets the PBE algorithm to be used for password based encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects.
If no one has been set, the default one (PBES2WithHmacSHA256AndAES256) is returned.

Returns:

the PBE algorithm to be used for password based encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects

setKeyBagCipherAlg

public void setKeyBagCipherAlg(PKCS12PbeAlgorithm keyBagCipherAlg)

Sets the PBE algorithm to be used for password based encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects.

Parameters:

keyBagCipherAlg - the PBE algorithm to be used for password based encrypting (Shrouded)KeyBags contained in unencrypted AuthenticatedSafe objects

clone

public java.lang.Object clone()

Gets a clone of this object.

Overrides:

clone in class java.lang.Object

Returns:

a clone of this object

toString

public java.lang.String toString()

Gets a String representation of this PKCS12Algorithms.

Overrides:

toString in class java.lang.Object

Returns:

a String representation