public class CAST128KeyWrap
extends javax.crypto.CipherSpi
RFC 2984 (Use of the CAST-128 algorithm in CMS) specifies the CAST128 key wrap algorithm for wrapping CAST128 content encryption keys with CAST128 key encryption keys when using the KeyAgreeRecipientInfo or KEKRecipientInfo choice for providing recipient specific information when encrypting data using the EnvelopedData type.
Since this class can only be used for wrapping/unwrapping secret content encryption keys, an application can only call the methods wrap and unwrap of the corresponding Cipher object. Any attempt to call an update or doFinal method will cause a RuntimeException to be thrown.

A CMS key wrap (unwrap) procedure involves two encryption (decryption) operations, both run in CBC mode. The first encryption step uses a random IV and the second encryption step uses a fixed IV of 0x4adda22c79e82105. Correspondingly, the first decryption step uses a fixed IV (0x4adda22c79e82105) and the second decryption step uses the random IV recovered from the first decryption.

When calling an engineInit method, the supplied parameters may only specify the key length, given as CAST128WrapParameterSpec or CAST128Parameters; this CMS CAST128 key wrap cipher implementation itself takes care of using the right IV for the right en/decryption step. When calling method getIV, this class always returns null; when calling method getParameters, this class returns the key length to be included in the parameters field of the algorithm id.
When creating a new CMS CAST128 key wrap Cipher object you only may provide the name of the key wrap cipher ("CAST128WrapCAST128"). Any cipher mode (always uses CBC) or padding (does the padding itself) specification is ignored.
For example, wrapping a CAST128 content encryption key using a CAST128 key encryption key typically may be done as follows:
```java
// the content encryption key to be wrapped:
SecretKey cek = ...;
// the key encryption key to be used:
SecretKey kek = ...;
// get a CAST128 key wrap cipher:
Cipher c = Cipher.getInstance("CAST128WrapCAST128");
// init with the key encryption key
c.init(Cipher.WRAP_MODE, kek);
// wrap the content encryption key:
byte[] wrappedCek = c.wrap(cek);
// get the parameters:
CAST128WrapParameters cast128WrapParameters = (CAST128WrapParameters)c.getParameters();
```

For unwrapping the key, init the Cipher in unwrap mode:

```java
Cipher c = Cipher.getInstance("CAST128WrapCAST128");
// source of randomness handed to the cipher
SecureRandom random = new SecureRandom();
// init with the key encryption key
c.init(Cipher.UNWRAP_MODE, kek, cast128WrapParameters, random);
// unwrap the wrapped content encryption key:
Key unwrappedCek = c.unwrap(wrappedCek, "CAST128", Cipher.SECRET_KEY);
```
Modifier and Type | Field and Description |
---|---|
protected int | cipherTextLength: The expected cipher text length, may be required to be checked. |
static byte[] | CMS_KEY_WRAP_IV: The IV for the last encryption step of CMS key wrap. |
protected java.security.Key | kek: The key encryption key (used for en/decrypting the content encryption key). |
protected byte[] | keyWrapIV: The IV to be used for the second encryption step. |
protected java.security.SecureRandom | random: The SecureRandom. |
Constructor and Description |
---|
CAST128KeyWrap(): Creates a CAST128KeyWrap object. |
Modifier and Type | Method and Description |
---|---|
protected byte[] | computeLCEKPAD(java.security.Key contentEncryptionKey): Calculates the LCEKPAD value (RFC 2630, Section 12.6.4) from the given content encryption key. |
protected byte[] | decomposeLCEKPAD(byte[] LCEKPAD): Decomposes the LCEKPAD value (RFC 2630, Section 12.6.5, 8.) into LENGTH, CEK and PAD and returns the CEK. |
byte[] | engineDoFinal(byte[] in, int inOff, int inLen): Throws a RuntimeException since not supported by this key wrap cipher. |
int | engineDoFinal(byte[] in, int inOff, int inLen, byte[] out, int outOff): Throws a RuntimeException since not supported by this key wrap cipher. |
int | engineGetBlockSize(): Returns the block size corresponding to this cipher. |
byte[] | engineGetIV(): Returns null. |
protected int | engineGetKeySize(java.security.Key key) |
int | engineGetOutputSize(int inLen): Returns the output buffer size necessary for capturing the data resulting from the next update or doFinal operation including any data currently being buffered. |
java.security.AlgorithmParameters | engineGetParameters(): Returns the algorithm parameters of this CAST128KeyWrap cipher. |
void | engineInit(int opmode, java.security.Key key, java.security.spec.AlgorithmParameterSpec params, java.security.SecureRandom random): Initializes this cipher object. |
void | engineInit(int opmode, java.security.Key key, java.security.AlgorithmParameters params, java.security.SecureRandom random): Initializes this cipher object. |
protected void | engineInit(int opmode, java.security.Key key, byte[] iv, java.security.SecureRandom random): Internally inits the underlying CAST128 cipher for the second en/decryption step. |
void | engineInit(int opmode, java.security.Key key, java.security.SecureRandom random): Initializes this cipher object. |
void | engineSetMode(java.lang.String mode): Sets the mode of this cipher to "CBC". |
void | engineSetPadding(java.lang.String paddingName): Sets the padding scheme of this cipher. |
protected java.security.Key | engineUnwrap(byte[] wrappedKey, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType): Unwraps the given wrapped key to recover the content encryption key. |
byte[] | engineUpdate(byte[] in, int inOff, int inLen): Throws a RuntimeException since not supported by this key wrap cipher. |
int | engineUpdate(byte[] in, int inOff, int inLen, byte[] out, int outOff): Throws a RuntimeException since not supported by this key wrap cipher. |
protected void | engineUpdateAAD(byte[] src, int offset, int len) |
protected byte[] | engineWrap(java.security.Key key) |
protected java.security.Key | finishUnWrap(byte[] decryptedCek, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType): Finishes the unwrapping process by decomposing the LCEKPAD value (RFC 2630, Section 12.6.5, 8.) into LENGTH, CEK and PAD and returns the CEK. |
int | getModeBlockSize(): Returns the block size corresponding to the actual cipher mode. |
protected java.security.SecureRandom | getRandom(): Gets the SecureRandom. |
protected byte[] | prepareWrap(java.security.Key contentEncryptionKey): Prepares the given content encryption CAST128 key for being wrapped. |
java.lang.String | toString(): Returns a string representation of this Cipher. |
protected java.security.Key kek
protected int cipherTextLength
protected java.security.SecureRandom random
protected byte[] keyWrapIV
public static final byte[] CMS_KEY_WRAP_IV
IV = 0x4adda22c79e82105.
public CAST128KeyWrap()
Cipher.getInstance factory methods instead, e.g.:

```java
Cipher cast128KeyWrap = Cipher.getInstance("CAST128WrapCAST128");
```

Since the CAST128KeyWrap cipher only runs in CBC mode and itself takes care of padding, any mode or padding specification as part of the transformation string supplied when creating the Cipher object is ignored.
public void engineInit(int opmode, java.security.Key key, java.security.spec.AlgorithmParameterSpec params, java.security.SecureRandom random) throws java.security.InvalidKeyException, java.security.InvalidAlgorithmParameterException
Any parameters to be set have to be supplied as instances of CAST128WrapParameterSpec giving the key length.
If the cipher has to be initialized for key wrap, a random IV is used. If the cipher has to be initialized for key unwrap, a fixed CMS key wrap IV is used.
Parameters:
opmode - the operation mode for which this cipher is used (WRAP_MODE or UNWRAP_MODE)
key - the key encryption key to be used
params - the algorithm parameters
random - the random seed
Throws:
java.security.InvalidKeyException - if the given key cannot be used for initializing this cipher
java.security.InvalidAlgorithmParameterException - if the given algorithm parameters don't match this cipher
See Also:
Cipher.init(int, java.security.Key), CipherSpi.engineInit(int, java.security.Key, java.security.SecureRandom)
public void engineInit(int opmode, java.security.Key key, java.security.AlgorithmParameters params, java.security.SecureRandom random) throws java.security.InvalidKeyException, java.security.InvalidAlgorithmParameterException
Any parameters to be set have to be supplied as instances of CAST128WrapParameters giving the key length.
If the cipher has to be initialized for key wrap, a random IV is used. If the cipher has to be initialized for key unwrap, a fixed CMS key wrap IV is used.
Parameters:
opmode - the operation mode for which this cipher is used (WRAP_MODE or UNWRAP_MODE)
key - the key encryption key
params - the algorithm parameters
random - the random seed
Throws:
java.security.InvalidKeyException - if the given key cannot be used for initializing this cipher
java.security.InvalidAlgorithmParameterException - if the given algorithm parameters don't match this cipher
See Also:
Cipher.init(int, java.security.Key), CipherSpi.engineInit(int, java.security.Key, java.security.SecureRandom)
protected void engineInit(int opmode, java.security.Key key, byte[] iv, java.security.SecureRandom random) throws java.security.InvalidKeyException, java.security.InvalidAlgorithmParameterException
A CMS key wrap (unwrap) procedure involves two encryption (decryption) operations, both run in CBC mode. The first encryption step uses a random IV and the second encryption step uses a fixed IV of default 0x4adda22c79e82105. Correspondingly the first decryption step uses a fixed IV (default 0x4adda22c79e82105) and the second decryption step uses the random IV recovered from the first decryption. This method is called during the wrapping/unwrapping to init the underlying CAST128 cipher for the second en/decryption step. The given iv is used to be included in CAST128 parameters for initializing the underlying cipher.
Parameters:
opmode - the operation mode
key - the key encryption key
iv - the initialization vector, either fixed (for second encryption step) or recovered random (for second decryption step)
random - the random seed
Throws:
java.security.InvalidKeyException - if something is wrong with the key
java.security.InvalidAlgorithmParameterException - if an error occurs when creating the parameters from the iv
public java.security.AlgorithmParameters engineGetParameters()
The parameters are returned as CAST128WrapParameters giving the key length:
cast5CMSkeywrapParameter ::= INTEGER -- key length in bits
protected byte[] prepareWrap(java.security.Key contentEncryptionKey) throws java.security.InvalidKeyException
This method calculates the LCEKPAD value (RFC 2630, Section 12.6.4) from the given content encryption key.
As first step of the CAST128 Key Wrap algorithm (equivalent to RC2 key wrap described in RFC2630), the content-encryption key is concatenated with its length and padded to a multiple of 8, if required:
Parameters:
contentEncryptionKey - the content encryption key for which to calculate the LCEKPAD value
Throws:
java.security.InvalidKeyException - if the cek cannot be prepared for some reason
protected java.security.Key finishUnWrap(byte[] decryptedCek, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType) throws java.security.InvalidKeyException
As last step of the CAST128 Key UnWrap algorithm (equivalent to RC2 key unwrap described in RFC2630), the LCEKPAD (composed of cek-length, decrypted content-encryption key and optional padding) has to be decomposed for getting the cek.
Parameters:
decryptedCek - the LCEKPAD value (LENGTH || CEK || PAD)
wrappedKeyAlgorithm - the content encryption key algorithm
wrappedKeyType - the key type, Cipher.SECRET_KEY
Throws:
java.security.InvalidKeyException - if the key cannot be unwrapped because the PAD value of the LCEKPAD is invalid (has a length not shorter than 8)
public void engineInit(int opmode, java.security.Key key, java.security.SecureRandom random) throws java.security.InvalidKeyException
If the cipher has to be initialized for key wrap, a random IV is used. If the cipher has to be initialized for key unwrap, a fixed CMS key wrap IV is used.
Parameters:
opmode - the operation mode for which this cipher is used (WRAP_MODE or UNWRAP_MODE)
key - the key encryption key to be used
random - the random seed
Throws:
java.security.InvalidKeyException - if the given key cannot be used for initializing this cipher
See Also:
Cipher.init(int, java.security.Key), CipherSpi.engineInit(int, java.security.Key, java.security.SecureRandom)
public void engineSetPadding(java.lang.String paddingName) throws javax.crypto.NoSuchPaddingException
This method only overrides engineSetPadding to prevent an application from requesting a specific padding scheme (this key wrap cipher itself takes care of padding).
Parameters:
paddingName - the name of the padding scheme; ignored
Throws:
javax.crypto.NoSuchPaddingException - if this padding scheme is not supported
See Also:
CipherSpi.engineSetPadding(java.lang.String)
public void engineSetMode(java.lang.String mode) throws java.security.NoSuchAlgorithmException
This method only overrides engineSetMode to prevent an application from requesting a specific cipher mode (this key wrap cipher always uses "CBC").
Parameters:
mode - the cipher mode
Throws:
java.security.NoSuchAlgorithmException - if this cipher mode is not supported
See Also:
CipherSpi.engineSetMode(java.lang.String)
public byte[] engineUpdate(byte[] in, int inOff, int inLen)
wrap/unwrap for wrapping/unwrapping a key.
Parameters:
in - the input data.
inOff - the offset indicating where the subarray starts in the in array.
inLen - the length of the subarray.
See Also:
BufferedCipher.engineDoFinal(byte[], int, int, byte[], int), Cipher.doFinal(), Cipher.update(byte[]), CipherSpi.engineUpdate(byte[], int, int)
public int engineUpdate(byte[] in, int inOff, int inLen, byte[] out, int outOff) throws javax.crypto.ShortBufferException
wrap/unwrap for wrapping/unwrapping a key.
Parameters:
in - the input data.
inOff - the offset indicating where the subarray starts in the in array.
inLen - the length of the subarray.
out - the output buffer.
outOff - the offset indicating where to start writing the result into the output buffer (out array).
Throws:
javax.crypto.ShortBufferException - if the buffer size is too short
See Also:
BufferedCipher.engineDoFinal(byte[], int, int, byte[], int), Cipher.doFinal(), Cipher.update(byte[]), CipherSpi.engineUpdate(byte[], int, int)
public int engineDoFinal(byte[] in, int inOff, int inLen, byte[] out, int outOff) throws javax.crypto.ShortBufferException, javax.crypto.IllegalBlockSizeException, javax.crypto.BadPaddingException
wrap/unwrap for wrapping/unwrapping a key.
Parameters:
in - the byte array holding the data to be processed
inOff - the offset indicating the start position within the input byte array
inLen - the number of bytes to be processed
out - the byte array for holding the result
outOff - the offset indicating the start position within the output byte array to which the en/decrypted data is written
Throws:
javax.crypto.ShortBufferException - if the given output buffer is too small for holding the result
javax.crypto.IllegalBlockSizeException - if the total length of the processed data is not a multiple of the block size for a (no padding performing) block cipher
javax.crypto.BadPaddingException - if the decrypted data is not bounded by the proper padding bytes after data decryption including (un)padding
See Also:
Cipher.doFinal(), CipherSpi.engineDoFinal(byte[], int, int)
public byte[] engineDoFinal(byte[] in, int inOff, int inLen) throws javax.crypto.IllegalBlockSizeException, javax.crypto.BadPaddingException
wrap/unwrap for wrapping/unwrapping a key.
Parameters:
in - the byte array holding the data to be processed
inOff - the offset indicating the start position within the input byte array
inLen - the number of bytes to be processed
Throws:
javax.crypto.IllegalBlockSizeException - if the total length of the processed data is not a multiple of the block size for a (no padding performing) block cipher
javax.crypto.BadPaddingException - if the decrypted data is not bounded by the proper padding bytes after data decryption including (un)padding
See Also:
Cipher.doFinal(), CipherSpi.engineDoFinal(byte[], int, int)
public byte[] engineGetIV()
See Also:
Cipher.getIV(), CipherSpi.engineGetIV()
public java.lang.String toString()
protected byte[] engineWrap(java.security.Key key) throws javax.crypto.IllegalBlockSizeException, java.security.InvalidKeyException
Throws:
javax.crypto.IllegalBlockSizeException
java.security.InvalidKeyException
protected java.security.Key engineUnwrap(byte[] wrappedKey, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType) throws java.security.InvalidKeyException, java.security.NoSuchAlgorithmException
This method implements the core operations common to the Triple-DES and RC2 Key Wrap algorithms of RFC 2630, in particular the equivalent steps 1 to 7 of Triple-DES Key Unwrap (section 12.6.3 of RFC 2630) respectively steps 1 to 7 of RC2 Key Unwrap (section 12.6.5 of RFC 2630). Any key wrap algorithm specific operations required to finish the unwrap procedure may be done by implementing the abstract method finishUnWrap for the specific key wrap algorithm in mind. Triple-DES Key wrap, for instance, requires the content encryption key to be (odd) parity adjusted before being wrapped. Triple-DES Key Wrap is implemented by class TripleDESKeyWrap which implements method finishUnWrap to check odd parity at the end of the unwrapping procedure.
Parameters:
wrappedKey - the wrapped content encryption key to be unwrapped
wrappedKeyAlgorithm - the content encryption key algorithm
wrappedKeyType - the key type, Cipher.SECRET_KEY
Throws:
java.security.InvalidKeyException - if an error occurs while unwrapping the key
java.security.NoSuchAlgorithmException - if the algorithm used is not supported by the installed providers
protected java.security.SecureRandom getRandom()
If no SecureRandom has been set, a new one is created.
protected byte[] computeLCEKPAD(java.security.Key contentEncryptionKey)
As first step of the RC2 Key Wrap algorithm described in RFC2630, the content-encryption key is concatenated with its length and padded to a multiple of 8, if required:
preparing the content encryption key for the wrapping procedure.
Parameters:
contentEncryptionKey - the content encryption key for which to calculate the LCEKPAD value
protected byte[] decomposeLCEKPAD(byte[] LCEKPAD) throws javax.crypto.BadPaddingException
As last step of the RC2 Key UnWrap algorithm described in RFC2630, the LCEKPAD (composed of cek-length, decrypted content-encryption key and optional padding) has to be decomposed for getting the cek. Since LCEKPAD also may be used by other key wrap algorithms than RC2 (e.g. CAST-128 Key Wrap; RFC2984) this method may be used for decomposing the LCEKPAD value when finishing the unwrapping procedure.
Parameters:
LCEKPAD - the LCEKPAD value (LENGTH || CEK || PAD)
Throws:
javax.crypto.BadPaddingException - if the PAD value of the LCEKPAD has a length not shorter than 8
protected void engineUpdateAAD(byte[] src, int offset, int len)
engineUpdateAAD in class javax.crypto.CipherSpi
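The LCEKPAD handling described for computeLCEKPAD and decomposeLCEKPAD (and relied on by prepareWrap and finishUnWrap), as an added Java example that is not the IAIK implementation. The names LcekpadDemo, compose and decompose are hypothetical, the sample key is constructed, and filling PAD with random octets follows RFC 2630 rather than anything stated on this page.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.BadPaddingException;

/** Added illustration of LCEKPAD = LENGTH || CEK || PAD (hypothetical class). */
public class LcekpadDemo {

    /** Builds LENGTH || CEK || PAD, padded with random octets to a multiple of 8. */
    static byte[] compose(byte[] cek, SecureRandom random) {
        if (cek.length == 0 || cek.length > 255) {
            throw new IllegalArgumentException("CEK length must fit in one octet");
        }
        int lcekLen = 1 + cek.length;
        int padLen = (8 - (lcekLen % 8)) % 8;        // always 0..7 octets
        byte[] out = new byte[lcekLen + padLen];
        out[0] = (byte) cek.length;                  // LENGTH octet
        System.arraycopy(cek, 0, out, 1, cek.length);
        if (padLen > 0) {
            byte[] pad = new byte[padLen];
            random.nextBytes(pad);
            System.arraycopy(pad, 0, out, lcekLen, padLen);
        }
        return out;
    }

    /** Recovers the CEK; rejects input whose implied PAD is negative or not shorter than 8. */
    static byte[] decompose(byte[] lcekpad) throws BadPaddingException {
        if (lcekpad.length == 0 || lcekpad.length % 8 != 0) {
            throw new BadPaddingException("LCEKPAD is not a multiple of 8 octets");
        }
        int length = lcekpad[0] & 0xff;              // LENGTH is one unsigned octet
        int padLen = lcekpad.length - 1 - length;
        if (padLen < 0 || padLen >= 8) {
            throw new BadPaddingException("invalid PAD length " + padLen);
        }
        return Arrays.copyOfRange(lcekpad, 1, 1 + length);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom random = new SecureRandom();
        byte[] cek = new byte[16];                   // constructed sample: 128-bit CEK
        random.nextBytes(cek);

        byte[] lcekpad = compose(cek, random);
        System.out.println("LCEKPAD length: " + lcekpad.length);
        System.out.println("round trip ok:  " + Arrays.equals(cek, decompose(lcekpad)));

        // A corrupted LENGTH octet implies a PAD of 8 or more octets and is rejected.
        lcekpad[0] = 5;
        try {
            decompose(lcekpad);
        } catch (BadPaddingException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```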
public int engineGetOutputSize(int inLen)
Returns the output buffer size necessary for capturing the data resulting from the next update or doFinal operation including any data currently being buffered.
engineGetOutputSize in class javax.crypto.CipherSpi
Parameters:
inLen - the number of bytes to process
See Also:
Cipher.getOutputSize(int), CipherSpi.engineGetOutputSize(int)
public int getModeBlockSize()
public int engineGetBlockSize()
engineGetBlockSize in class javax.crypto.CipherSpi
See Also:
Cipher.getBlockSize(), CipherSpi.engineGetBlockSize()
protected int engineGetKeySize(java.security.Key key) throws java.security.InvalidKeyException
engineGetKeySize in class javax.crypto.CipherSpi
Throws:
java.security.InvalidKeyException
6.0 (c) 2002 IAIK, (c) 2003 - 2022 SIC