iaik.security.ssl

Class IaikEccProvider

java.lang.Object

iaik.security.ssl.SecurityProvider

iaik.security.ssl.IaikProvider

iaik.security.ssl.IaikEccProvider

Deprecated.

use IAIK ECCelerate^TM

public class IaikEccProvider
extends IaikProvider

This class implements an iSaSiLk SecurityProvider for the old IAIK-ECC cryptographic provider "IAIK_ECC".
Usage of the old IAIK_ECC library is deprecated. You should use the new IAIK ECCelerate^TM library instead. An ECC enabling iSaSiLk SecurityProvider (iaik.security.ssl.ECCelerateProvider) is included within the iaik_ssl.jar file.

This iSaSiLk SecurityProvider implements some methods that are required for supporting elliptic curve cipher suites according to RFC 4492.

To install this security provider call:

 // register IAIK-ECC provider 
 iaik.security.ecc.provider.ECCProvider.addAsProvider();
 // install security provider
 SecurityProvider.setSecurityProvider(new IaikEccProvider());
 

Version:

File Revision 28

See Also:

SecurityProvider, IaikProvider

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	EC_DEFAULT_BINARY Deprecated. Default binary curve to be used if arbitrary char2 curves are suggested by the client.
static java.lang.String	EC_DEFAULT_PRIME Deprecated. Default prime curve to be used if arbitrary prime curves are suggested by the client.

Fields inherited from class iaik.security.ssl.SecurityProvider

ALG_CIPHER_3DES, ALG_CIPHER_AES, ALG_CIPHER_AES_CCM, ALG_CIPHER_AES_GCM, ALG_CIPHER_AES_PKCS5, ALG_CIPHER_CAMELLIA, ALG_CIPHER_CAMELLIA_GCM, ALG_CIPHER_CHACHA20_POLY1305, ALG_CIPHER_DES, ALG_CIPHER_IDEA, ALG_CIPHER_RC2, ALG_CIPHER_RC4, ALG_CIPHER_RSA, ALG_CIPHER_RSA_DECRYPT, ALG_CIPHER_RSA_ENCRYPT, ALG_CIPHER_RSA_ENCRYPT_SSL2, ALG_CIPHER_RSA_SIGN, ALG_CIPHER_RSA_VERIFY, ALG_DIGEST_MD5, ALG_DIGEST_SHA, ALG_DIGEST_SHA1, ALG_DIGEST_SHA224, ALG_DIGEST_SHA256, ALG_DIGEST_SHA384, ALG_DIGEST_SHA512, ALG_HMAC_MD5, ALG_HMAC_SHA, ALG_HMAC_SHA256, ALG_HMAC_SHA384, ALG_HMAC_SHA512, ALG_KEM_MLKEM1024, ALG_KEM_MLKEM512, ALG_KEM_MLKEM768, ALG_KEYEX_DH, ALG_KEYEX_DSA, ALG_KEYEX_DSA_CLIENT, ALG_KEYEX_ECDH, ALG_KEYEX_ECDSA, ALG_KEYEX_ECDSA_CLIENT, ALG_KEYEX_RSA, ALG_KEYGEN_AES, ALG_KEYGEN_HMAC_SHA, ALG_KEYGEN_HMAC_SHA256, ALG_KEYGEN_PBKDF2, ALG_KEYPAIR_RSA, ALG_SIGNATURE_MD5RSA, ALG_SIGNATURE_RAWDSA, ALG_SIGNATURE_RAWECDSA, ALG_SIGNATURE_RAWRSAPSS, ALG_SIGNATURE_SHA1ECDSA, ALG_SIGNATURE_SHA1RSA, ALG_SIGNATURE_SHA224ECDSA, ALG_SIGNATURE_SHA224RSA, ALG_SIGNATURE_SHA256ECDSA, ALG_SIGNATURE_SHA256RSA, ALG_SIGNATURE_SHA384ECDSA, ALG_SIGNATURE_SHA384RSA, ALG_SIGNATURE_SHA512ECDSA, ALG_SIGNATURE_SHA512RSA, ALG_SIGNATURE_SHADSA, ALG_SIGNATURE_SHAECDSA, CIPHER_DECRYPT, CIPHER_ENCRYPT, CIPHER_NONE, configuration_, CONFIGURATION_PROPERTIES, KEYAGREEMENT_INIT, KEYAGREEMENT_NONE, provider, providerName, SIGNATURE_NONE, SIGNATURE_SIGN, SIGNATURE_VERIFY

Constructor Summary

Constructors

Constructor and Description
IaikEccProvider() Deprecated. Default constructor.

Method Summary

Modifier and Type	Method and Description
boolean	checkIfOnSameCurve(java.security.PublicKey ecdhServerPublicKey, java.security.PublicKey ecdhClientPublicKey) Deprecated. Checks if the given public server and client key are on the same elliptic curve.
boolean	checkKeyECPointFormat(java.security.PublicKey publicKey, SupportedPointFormats supportedPointFormats) Deprecated. Checks if the given public key complies with the given SupportedPointFormats extension.
boolean	checkKeyEllipticCurve(java.security.PublicKey publicKey, SupportedEllipticCurves supportedEllipticCurves) Deprecated. Checks if the given public key complies with the given SupportedEllipticCurves extension.
java.security.PublicKey	decodeECPublicKey(byte[] ecPoint, java.security.PrivateKey privateKey, SupportedPointFormats supportedPointFormats) Deprecated. Decodes the given encoded EC PublicKey according to the Octet-String-to-Point conversion of ANSI X9.62 (1998), section 4.3.7.
java.security.PublicKey	decodeECPublicKey(byte[] ecPoint, SupportedEllipticCurves.NamedCurve curve, SupportedPointFormats supportedPointFormats, SupportedEllipticCurves supportedEllipticCurves) Deprecated. Decodes the given encoded EC PublicKey according to the Octet-String-to-Point conversion of ANSI X9.62 (1998), section 4.3.7.
byte[]	encodeECPublicKey(java.security.PublicKey publicKey, SupportedPointFormats supportedPointFormats) Deprecated. Encodes the given EC PublicKey according to the Point-To-Octet-String conversion of ANSI X9.62 (1998), section 4.3.6.
java.security.KeyPair	generateECKeyPair(java.security.PublicKey serverKey) Deprecated. Generates a key pair with same domain parameters as the given public key for the given key agreement method.
java.security.KeyPair	generateECKeyPair(SupportedEllipticCurves supportedEllipticCurves, SupportedPointFormats supportedPointFormats) Deprecated. Generates a EC key pair according to the given list of supported curves.
SupportedEllipticCurves.NamedCurve	getCurve(java.security.PrivateKey ecPrivateKey) Deprecated. Gets the NamedCurve belonging to the given private EC key.
SupportedEllipticCurves.NamedCurve	getCurve(java.security.PublicKey ecPublicKey) Deprecated. Gets the NamedCurve belonging to the given public EC key.
java.lang.String	getCurveName(java.security.PrivateKey ecPrivateKey) Deprecated. Gets the curve name belonging to the given private EC key.
java.lang.String	getCurveName(java.security.PublicKey ecPublicKey) Deprecated. Gets the curve name belonging to the given public EC key.
SupportedPointFormats.ECPointFormat	getECPointFormat(java.security.PublicKey ecPublicKey) Deprecated. Gets the ECPointFormat (uncompressed, compressed prime, compressed char2) of the given public EC key.
javax.crypto.KeyAgreement	getKeyAgreement(java.lang.String algorithm, int mode, java.security.Key key, java.security.spec.AlgorithmParameterSpec params, java.security.SecureRandom random) Deprecated. Gets a KeyAgreement object for the given algorithm.
int	getKeyLength(java.security.PrivateKey privKey) Deprecated. Calculates the length of the given private key.
int	getKeyLength(java.security.PublicKey pubKey) Deprecated. Calculates the length of the given public key.
protected java.security.Signature	getSignature(java.lang.String algorithm, int mode, java.security.Key key, java.security.SecureRandom random) Deprecated. Return a Signature implementation for the requested algorithm from the IAIK_ECC provider.
boolean	isBinary(java.security.PublicKey ecPublicKey) Deprecated. Checks if the curve of the given EC Public Key is binary or prime.
boolean	isNamedCurveSupported(SupportedEllipticCurves.NamedCurve curve) Deprecated. Checks if the given NamedCurve is supported by this SecurityProvider.
boolean	isPointFormatSupported(SupportedPointFormats.ECPointFormat pointFormat) Deprecated. Checks if the given ECPointFormat is supported by this SecurityProvider.

Methods inherited from class iaik.security.ssl.IaikProvider

aeadDecrypt, aeadEncrypt, calculateTrustedAuthorityIdentifier, canBeUsedWithKey, checkCreatedRSAServerKeyExchangeSignature, checkExtendedKeyUsage, createCertStatusRequest, createPkiPath, deriveKey, getCipher, getDHPrivateKey, getDHPublicKey, getEncodedPrincipal, getMessageDigest, getPrincipal, getRSAPssParameterSpec, getRSAPublicKey, getSecureRandom, getTLSServerName, getTLSServerName, getX509Certificate, getX509Certificate, getX509Certificates, loadKeyStore, loadKeyStore

Methods inherited from class iaik.security.ssl.SecurityProvider

calculateRawSignature, calculateRawSignature, canBeUsedWithKey, canBeUsedWithKey, canBeUsedWithKey, canBeUsedWithVersion, checkCertSignatureAlgorithm, checkCertSignatureAlgorithm, checkCertSignatureAlgorithm, checkKeyLength, checkKeyLength, continueIfPeerDoesNotSupportSecureRenegotiation, createSharedECDHSecret, decapsulate, decodePqcPublicKey, decodeURL, encapsulate, encodePqcPublicKey, encodeURL, generateECKeyPair, generateExtendedMasterSecret, generateMasterSecret, generateMasterSecret, generatePqcKeyPair, getAlgorithmParameterGenerator, getCurve, getDefaultCurve, getKeyGenerator, getKeyLength, getKeyPairGenerator, getMac, getMacLength, getNamedCurve, getSecurityProvider, getSignature, getSignatureAlgorithms, getSignatureAlgorithms, getSignatureScheme, getTLSServerName, getTLSServerName, isImplemented, isImplemented, isImplementedSignatureAlgorithm, isNamedGroupSupported, setImplementationCheckDebugStream, setSecurityProvider, validateDHPublicKey, verifyRawSignature

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

EC_DEFAULT_PRIME

public static final java.lang.String EC_DEFAULT_PRIME

Deprecated.

Default prime curve to be used if arbitrary prime curves are suggested by the client.

See Also:

Constant Field Values

EC_DEFAULT_BINARY

public static final java.lang.String EC_DEFAULT_BINARY

Deprecated.

Default binary curve to be used if arbitrary char2 curves are suggested by the client.

See Also:

Constant Field Values

Constructor Detail

IaikEccProvider

public IaikEccProvider()

Deprecated.

Default constructor.

Method Detail

getSignature

protected java.security.Signature getSignature(java.lang.String algorithm,
                                               int mode,
                                               java.security.Key key,
                                               java.security.SecureRandom random)
                                        throws java.lang.Exception

Deprecated.

Return a Signature implementation for the requested algorithm from the IAIK_ECC provider.

Overrides:

getSignature in class IaikProvider

Parameters:

algorithm - the name of the signature algorithm

mode - the mode deciding whether to initialize the Signature engine for signing (SIGNATURE_SIGN), for verification (SIGNATURE_VERIFY) or whether to do not initialize the engine at all (SIGNATURE_NONE)

key - the key with which to -- if requested -- init the Signature object (if not null)

random - the random generator with which to -- if requested -- init the Signature object (if not null) (ignored because of JDK 1.1 compatibility; an application may override this method to use signature.initSign(privateKey, random);)

Returns:

the (maybe initialized) Signature engine

Throws:

java.lang.Exception

getKeyAgreement

public javax.crypto.KeyAgreement getKeyAgreement(java.lang.String algorithm,
                                                 int mode,
                                                 java.security.Key key,
                                                 java.security.spec.AlgorithmParameterSpec params,
                                                 java.security.SecureRandom random)
                                          throws java.lang.Exception

Deprecated.

Gets a KeyAgreement object for the given algorithm. iSaSiLk uses a KeyAgreement engine for ECDH based cipher suites.

If the mode parameter is KEYAGREEMENT_INIT the KeyAgreement object is to be initialized with the provided key, parameters (if not null) and random number generator (if not null).

Overrides:

getKeyAgreement in class SecurityProvider

Parameters:

algorithm - the name of the KeyAgreement algorithm (e.g. "ECDH")

mode - the mode deciding whether to initialize (KEYAGREEMENT_INIT) the KeyAgreement or not (KEYAGREEMENT_NONE)

key - the key with which to -- if requested -- init the KeyAgreement object (if not null)

params - the parameters with which to (-- if requested -- init the KeyAgreement object (if not null)

random - the random generator with which to -- if requested -- init the KeyAgreement object (if not null)

Returns:

the KeyAgreement instance

Throws:

java.lang.Exception - if no KeyAgreement instance for the required algorithm is available or initialization of the KeyAgreement object fails

getKeyLength

public int getKeyLength(java.security.PublicKey pubKey)

Deprecated.

Calculates the length of the given public key.

Overrides:

getKeyLength in class SecurityProvider

Parameters:

pubKey - the public key for which to calculate the length

Returns:

the length (in bits) of the public key

Throws:

java.lang.IllegalArgumentException - if the public key algorithm is not supported

getKeyLength

public int getKeyLength(java.security.PrivateKey privKey)

Deprecated.

Calculates the length of the given private key.

Overrides:

getKeyLength in class SecurityProvider

Parameters:

privKey - the public key for which to calculate the length

Returns:

the length (in bits) of the private key

Throws:

java.lang.IllegalArgumentException - if the private key algorithm is not supported

encodeECPublicKey

public byte[] encodeECPublicKey(java.security.PublicKey publicKey,
                                SupportedPointFormats supportedPointFormats)
                         throws java.lang.Exception

Deprecated.

Encodes the given EC PublicKey according to the Point-To-Octet-String conversion of ANSI X9.62 (1998), section 4.3.6.

Overrides:

encodeECPublicKey in class SecurityProvider

Parameters:

publicKey - the public EC key to be encoded

supportedPointFormats - the supported point formats of the peer; or null if the peer did not send a SupportedPointFormats extension (in this case the uncompressed format has to be used)

Returns:

the encoded EC key

Throws:

java.lang.Exception - if an error occurs when encoding the key

decodeECPublicKey

public java.security.PublicKey decodeECPublicKey(byte[] ecPoint,
                                                 SupportedEllipticCurves.NamedCurve curve,
                                                 SupportedPointFormats supportedPointFormats,
                                                 SupportedEllipticCurves supportedEllipticCurves)
                                          throws java.lang.Exception

Deprecated.

Decodes the given encoded EC PublicKey according to the Octet-String-to-Point conversion of ANSI X9.62 (1998), section 4.3.7.

This method is called on the client side to decode the public server key contained in an ECDH ServerKeyExchange message received from the server.

Overrides:

decodeECPublicKey in class SecurityProvider

Parameters:

ecPoint - the (client) public key ECPoint, encoded according to ANSI X9.62 (1998), section 4.3.6

curve - the curve of the key

supportedPointFormats - the supported point formats sent to the server within the SupportedPointFormats extension; if not null check if the received key corresponds with the supported point formats

supportedEllipticCurves - the supported elliptic curves sent to the server within the SupportedEllipticCurves extension; if not null check if the received curve corresponds with the supported curve list

Returns:

the decoded public EC key

Throws:

java.lang.Exception - if an error occurs when decoding the key

decodeECPublicKey

public java.security.PublicKey decodeECPublicKey(byte[] ecPoint,
                                                 java.security.PrivateKey privateKey,
                                                 SupportedPointFormats supportedPointFormats)
                                          throws java.lang.Exception

Deprecated.

Decodes the given encoded EC PublicKey according to the Octet-String-to-Point conversion of ANSI X9.62 (1998), section 4.3.7.

This method is called on the server side to decode the public client key contained in an ECDH ClientKeyExchange message received from the client.

Overrides:

decodeECPublicKey in class SecurityProvider

Parameters:

ecPoint - the (client) public key ECPoint, encoded according to ANSI X9.62 (1998), section 4.3.6

privateKey - the private (server) key containing the required domain parameters

supportedPointFormats - the SupportedPointFormats extension sent to the client; if not null check if the received key corresponds with the supported point formats

Returns:

the decoded public EC key

Throws:

java.lang.Exception - if an error occurs when decoding the key

generateECKeyPair

public java.security.KeyPair generateECKeyPair(java.security.PublicKey serverKey)
                                        throws java.lang.Exception

Deprecated.

Generates a key pair with same domain parameters as the given public key for the given key agreement method.

This method is called by the library for creating the client key pair if ECDH or ECDHE ephemeral key exchange is used without fixed client authentication.

Overrides:

generateECKeyPair in class SecurityProvider

Parameters:

serverKey - the public key of the server

Returns:

the client key pair with domain parameters matching to those of the supplied server key;

Throws:

java.lang.Exception - if an error occurs when creating the key pair

generateECKeyPair

public java.security.KeyPair generateECKeyPair(SupportedEllipticCurves supportedEllipticCurves,
                                               SupportedPointFormats supportedPointFormats)
                                        throws java.lang.Exception

Deprecated.

Generates a EC key pair according to the given list of supported curves.

Overrides:

generateECKeyPair in class SecurityProvider

Parameters:

supportedEllipticCurves - the supported elliptic curves, maybe null if the client has not sent a SupportedEllipticCurves extension

supportedPointFormats - the supported point formats; if not null maybe used to check if the peer may prefer a char2 curve (if no SupportedEllipticCurves extension has been sent)

Returns:

the new EC KeyPair

Throws:

java.lang.Exception - if an error occurs when generating the EC KeyPair

getCurve

public SupportedEllipticCurves.NamedCurve getCurve(java.security.PublicKey ecPublicKey)

Deprecated.

Gets the NamedCurve belonging to the given public EC key.

Overrides:

getCurve in class SecurityProvider

Parameters:

ecPublicKey - the public EC

Returns:

the NamedCurve of the public EC key or null if the curve of the key is not supported

getCurveName

public java.lang.String getCurveName(java.security.PublicKey ecPublicKey)

Deprecated.

Gets the curve name belonging to the given public EC key.

Overrides:

getCurveName in class SecurityProvider

Parameters:

ecPublicKey - the public EC key for which to get the NamedCurve

Returns:

the curve name of the public EC key or null if the curve of the key is not supported

getCurve

public SupportedEllipticCurves.NamedCurve getCurve(java.security.PrivateKey ecPrivateKey)

Deprecated.

Gets the NamedCurve belonging to the given private EC key.

Overrides:

getCurve in class SecurityProvider

Parameters:

ecPrivateKey - the private EC key

Returns:

the NamedCurve of the public EC key or null if the curve of the key is not supported

getCurveName

public java.lang.String getCurveName(java.security.PrivateKey ecPrivateKey)

Deprecated.

Gets the curve name belonging to the given private EC key.

Overrides:

getCurveName in class SecurityProvider

Parameters:

ecPrivateKey - the private EC key for which to get the NamedCurve

Returns:

the curve name of the private EC key or null if the curve of the key is not supported

getECPointFormat

public SupportedPointFormats.ECPointFormat getECPointFormat(java.security.PublicKey ecPublicKey)

Deprecated.

Gets the ECPointFormat (uncompressed, compressed prime, compressed char2) of the given public EC key.

Overrides:

getECPointFormat in class SecurityProvider

Parameters:

ecPublicKey - the public EC key for which to get the EC point format

Returns:

the ECPointFormat of the public EC key or null if the point format cannot be checked

isBinary

public boolean isBinary(java.security.PublicKey ecPublicKey)
                 throws java.lang.Exception

Deprecated.

Checks if the curve of the given EC Public Key is binary or prime.

Overrides:

isBinary in class SecurityProvider

Parameters:

ecPublicKey - the EC public key

Throws:

java.lang.Exception - if the key does not represent an EC key or it cannot be determined if the underlying field is prime or binary

checkIfOnSameCurve

public boolean checkIfOnSameCurve(java.security.PublicKey ecdhServerPublicKey,
                                  java.security.PublicKey ecdhClientPublicKey)

Deprecated.

Checks if the given public server and client key are on the same elliptic curve. Required for client authentication schemes ECDSA_fixed_ECDH and RSA_fixed_ECDH.

Overrides:

checkIfOnSameCurve in class SecurityProvider

Parameters:

ecdhServerPublicKey - the ECDH public key of the server

ecdhClientPublicKey - the ECDH public key of the client

Returns:

true if the two keys are on the same curve, false if not

isPointFormatSupported

public boolean isPointFormatSupported(SupportedPointFormats.ECPointFormat pointFormat)

Deprecated.

Checks if the given ECPointFormat is supported by this SecurityProvider.

Overrides:

isPointFormatSupported in class SecurityProvider

Parameters:

pointFormat - the ECPointFormat to be checked

Returns:

true if the given ECPointFormat is supported, false if it is not supported.

isNamedCurveSupported

public boolean isNamedCurveSupported(SupportedEllipticCurves.NamedCurve curve)

Deprecated.

Checks if the given NamedCurve is supported by this SecurityProvider.

Overrides:

isNamedCurveSupported in class SecurityProvider

Parameters:

curve - the NamedCurve to be checked

Returns:

true if the given NamedCurve is supported, false if it is not supported.

checkKeyEllipticCurve

public boolean checkKeyEllipticCurve(java.security.PublicKey publicKey,
                                     SupportedEllipticCurves supportedEllipticCurves)

Deprecated.

Checks if the given public key complies with the given SupportedEllipticCurves extension.
This method is used to check if the server uses an EC key that complies with the curves contained in the SupportedEllipticCurves extension that has been sent to the server.

Overrides:

checkKeyEllipticCurve in class SecurityProvider

Parameters:

publicKey - the public key used by the server

supportedEllipticCurves - the SupportedEllipticCurves extension sent by the client; maybe null if the client has not sent a SupportedEllipticCurves extension

Returns:

true if the public key complies with the SupportedEllipticCurves extension, false if it is does not comply with it.

checkKeyECPointFormat

public boolean checkKeyECPointFormat(java.security.PublicKey publicKey,
                                     SupportedPointFormats supportedPointFormats)

Deprecated.

Checks if the given public key complies with the given SupportedPointFormats extension.
This method is used to check if the peer uses an EC key that complies with the point formats contained in the SupportedPointFormats extension that has been sent to the peer within the Hello message.
By default this method returns false (since EC point format check is not supported JDK- and provider independently).

Overrides:

checkKeyECPointFormat in class SecurityProvider

Parameters:

publicKey - the public key used by the server

supportedPointFormats - the SupportedPointFormats extension sent within the Hello message; maybe null if no SupportedPointFormats extension has been sent to the peer (in this case the uncompressed format has to be used!)

Returns:

true if the public key complies with the SupportedPointFormats extension, false if it is does not comply with it. By default this method returns false (since EC point format is not supported JDK- and provider independently)