iaik.pkcs.pkcs11.provider.ciphers

Class PKCS11Cipher

java.lang.Object

javax.crypto.CipherSpi

iaik.pkcs.pkcs11.provider.ciphers.PKCS11Cipher

All Implemented Interfaces:

PKCS11EngineClass

Direct Known Subclasses:

BlockCipher, EciesCipher, Rc4Cipher, RsaCipher

public abstract class PKCS11Cipher
extends javax.crypto.CipherSpi
implements PKCS11EngineClass

This is an implementation of a Cipher class that uses the IAIK PKCS#11 wrapper to access the token. With IAIKPKCS11PrivateKey, IAIKPKCS11PublicKey and IAIKPKCS11SecretKey it works with the underlying PKCS#11 module. If it is used with non-PKCS#11 keys, keys which are not of the aforementioned classes, it uses a software cipher of the configured delegate provider. It is the base class for the implementations of the various algorithms.

Author:

Karl Scheibelhofer

Field Summary

Fields

Modifier and Type	Field and Description
protected boolean	currentKeyIsSoftwareKey_ Indiecates that the currently used key is a software key.
protected static byte[]	DUMMY_DATA Dummy data that we
protected boolean	initialized_ Indicates, if this object is initialized and ready for encryption or decryption.
protected IAIKPKCS11Key	key_ The key to use for encryption/decryption.
protected iaik.pkcs.pkcs11.objects.Key	keyObject_ The PKCS#11 key object of the current key.
protected iaik.pkcs.pkcs11.Mechanism	mechanism_ The current cryptoki mechanism to use.
protected java.lang.String	mode_ The name of the current mode.
protected boolean	modeChanged_ Indicates that the mode has been changed.
protected int	operationMode_ The state of this object; DECRYPT_MODE, ENCRYPT_MODE, UNWRAP_MODE or WRAP_MODE.
protected java.lang.String	padding_ The name of the current padding.
protected boolean	paddingChanged_ Indicates that the padding has been changed.
protected java.security.AlgorithmParameters	parameters_ Any currently used parameter.
protected PKCS11Spec	parameterSpecs_ The parameter specs.
protected boolean	pkcs11OperationInitialized_ Indicates, if the PKCS#11 cipher is already initialized for the next cipher operation round.
protected iaik.pkcs.pkcs11.Session	session_ The session this object works with.
protected javax.crypto.Cipher	softwareDelegate_ The software implementation, if the currently used key is not a PKCS#11 key.
protected TokenManager	tokenManager_ Token manager used to login session, if required.
protected iaik.pkcs.pkcs11.objects.Key	unwrapTemplate_ The unwrap template for an unwrap operation.
protected boolean	updateUsed_ Indicates, if the currently active operation has already used any update function.
protected iaik.pkcs.pkcs11.MechanismInfo[][]	usedMechanismInfos_ The mechanism info is the same for all digest mechanisms.
protected iaik.pkcs.pkcs11.Mechanism[]	usedMechanisms_ The list of used mechanisms.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	PKCS11Cipher() Default constructor.

Method Summary

Modifier and Type	Method and Description
protected abstract void	checkKeyObject(iaik.pkcs.pkcs11.objects.Key key) Check the given key object, if it is acceptable for this cipher.
protected byte[]	engineDoFinal(byte[] input, int inputOffset, int inputLength) Update the currently running cipher operation with the given data and finish the current operation.
protected int	engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset) Update the currently running cipher operation with the given data and finish the current operation.
protected int	engineGetBlockSize() If initialized with a PKCS#11 key, this method returns -1 by default.
protected byte[]	engineGetIV() If initialized with a PKCS#11 key, this method returns null by default.
protected int	engineGetKeySize(java.security.Key key) If initialized with a PKCS#11 key, this method returns -1 by default.
protected int	engineGetOutputSize(int inputLength) If initialized with a PKCS#11 key, this method returns -1 by default.
protected java.security.AlgorithmParameters	engineGetParameters() Returns the parameters used with this cipher.
protected void	engineInit(int operationMode, java.security.Key key, java.security.spec.AlgorithmParameterSpec parameterSpecs, java.security.SecureRandom randomSource) Initialize this cipher for an operation.
protected void	engineInit(int operationMode, java.security.Key key, java.security.AlgorithmParameters parameters, java.security.SecureRandom random) Initialize this cipher for an operation.
protected void	engineInit(int operationMode, java.security.Key key, java.security.SecureRandom randomSource) Initialize this cipher for an operation.
protected void	engineSetMode(java.lang.String mode) Set the mode of operation.
protected void	engineSetPadding(java.lang.String padding) Set the padding scheme.
protected java.security.Key	engineUnwrap(byte[] wrappedKey, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType) Unwrap (decrypt) the given wrapped (encrypted) key.
protected byte[]	engineUpdate(byte[] data, int offset, int length) Update the currently running cipher operation with the given data.
protected int	engineUpdate(byte[] input, int inputOffset, int inputLength, byte[] output, int outputOffset) Update the currently running cipher operation with the given data and write the intermediate result (if any) to the given buffer.
protected void	engineUpdateAAD(byte[] src, int offset, int len) Updates the Additional Authentication Data (AAD) with the given data.
protected byte[]	engineWrap(java.security.Key key) Wrap (encrypt) the given key.
protected void	finalize() Tries to close the used session.
protected void	finalizePkcs11Operation() The internal session finalization method, if the current operation has been finished.
protected abstract java.lang.String	getAlgorithmName() Get the JCE name of this cipher algorithm.
protected abstract iaik.pkcs.pkcs11.Mechanism	getDefaultMechanism() Get the default mechanism of this cipher.
protected java.lang.String	getFullAlgorithmName() Get the JCE name of this cipher algorithm including mode and padding.
protected abstract iaik.pkcs.pkcs11.Mechanism	getMechanism() Get the current mechanism of this cipher object.
protected iaik.pkcs.pkcs11.MechanismInfo[][]	getUsedMechanismFeatures() Returns an two-dimensional array of MechanismInfos that this engine class uses.
protected iaik.pkcs.pkcs11.Mechanism[]	getUsedMechanisms() Returns an array of Mechanisms that this engine class uses.
protected void	initialize() The internal initialization method, if all necessary member variables are set.
protected void	initializePkcs11Operation() The internal session initialization method, if all necessary member variables are set.
protected void	initializeSession() Sets up an appropriate session.
protected void	initializeSoftwareDelegate() Instantiate a new software cipher to delegate software keys operations.
protected abstract boolean	isModeSupported(java.lang.String mode) Check, if the given mode of operation is supported by this cipher.
protected abstract boolean	isPaddingSupported(java.lang.String padding) Check, if the given padding scheme is supported by this cipher.
boolean	isSupportedBy(TokenManager tokenManager) Check, if the current token of the given token manager supports the required features for this engine class.
protected byte[]	pkcs11DoFinal(byte[] input, int inputOffset, int inputLength) Update the currently running cipher operation with the given data and finish the current operation.
protected int	pkcs11DoFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset) Update the currently running cipher operation with the given data and finish the current operation.
protected int	pkcs11GetBlockSize() Get the block size of this cipher algorithm.
protected byte[]	pkcs11GetIV() Get the currently set initialization vector.
protected int	pkcs11GetKeySize(java.security.Key key) Determines the key size in bits.
protected int	pkcs11GetOutputSize(int inputLength) Returns the length in bytes that an output buffer would need to be in order to hold the result of the next update or doFinal operation, given the input length inputLen (in bytes).
protected java.security.AlgorithmParameters	pkcs11GetParameters() Returns the parameters used with this cipher.
protected void	pkcs11Init(int operationMode, java.security.Key key, java.security.spec.AlgorithmParameterSpec parameterSpecs, java.security.SecureRandom randomSource) Initialize this cipher for an operation.
protected void	pkcs11Init(int operationMode, java.security.Key key, java.security.AlgorithmParameters parameters, java.security.SecureRandom random) Initialize this cipher for an operation.
protected void	pkcs11Init(int operationMode, java.security.Key key, java.security.SecureRandom randomSource) Initialize this cipher for an operation.
protected java.security.Key	pkcs11Unwrap(byte[] wrappedKey, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType) Unwrap (decrypt) the given wrapped (encrypted) key.
protected byte[]	pkcs11Update(byte[] data, int offset, int length) Update the currently running cipher operation with the given data.
protected int	pkcs11Update(byte[] input, int inputOffset, int inputLength, byte[] output, int outputOffset) Update the currently running cipher operation with the given data and write
protected byte[]	pkcs11Wrap(java.security.Key key) Wrap (encrypt) the given key.
protected void	updateAAD(byte[] src)
protected void	updateAAD(byte[] src, int offset, int len)
protected void	updateAAD(java.nio.ByteBuffer src)

Methods inherited from class javax.crypto.CipherSpi

engineDoFinal, engineUpdate, engineUpdateAAD

Methods inherited from class java.lang.Object

clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DUMMY_DATA

protected static final byte[] DUMMY_DATA

Dummy data that we

session_

protected iaik.pkcs.pkcs11.Session session_

The session this object works with.

tokenManager_

protected TokenManager tokenManager_

Token manager used to login session, if required.

key_

protected IAIKPKCS11Key key_

The key to use for encryption/decryption.

keyObject_

protected iaik.pkcs.pkcs11.objects.Key keyObject_

The PKCS#11 key object of the current key.

operationMode_

protected int operationMode_

The state of this object; DECRYPT_MODE, ENCRYPT_MODE, UNWRAP_MODE or WRAP_MODE.

mechanism_

protected iaik.pkcs.pkcs11.Mechanism mechanism_

The current cryptoki mechanism to use.

initialized_

protected boolean initialized_

Indicates, if this object is initialized and ready for encryption or decryption.

pkcs11OperationInitialized_

protected boolean pkcs11OperationInitialized_

Indicates, if the PKCS#11 cipher is already initialized for the next cipher operation round.

updateUsed_

protected boolean updateUsed_

Indicates, if the currently active operation has already used any update function.

currentKeyIsSoftwareKey_

protected boolean currentKeyIsSoftwareKey_

Indiecates that the currently used key is a software key.

softwareDelegate_

protected javax.crypto.Cipher softwareDelegate_

The software implementation, if the currently used key is not a PKCS#11 key.

mode_

protected java.lang.String mode_

The name of the current mode.

padding_

protected java.lang.String padding_

The name of the current padding.

parameters_

protected java.security.AlgorithmParameters parameters_

Any currently used parameter.

modeChanged_

protected boolean modeChanged_

Indicates that the mode has been changed. The mechanism needs to be updated.

paddingChanged_

protected boolean paddingChanged_

Indicates that the padding has been changed. The mechanism needs to be updated.

usedMechanisms_

protected iaik.pkcs.pkcs11.Mechanism[] usedMechanisms_

The list of used mechanisms.

usedMechanismInfos_

protected iaik.pkcs.pkcs11.MechanismInfo[][] usedMechanismInfos_

The mechanism info is the same for all digest mechanisms.

unwrapTemplate_

protected iaik.pkcs.pkcs11.objects.Key unwrapTemplate_

The unwrap template for an unwrap operation.

parameterSpecs_

protected PKCS11Spec parameterSpecs_

The parameter specs.

Constructor Detail

PKCS11Cipher

protected PKCS11Cipher()

Default constructor.

Method Detail

getUsedMechanisms

protected iaik.pkcs.pkcs11.Mechanism[] getUsedMechanisms()

Returns an array of Mechanisms that this engine class uses. For each of this mechanisms, the engine must provide at least one MechanismInfo via the getRequiredMechanismFeatures() method.

Returns:

An array that includes all used pkcs#11 mechanisms. The token must support at least one of these mechanisms. The dimension is equal to the first array dimension of getUsedMechanismFeatures(). May be empty, but must not be null.

Postconditions:

(result <> null) and (result.length == getUsedMechanismFeatures().length)

getUsedMechanismFeatures

protected iaik.pkcs.pkcs11.MechanismInfo[][] getUsedMechanismFeatures()

Returns an two-dimensional array of MechanismInfos that this engine class uses. For each mechanism used by this engine, the engine must provide at least one MechanismInfo. The first dimension (index) of the returned array corresponds to the used mechanism as returned by getUsedMechanisms(). The array at this index is the list of used feature combinations used by this engine. The current token must at least support one mechanism and one of the feature combinations (expressed as a MechanismInfo) of the same mechanism.

Returns:

An two-dimensional array that includes MechanismInfo objects. The first dimension is equal to the array dimension of getUsedMechanisms(). The token must at least support one of these features.

Postconditions:

(result <> null) and (result.length > 0) and (result.length == getUsedMechanisms().length)

isSupportedBy

public boolean isSupportedBy(TokenManager tokenManager)

Check, if the current token of the given token manager supports the required features for this engine class.

Specified by:

isSupportedBy in interface PKCS11EngineClass

Parameters:

tokenManager - The token manager. Used to get information about the current token.

Returns:

True, if this engine class can be used with the currently present token of the given token manager.

Preconditions:

(tokenManager <> null)

checkKeyObject

protected abstract void checkKeyObject(iaik.pkcs.pkcs11.objects.Key key)
                                throws java.security.InvalidKeyException

Check the given key object, if it is acceptable for this cipher. Throw an exception, if not.

Parameters:

key - The key object to check.

Throws:

java.security.InvalidKeyException - If this cipher cannot work with this type of key object.

Preconditions:

(key <> null)

engineDoFinal

protected int engineDoFinal(byte[] input,
                            int inputOffset,
                            int inputLen,
                            byte[] output,
                            int outputOffset)
                     throws javax.crypto.BadPaddingException,
                            javax.crypto.IllegalBlockSizeException,
                            javax.crypto.ShortBufferException

Update the currently running cipher operation with the given data and finish the current operation. This may include padding before processing the last data block or unpadding after the processing of the last block. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineDoFinal in class javax.crypto.CipherSpi

Parameters:

input - The byte array that holds the input data.

inputOffset - The offset in the input byte array that indicates the first input data byte to read.

inputLen - The number of bytes to read starting from offset.

output - The byte array that receives the final output data.

outputOffset - The offset in the output byte array where to start writing the output.

Returns:

The actual number of bytes written to the output buffer.

Throws:

javax.crypto.BadPaddingException - If the padding of the decrypted data is bad or if the padding of the input data failed.

javax.crypto.IllegalBlockSizeException - If the input data size does not match the required block size.

javax.crypto.ShortBufferException - If the provided output buffer is too small.

Postconditions:

(result > 0)

Preconditions:

(input <> null) and ((inputOffset + inputLength) <= input.length)

pkcs11DoFinal

protected int pkcs11DoFinal(byte[] input,
                            int inputOffset,
                            int inputLen,
                            byte[] output,
                            int outputOffset)
                     throws javax.crypto.BadPaddingException,
                            javax.crypto.IllegalBlockSizeException,
                            javax.crypto.ShortBufferException

Update the currently running cipher operation with the given data and finish the current operation. This may include padding before processing the last data block or unpadding after the processing of the last block.

Parameters:

input - The byte array that holds the input data.

inputOffset - The offset in the input byte array that indicates the first input data byte to read.

inputLen - The number of bytes to read starting from offset.

output - The byte array that receives the final output data.

outputOffset - The offset in the output byte array where to start writing the output.

Returns:

The actual number of bytes written to the output buffer.

Throws:

javax.crypto.BadPaddingException - If the padding of the decrypted data is bad or if the padding of the input data failed.

javax.crypto.IllegalBlockSizeException - If the input data size does not match the required block size.

javax.crypto.ShortBufferException - If the provided output buffer is too small.

Postconditions:

(result > 0)

Preconditions:

(input <> null) implies ((inputOffset + inputLength) <= input.length)

engineDoFinal

protected byte[] engineDoFinal(byte[] input,
                               int inputOffset,
                               int inputLength)
                        throws javax.crypto.BadPaddingException,
                               javax.crypto.IllegalBlockSizeException

Update the currently running cipher operation with the given data and finish the current operation. This may include padding before processing the last data block or unpadding after the processing of the last block. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineDoFinal in class javax.crypto.CipherSpi

Parameters:

input - The byte array that holds the input data.

inputOffset - The offset in the input byte array that indicates the first input data byte to read.

inputLength - The number of bytes to read starting from offset.

Returns:

The final operation result; i.e. cipher text or plain text.

Throws:

javax.crypto.BadPaddingException - If the padding of the decrypted data is bad or if the padding of the input data failed.

javax.crypto.IllegalBlockSizeException - If the input data size does not match the required block size.

Postconditions:

(result <> null)

Preconditions:

(input <> null) implies ((inputOffset + inputLength) <= input.length)

pkcs11DoFinal

protected byte[] pkcs11DoFinal(byte[] input,
                               int inputOffset,
                               int inputLength)
                        throws javax.crypto.BadPaddingException,
                               javax.crypto.IllegalBlockSizeException

Update the currently running cipher operation with the given data and finish the current operation. This may include padding before processing the last data block or unpadding after the processing of the last block.

Parameters:

input - The byte array that holds the input data.

inputOffset - The offset in the input byte array that indicates the first input data byte to read.

inputLength - The number of bytes to read starting from offset.

Returns:

The final operation result; i.e. cipher text or plain text.

Throws:

javax.crypto.BadPaddingException - If the padding of the decrypted data is bad or if the padding of the input data failed.

javax.crypto.IllegalBlockSizeException - If the input data size does not match the required block size.

Postconditions:

(result <> null)

Preconditions:

(input <> null) and ((inputOffset + inputLength) <= input.length)

engineGetBlockSize

protected int engineGetBlockSize()

If initialized with a PKCS#11 key, this method returns -1 by default. If initialized with a software key, it delegates the call to the underlying software provider. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineGetBlockSize in class javax.crypto.CipherSpi

Returns:

-1 in PKCS#11 mode, the result of the delegate Cipher in software mode.

pkcs11GetBlockSize

protected int pkcs11GetBlockSize()

Get the block size of this cipher algorithm. This is the same as the current key size, but in bytes.

Returns:

The block size in bytes or -1, if unknown.

engineGetIV

protected byte[] engineGetIV()

If initialized with a PKCS#11 key, this method returns null by default. If initialized with a software key, it delegates the call to the underlying software provider. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineGetIV in class javax.crypto.CipherSpi

Returns:

null in PKCS#11 mode, the result of the delegate Cipher in software mode.

pkcs11GetIV

protected byte[] pkcs11GetIV()

Get the currently set initialization vector.

Returns:

The currently set initialization vector or null, if there is none set.

engineGetKeySize

protected int engineGetKeySize(java.security.Key key)
                        throws java.security.InvalidKeyException

If initialized with a PKCS#11 key, this method returns -1 by default. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine. If the key is not a key of this provider but is a secret key, it tries to determine the key's length by getting the key's encoding.

Overrides:

engineGetKeySize in class javax.crypto.CipherSpi

Parameters:

key - The key to check.

Returns:

-1 if the key is a PKCS#11 key, the bit-length of the encoding if the key is a software secrete key.

Throws:

java.security.InvalidKeyException - If the given key is not supported by this class; e.g. public and private keys that are not keys of this provider or secret keys no of this provider which do not provide an encoding.

pkcs11GetKeySize

protected int pkcs11GetKeySize(java.security.Key key)
                        throws java.security.InvalidKeyException

Determines the key size in bits.

Parameters:

key - The key to get the length for.

Returns:

The key's length in bits.

Throws:

java.security.InvalidKeyException - If the given key is not supported by this class.

Preconditions:

(key <> null)

engineGetOutputSize

protected int engineGetOutputSize(int inputLength)

If initialized with a PKCS#11 key, this method returns -1 by default. If initialized with a software key, it delegates the call to the underlying software provider. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineGetOutputSize in class javax.crypto.CipherSpi

Parameters:

inputLength - The input data length.

Returns:

-1 in PKCS#11 mode, the result of the delegate Cipher in software mode.

pkcs11GetOutputSize

protected int pkcs11GetOutputSize(int inputLength)

Returns the length in bytes that an output buffer would need to be in order to hold the result of the next update or doFinal operation, given the input length inputLen (in bytes). This call takes into account any unprocessed (buffered) data from a previous update call, and padding. The actual output length of the next update or doFinal call may be smaller than the length returned by this method.

Parameters:

inputLength - The length of the input data in bytes.

Returns:

The (maximum) length of the output in bytes or -1, if unknown.

engineGetParameters

protected java.security.AlgorithmParameters engineGetParameters()

Returns the parameters used with this cipher. The returned parameters may be the same that were used to initialize this cipher, or may contain a combination of default and random parameter values used by the underlying cipher implementation if this cipher requires algorithm parameters but was not initialized with any. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineGetParameters in class javax.crypto.CipherSpi

Returns:

The parameters used with this cipher, or null if this cipher does not use any parameters.

pkcs11GetParameters

protected java.security.AlgorithmParameters pkcs11GetParameters()

Returns the parameters used with this cipher. The returned parameters may be the same that were used to initialize this cipher, or may contain a combination of default and random parameter values used by the underlying cipher implementation if this cipher requires algorithm parameters but was not initialized with any.

Returns:

The parameters used with this cipher, or null if this cipher does not use any parameters.

engineInit

protected void engineInit(int operationMode,
                          java.security.Key key,
                          java.security.SecureRandom randomSource)
                   throws java.security.InvalidKeyException

Initialize this cipher for an operation. This implementation delegates this call to the software provider, if the key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineInit in class javax.crypto.CipherSpi

Parameters:

operationMode - The operation to initialize; Cipher.ENCRYPT_MODE, Cipher.DECRYPT_MODE, Cipher.UNWRAP_MODE or Cipher.WRAP_MODE.

key - The key to use for the operation.

randomSource - Optional random source to use.

Throws:

java.security.InvalidKeyException - If the key is invalid for this operation.

Preconditions:

((operationMode == Cipher.ENCRYPT_MODE) or (operationMode == Cipher.DECRYPT_MODE) or (operationMode == Cipher.UNWRAP_MODE) or (operationMode == Cipher.WRAP_MODE)) and (key <> null)

pkcs11Init

protected void pkcs11Init(int operationMode,
                          java.security.Key key,
                          java.security.SecureRandom randomSource)
                   throws java.security.InvalidKeyException

Initialize this cipher for an operation.

Parameters:

operationMode - The operation to initialize; Cipher.ENCRYPT_MODE, Cipher.DECRYPT_MODE, Cipher.UNWRAP_MODE or Cipher.WRAP_MODE.

key - The key to use for the operation.

randomSource - Optional random source to use.

Throws:

java.security.InvalidKeyException - If the key is invalid for this operation.

Preconditions:

((operationMode == Cipher.ENCRYPT_MODE) or (operationMode == Cipher.DECRYPT_MODE) or (operationMode == Cipher.UNWRAP_MODE) or (operationMode == Cipher.WRAP_MODE)) and (key <> null) and (key instanceof IAIKPKCS11Key)

engineInit

protected void engineInit(int operationMode,
                          java.security.Key key,
                          java.security.AlgorithmParameters parameters,
                          java.security.SecureRandom random)
                   throws java.security.InvalidAlgorithmParameterException,
                          java.security.InvalidKeyException

Initialize this cipher for an operation. This implementation delegates this call to the software provider, if the key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineInit in class javax.crypto.CipherSpi

Parameters:

operationMode - The operation to initialize; Cipher.ENCRYPT_MODE, Cipher.DECRYPT_MODE, Cipher.UNWRAP_MODE or Cipher.WRAP_MODE.

key - The key to use for the operation.

parameters - The parameters to use. Some cipher do not support parameters, they require null.

random - Optional random source to use.

Throws:

java.security.InvalidAlgorithmParameterException - If the parameters are invalid.

java.security.InvalidKeyException - If the key is invalid for this operation.

Preconditions:

((operationMode == Cipher.ENCRYPT_MODE) or (operationMode == Cipher.DECRYPT_MODE) or (operationMode == Cipher.UNWRAP_MODE) or (operationMode == Cipher.WRAP_MODE)) and (key <> null)

pkcs11Init

protected void pkcs11Init(int operationMode,
                          java.security.Key key,
                          java.security.AlgorithmParameters parameters,
                          java.security.SecureRandom random)
                   throws java.security.InvalidAlgorithmParameterException,
                          java.security.InvalidKeyException

Initialize this cipher for an operation. This implementation delegates this call to the software provider, if the key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Parameters:

operationMode - The operation to initialize; Cipher.ENCRYPT_MODE, Cipher.DECRYPT_MODE, Cipher.UNWRAP_MODE or Cipher.WRAP_MODE.

key - The key to use for the operation.

parameters - The parameters to use. Some cipher do not support parameters, they require null. This implementation ignores the parameter.

random - Optional random source to use.

Throws:

java.security.InvalidAlgorithmParameterException - If the parameters are invalid.

java.security.InvalidKeyException - If the key is invalid for this operation.

Preconditions:

((operationMode == Cipher.ENCRYPT_MODE) or (operationMode == Cipher.DECRYPT_MODE) or (operationMode == Cipher.UNWRAP_MODE) or (operationMode == Cipher.WRAP_MODE)) and (key <> null) and (key instanceof IAIKPKCS11Key)

engineInit

protected void engineInit(int operationMode,
                          java.security.Key key,
                          java.security.spec.AlgorithmParameterSpec parameterSpecs,
                          java.security.SecureRandom randomSource)
                   throws java.security.InvalidAlgorithmParameterException,
                          java.security.InvalidKeyException

Initialize this cipher for an operation. This implementation delegates this call to the software provider, if the key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineInit in class javax.crypto.CipherSpi

Parameters:

operationMode - The operation to initialize; Cipher.ENCRYPT_MODE, Cipher.DECRYPT_MODE, Cipher.UNWRAP_MODE or Cipher.WRAP_MODE.

key - The key to use for the operation.

parameterSpecs - The parameter specs to use. Some cipher do not support parameter specs, they require null.

randomSource - Optional random source to use.

Throws:

java.security.InvalidAlgorithmParameterException - If the parameter specs are invalid.

java.security.InvalidKeyException - If the key is invalid for this operation.

Preconditions:

((operationMode == Cipher.ENCRYPT_MODE) or (operationMode == Cipher.DECRYPT_MODE) or (operationMode == Cipher.UNWRAP_MODE) or (operationMode == Cipher.WRAP_MODE)) and (key <> null)

pkcs11Init

protected void pkcs11Init(int operationMode,
                          java.security.Key key,
                          java.security.spec.AlgorithmParameterSpec parameterSpecs,
                          java.security.SecureRandom randomSource)
                   throws java.security.InvalidAlgorithmParameterException,
                          java.security.InvalidKeyException

Initialize this cipher for an operation.

Parameters:

operationMode - The operation to initialize; Cipher.ENCRYPT_MODE, Cipher.DECRYPT_MODE, Cipher.UNWRAP_MODE or Cipher.WRAP_MODE.

key - The key to use for the operation.

parameterSpecs - The parameter specs to use. Some cipher do not support parameter specs, they require null.

randomSource - Optional random source to use.

Throws:

java.security.InvalidAlgorithmParameterException - If the parameter specs are invalid.

java.security.InvalidKeyException - If the key is invalid for this operation.

Preconditions:

((operationMode == Cipher.ENCRYPT_MODE) or (operationMode == Cipher.DECRYPT_MODE) or (operationMode == Cipher.UNWRAP_MODE) or (operationMode == Cipher.WRAP_MODE)) and (key <> null) and (key instanceof IAIKPKCS11Key)

initializeSoftwareDelegate

protected void initializeSoftwareDelegate()

Instantiate a new software cipher to delegate software keys operations.

getAlgorithmName

protected abstract java.lang.String getAlgorithmName()

Get the JCE name of this cipher algorithm.

Returns:

The JCE name of this cipher algorithm; e.g. RSA.

Postconditions:

(result <> null)

getFullAlgorithmName

protected java.lang.String getFullAlgorithmName()

Get the JCE name of this cipher algorithm including mode and padding.

Returns:

The full JCE name of this cipher algorithm; e.g. RSA/ecb/pkcs1padding

Postconditions:

(result <> null)

initializeSession

protected void initializeSession()

Sets up an appropriate session. The key must be set before.

initializePkcs11Operation

protected void initializePkcs11Operation()
                                  throws java.security.InvalidAlgorithmParameterException,
                                         java.security.InvalidKeyException

The internal session initialization method, if all necessary member variables are set.

Throws:

java.security.InvalidAlgorithmParameterException - If the parameter specs are invalid.

java.security.InvalidKeyException - If the key is invalid for this operation.

finalizePkcs11Operation

protected void finalizePkcs11Operation()

The internal session finalization method, if the current operation has been finished.

initialize

protected void initialize()
                   throws java.security.InvalidAlgorithmParameterException,
                          java.security.InvalidKeyException

The internal initialization method, if all necessary member variables are set.

Throws:

java.security.InvalidAlgorithmParameterException - If the parameter specs are invalid.

java.security.InvalidKeyException - If the key is invalid for this operation.

engineSetMode

protected void engineSetMode(java.lang.String mode)
                      throws java.security.NoSuchAlgorithmException

Set the mode of operation. This implementation jsut supports "ECB".

Specified by:

engineSetMode in class javax.crypto.CipherSpi

Parameters:

mode - The mode of operation.

Throws:

java.security.NoSuchAlgorithmException - If the mode is unsupported.

isModeSupported

protected abstract boolean isModeSupported(java.lang.String mode)

Check, if the given mode of operation is supported by this cipher.

Parameters:

mode - The mode to check.

Returns:

True, if the mode is supported, false otherwise.

engineSetPadding

protected void engineSetPadding(java.lang.String padding)
                         throws javax.crypto.NoSuchPaddingException

Set the padding scheme. This implementation supports (depending on the token): NoPadding, PKCS1Padding, OAEPPadding, ISO9796Padding and RawX509. NoPadding and RawX509 are the same. Default is PKCS1Padding.

Specified by:

engineSetPadding in class javax.crypto.CipherSpi

Parameters:

padding - The padding scheme.

Throws:

javax.crypto.NoSuchPaddingException - If the padding is unsupported.

isPaddingSupported

protected abstract boolean isPaddingSupported(java.lang.String padding)

Check, if the given padding scheme is supported by this cipher.

Parameters:

padding - The padding scheme to check.

Returns:

True, if the padding scheme is supported, false otherwise.

engineUpdate

protected byte[] engineUpdate(byte[] data,
                              int offset,
                              int length)

Update the currently running cipher operation with the given data. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineUpdate in class javax.crypto.CipherSpi

Parameters:

data - The byte array that holds the data.

offset - The offset in the byte array that indicates the first data byte to read.

length - The number of bytes to read starting from offset.

Returns:

The current intermediate result, if any. May be null.

Preconditions:

(data <> null) and ((offset + length) <= data.length)

pkcs11Update

protected byte[] pkcs11Update(byte[] data,
                              int offset,
                              int length)

Update the currently running cipher operation with the given data.

Parameters:

data - The byte array that holds the data.

offset - The offset in the byte array that indicates the first data byte to read.

length - The number of bytes to read starting from offset.

Returns:

The current intermediate result, if any. May be null.

Preconditions:

(data <> null) and ((offset + length) <= data.length)

engineUpdate

protected int engineUpdate(byte[] input,
                           int inputOffset,
                           int inputLength,
                           byte[] output,
                           int outputOffset)
                    throws javax.crypto.ShortBufferException

Update the currently running cipher operation with the given data and write the intermediate result (if any) to the given buffer. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Specified by:

engineUpdate in class javax.crypto.CipherSpi

Parameters:

input - The byte array that holds the input data.

inputOffset - The offset in the input byte array that indicates the first input data byte to read.

inputLength - The number of bytes to read starting from offset.

output - The byte array that receives the output data.

outputOffset - The offset in the output byte array where to start writing the output.

Returns:

The actual number of bytes written to the output buffer.

Throws:

javax.crypto.ShortBufferException - If the given output buffer does not have enough space left for the produced output.

Preconditions:

(input <> null) and ((inputOffset + inputLength) <= input.length) and (output <> null) and ((outputOffset + result) <= output.length)

engineUpdateAAD

protected void engineUpdateAAD(byte[] src,
                               int offset,
                               int len)

Updates the Additional Authentication Data (AAD) with the given data.

Only meaningful for AEAD cipher modes like GCM or CCM. Currently only supported for software delegation providers.

Overrides:

engineUpdateAAD in class javax.crypto.CipherSpi

Parameters:

src - the data to update the AAD with

offset - the start offset

len - the number AAD bytes

pkcs11Update

protected int pkcs11Update(byte[] input,
                           int inputOffset,
                           int inputLength,
                           byte[] output,
                           int outputOffset)
                    throws javax.crypto.ShortBufferException

Update the currently running cipher operation with the given data and write

Parameters:

input - The byte array that holds the input data.

inputOffset - The offset in the input byte array that indicates the first input data byte to read.

inputLength - The number of bytes to read starting from offset.

output - The byte array that receives the output data.

outputOffset - The offset in the output byte array where to start writing the output.

Returns:

The actual number of bytes written to the output buffer.

Throws:

javax.crypto.ShortBufferException - If the given output buffer does not have enough space left for the produced output.

Preconditions:

(input <> null) and ((inputOffset + inputLength) <= input.length) and (output <> null) and ((outputOffset + result) <= output.length)

updateAAD

protected void updateAAD(byte[] src)

updateAAD

protected void updateAAD(byte[] src,
                         int offset,
                         int len)

updateAAD

protected void updateAAD(java.nio.ByteBuffer src)

engineUnwrap

protected java.security.Key engineUnwrap(byte[] wrappedKey,
                                         java.lang.String wrappedKeyAlgorithm,
                                         int wrappedKeyType)
                                  throws java.security.NoSuchAlgorithmException,
                                         java.security.InvalidKeyException

Unwrap (decrypt) the given wrapped (encrypted) key. The decryption key is the key used to initialize the operation. the intermediate result (if any) to the given buffer. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Overrides:

engineUnwrap in class javax.crypto.CipherSpi

Parameters:

wrappedKey - The wrapped (encrypted) key to be unwrapped (decrypted).

wrappedKeyAlgorithm - Ignored in this implementation.

wrappedKeyType - Ignored in this implementation.

Returns:

The unwrapped (decrypted) key.

Throws:

java.security.NoSuchAlgorithmException - If keys of the specified algorithm are unsupported.

java.security.InvalidKeyException - If the given wrapped key is invalid.

Postconditions:

(result <> null)

Preconditions:

(wrappedKey <> null)

pkcs11Unwrap

protected java.security.Key pkcs11Unwrap(byte[] wrappedKey,
                                         java.lang.String wrappedKeyAlgorithm,
                                         int wrappedKeyType)
                                  throws java.security.NoSuchAlgorithmException,
                                         java.security.InvalidKeyException

Unwrap (decrypt) the given wrapped (encrypted) key. The decryption key is the key used to initialize the operation. the intermediate result (if any) to the given buffer.

Parameters:

wrappedKey - The wrapped (encrypted) key to be unwrapped (decrypted).

wrappedKeyAlgorithm - This may be any key type name of the ones defined in the IAIKPKCS11Key class.

wrappedKeyType - This may be Cipher.SECRET_KEY, Cipher.PRIVATE_KEY or Cipher.PUBLIC_KEY. If this is -1, no key template will be passed to the PKCS#11 library.

Returns:

The unwrapped (decrypted) key.

Throws:

java.security.NoSuchAlgorithmException - If keys of the specified algorithm are unsupported.

java.security.InvalidKeyException - If the given wrapped key is invalid.

Postconditions:

(result <> null)

Preconditions:

(wrappedKey <> null)

engineWrap

protected byte[] engineWrap(java.security.Key key)
                     throws java.security.InvalidKeyException,
                            javax.crypto.IllegalBlockSizeException

Wrap (encrypt) the given key. The encryption key is the key used to initialize the operation. This implementation delegates this call to the software provider, if the current key is a software key. If the key is a key of this provider, it delegates the call to the corresponding pkcs11 method with prefix pkcs11 instead of engine.

Overrides:

engineWrap in class javax.crypto.CipherSpi

Parameters:

key - The key to wrap (encrypt).

Returns:

The wrapped (encrypted) key.

Throws:

java.security.InvalidKeyException - If the given key is invalid.

javax.crypto.IllegalBlockSizeException - If the key cannot be wrapper due to block size restriction of the wrapping cipher.

Preconditions:

(key <> null)

pkcs11Wrap

protected byte[] pkcs11Wrap(java.security.Key key)
                     throws java.security.InvalidKeyException,
                            javax.crypto.IllegalBlockSizeException

Wrap (encrypt) the given key. The encryption key is the key used to initialize the operation.

Parameters:

key - The key to wrap (encrypt).

Returns:

The wrapped (encrypted) key.

Throws:

java.security.InvalidKeyException - If the given key is invalid.

javax.crypto.IllegalBlockSizeException - If the key cannot be wrapper due to block size restriction of the wrapping cipher.

Preconditions:

(key <> null) and (key instanceof IAIKPKCS11Key)

getDefaultMechanism

protected abstract iaik.pkcs.pkcs11.Mechanism getDefaultMechanism()

Get the default mechanism of this cipher. This must work with the default mode of operation and padding

Returns:

The default mechanism; e.g. Mechanism.RSA_PKCS.

Postconditions:

(result <> null)

getMechanism

protected abstract iaik.pkcs.pkcs11.Mechanism getMechanism()

Get the current mechanism of this cipher object. This may change with the mode of operation and padding. This mechanism must also include any required parameter objects. This method can expect that the key_ object is already correctly set. For this key the method must return an appropriate mechanism.

Returns:

The mechanism this object uses for encryption and decryption. If the currently set combination of mode and padding is unsupported, this method returns null.

finalize

protected void finalize()
                 throws java.lang.Throwable

Tries to close the used session.

Overrides:

finalize in class java.lang.Object

Throws:

java.lang.Throwable - If finalization fails.