Key Specification Interfaces and Classes
Key specifications are transparent representations of the key material that constitutes a key. If the key is stored on a hardware device, its specification might contain information that helps identify the key on the device.
A transparent representation of keys means that you can access each key material value individually, through one of the get methods defined in the corresponding specification class. For example, DSAPrivateKeySpec defines getX, getP, getQ, and getG methods, to access the private key x, and the DSA algorithm parameters used to calculate the key: the prime p, the sub-prime q, and the base g.
This representation is contrasted with an opaque representation, as defined by the Key interface, in which you have no direct access to the key material fields. In other words, an opaque representation gives you limited access to the key - just the three methods defined by the Key interface: getAlgorithm, getFormat, and getEncoded.
A key can be specified in an algorithm-specific way or in an algorithm-independent encoding format (such as ASN.1). For example, a DSA private key can be specified by its components x, p, q, and g (see DSAPrivateKeySpec), or it may be specified using its DER encoding (see PKCS8EncodedKeySpec).
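The two ways of specifying a DSA private key described above, side by side, as an added example that is not code from the original documentation. The class name KeySpecRoundTrip, the helper signsAndVerifies and the sample message are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.*;
import java.util.Arrays;

public class KeySpecRoundTrip {
    // Hypothetical helper: sign with priv, verify with pub.
    static boolean signsAndVerifies(PrivateKey priv, PublicKey pub) throws Exception {
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(priv);
        s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(pub);
        s.update(msg);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        PrivateKey opaque = pair.getPrivate();

        // Opaque view: only getAlgorithm, getFormat and getEncoded are available.
        System.out.println(opaque.getAlgorithm() + " / " + opaque.getFormat());
        byte[] der = opaque.getEncoded();

        // Transparent view: a KeyFactory turns the opaque keys into specifications.
        KeyFactory kf = KeyFactory.getInstance("DSA");
        DSAPrivateKeySpec priv = kf.getKeySpec(opaque, DSAPrivateKeySpec.class);
        DSAPublicKeySpec pub = kf.getKeySpec(pair.getPublic(), DSAPublicKeySpec.class);

        // The components are ordinary BigIntegers, so y = g^x mod p can be checked.
        BigInteger y = priv.getG().modPow(priv.getX(), priv.getP());
        System.out.println("y == g^x mod p: " + y.equals(pub.getY()));

        // Algorithm-specific specification: rebuild the key from x, p, q, g.
        PrivateKey fromParts = kf.generatePrivate(new DSAPrivateKeySpec(
                priv.getX(), priv.getP(), priv.getQ(), priv.getG()));
        // Algorithm-independent specification: rebuild it from the DER encoding.
        PrivateKey fromDer = kf.generatePrivate(new PKCS8EncodedKeySpec(der));

        System.out.println("from components: " + signsAndVerifies(fromParts, pair.getPublic()));
        System.out.println("from PKCS#8 DER: " + signsAndVerifies(fromDer, pair.getPublic()));
        Arrays.fill(der, (byte) 0); // byte[] copies can be wiped; BigInteger values cannot
    }
}
```

A transparent specification hands the private value x to the caller as an immutable BigInteger, so code that only needs to use a key is better served by the opaque Key object.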
The key specification interfaces and classes in the java.security.spec package are:
- The KeySpec Interface - This interface contains no methods or constants. Its only purpose is to group and provide type safety for all key specifications. All key specifications must implement this interface.
- The DSAPrivateKeySpec Class - This class (which implements the KeySpec interface) specifies a DSA private key with its associated parameters. DSAPrivateKeySpec has the following methods:
    BigInteger getX()
    BigInteger getP()
    BigInteger getQ()
    BigInteger getG()
  These methods return the private key x, and the DSA algorithm parameters used to calculate the key: the prime p, the sub-prime q, and the base g.
- The DSAPublicKeySpec Class - This class (which implements the KeySpec interface) specifies a DSA public key with its associated parameters. DSAPublicKeySpec has the following methods:
    BigInteger getY()
    BigInteger getP()
    BigInteger getQ()
    BigInteger getG()
  These methods return the public key y, and the DSA algorithm parameters used to calculate the key: the prime p, the sub-prime q, and the base g.
- The RSAPrivateKeySpec Class - This class (which implements the KeySpec interface) specifies an RSA private key. RSAPrivateKeySpec has the following methods:
    BigInteger getModulus()
    BigInteger getPrivateExponent()
  These methods return the RSA modulus n and private exponent d values that constitute the RSA private key.
- The RSAPrivateCrtKeySpec Class - This class (which extends the RSAPrivateKeySpec class) specifies an RSA private key, as defined in the PKCS #1 standard, using the Chinese Remainder Theorem (CRT) information values. RSAPrivateCrtKeySpec has the following methods (in addition to the methods inherited from its superclass RSAPrivateKeySpec):
    BigInteger getPublicExponent()
    BigInteger getPrimeP()
    BigInteger getPrimeQ()
    BigInteger getPrimeExponentP()
    BigInteger getPrimeExponentQ()
    BigInteger getCrtCoefficient()
  These methods return the public exponent e and the CRT information integers: the prime factor p of the modulus n, the prime factor q of n, the exponent d mod (p-1), the exponent d mod (q-1), and the Chinese Remainder Theorem coefficient (inverse of q) mod p.
  An RSA private key logically consists of only the modulus and the private exponent. The presence of the CRT values is intended for efficiency.
- The RSAMultiPrimePrivateCrtKeySpec Class - This class (which extends the RSAPrivateKeySpec class) specifies an RSA multi-prime private key, as defined in the PKCS #1 v2.1, using the Chinese Remainder Theorem (CRT) information values. RSAMultiPrimePrivateCrtKeySpec has the following methods (in addition to the methods inherited from its superclass RSAPrivateKeySpec):
    BigInteger getPublicExponent()
    BigInteger getPrimeP()
    BigInteger getPrimeQ()
    BigInteger getPrimeExponentP()
    BigInteger getPrimeExponentQ()
    BigInteger getCrtCoefficient()
    RSAOtherPrimeInfo[] getOtherPrimeInfo()
  These methods return the public exponent e and the CRT information integers: the prime factor p of the modulus n, the prime factor q of n, the exponent d mod (p-1), the exponent d mod (q-1), and the Chinese Remainder Theorem coefficient (inverse of q) mod p.
  Method getOtherPrimeInfo returns a copy of the otherPrimeInfo (defined in PKCS #1) or null if there are only two prime factors (p and q).
  An RSA private key logically consists of only the modulus and the private exponent. The presence of the CRT values is intended for efficiency.
- The RSAPublicKeySpec Class - This class (which implements the KeySpec interface) specifies an RSA public key. RSAPublicKeySpec has the following methods:
    BigInteger getModulus()
    BigInteger getPublicExponent()
  These methods return the RSA modulus n and public exponent e values that constitute the RSA public key.
- The EncodedKeySpec Class - This abstract class (which implements the KeySpec interface) represents a public or private key in encoded format. Its getEncoded method returns the encoded key:
    abstract byte[] getEncoded();
  and its getFormat method returns the name of the encoding format:
    abstract String getFormat();
  See the next sections for the concrete implementations PKCS8EncodedKeySpec, X509EncodedKeySpec, and RFC5915ECPrivateKeyEncodedKeySpec.
- The PKCS8EncodedKeySpec Class - This class, which is a subclass of EncodedKeySpec, represents the DER encoding of a private key, according to the format specified in the PKCS #8 standard. Its getEncoded method returns the key bytes, encoded according to the PKCS #8 standard. Its getFormat method returns the string PKCS#8.
- The X509EncodedKeySpec Class - This class, which is a subclass of EncodedKeySpec, represents the DER encoding of a public key, according to the format specified in the X.509 standard. Its getEncoded method returns the key bytes, encoded according to the X.509 standard. Its getFormat method returns the string X.509.
- The ibm.security.internal.spec.RFC5915ECPrivateKeyEncodedKeySpec Class - This class, which is a subclass of EncodedKeySpec, represents the DER encoding of an EC private key, according to the format specified in the RFC5915 document. Its getEncoded method returns the key bytes, encoded according to the RFC5915 document. Its getFormat method returns the string RFC5915.
- The