The KeyFactory class

The KeyFactory class is an engine class that is designed to provide opaque cryptographic keys (objects of type Key) and key specifications (transparent representations of the underlying key material).

AES

The IBMJCECCA provider supports a key type for AES keys that were stored previously in CCA key storage areas such as the CKDS on z/OS®. The keys are objects of type SecretKey. The SecretKeyFactory can be used to generate a key of this type from a KeyLabelKeySpec that contains the CCA label for the key.

Other keySpec classes that are supported by the AES KeyFactory class include the AESKeySpec and the SecretKeySpec.

DES

The IBMJCECCA provider supports a key type for DES keys that were stored previously in CCA key storage areas such as the CKDS on z/OS. The keys are objects of type SecretKey. The SecretKeyFactory can be used to generate a key of this type from a KeyLabelKeySpec containing the CCA label for the key.

Other keySpec classes that are supported by the DES KeyFactory include the DESKeySpec and the SecretKeySpec.

Triple DES (also known as DESede and 3DES)

The IBMJCECCA provider supports a key type for triple DES keys that were stored previously in CCA key storage areas such as the CKDS on z/OS. The keys are objects of type SecretKey. The SecretKeyFactory can be used to generate a key of this type from a KeyLabelKeySpec containing the CCA label for the key.

Other keySpec classes that are supported by the triple DES KeyFactory include the DESedeKeySpec and the SecretKeySpec.

HMAC

The IBMJCECCA provider supports a key type for HMAC keys that were stored previously in CCA key storage areas such as the CKDS on z/OS. The keys are objects of type SecretKey. The SecretKeyFactory can be used to generate a key of this type from a KeyLabelKeySpec containing the CCA label for the key.

SecretKeyFactory HMAC algorithms that are supported by the IBMJCECCA provider are HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384, and HMACSHA512.

DSA

The IBMJCECCA provider supports a key type for DSA private hardware keys that is similar to the DSA Private keys available in software providers. DSA private hardware keys are objects of type DSAPrivateHWKey. The corresponding DSA public keys are objects of type DSAPublicKey.

The KeyFactory class can be used to generate a DSA Private hardware key from a DSAPrivateKeyHWSpec. The KeyFactory can also be used to generate a DSA public key from a DSAPublicKeySpec or an X509EncodedKeySpec.

The KeyFactory class can also derive a DSAPrivateKeyHWSpec from a DSA Private hardware key, or a DSAPublicKeySpec or X509PublicKeySpec from a DSA public key.

RSA

The IBMJCECCA provider adds a new key type for RSA private hardware keys that is similar to the RSA Private keys available in software providers. RSA private hardware keys are objects of type RSAPrivateHWKey. The corresponding RSA public keys are objects of type RSAPublicKey.

The KeyFactory class can be used to generate an RSA private hardware key from an RSAPrivateHWKeySpec, RSAPrivateCrtKeySpec, RSAPrivateKeySpec, or KeyLabelKeySpec. The KeyFactory can also be used to generate an RSA public key from an RSAPublicKeySpec, X509EncodedKeySpec, or KeyLabelKeySpec. Keys that are already in the CCA key storage area can also be created by passing a KeyLabelKeySpec to the RSA KeyFactory.

The KeyFactory class can also derive an RSAPrivateKeyHWSpec from an RSA private hardware key, or an RSAPublicKeySpec or X509PublicKeySpec from an RSA public key.

EC

The IBMJCECCA provider adds a new key type for EC private hardware keys that is similar to the EC Private keys available in software providers. EC private hardware keys are objects of type ECPrivateHWKey. The corresponding EC public keys are objects of type ECPublicKey.

The KeyFactory class can be used to generate an EC private hardware key from an ECPrivateHWKeySpec, PKCS8EncodedKeySpec, ECPrivateKeySpec, or KeyLabelKeySpec. The KeyFactory class can also be used to generate an EC public key from an ECPublicKeySpec, X509EncodedKeySpec, or KeyLabelKeySpec. Keys that are already in the CCA key storage area can be created by passing a KeyLabelKeySpec to the EC KeyFactory class.

The KeyFactory class can also derive an ECPrivateHWKeySpec or KeyLabelKeySpec from an EC private hardware key, or an ECPublicKeySpec or X509EncodedKeySpec from an EC public key.

Note that an RSAPrivateKeyHWSpec, a DSAPrivateKeyHWSpec, and an ECPrivateHWKeySpec are valid only on the system where the private key was originally generated. Private hardware keys cannot be moved from the system on which they are generated to another system. This is true for all private hardware keys, including clear private keys, and is part of the security that is provided for them.
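The public-key conversions described in the RSA and EC sections (X509EncodedKeySpec to public key, and public key back to RSAPublicKeySpec or ECPublicKeySpec) can be exercised with the following added example, which is not part of the IBM documentation. It uses only standard java.security classes; the class name, the key sizes, and the convention of passing the provider name (for example IBMJCECCA) as the first argument are assumptions, and with no argument the JDK default provider is used.

```java
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.*;

public class PublicKeySpecRoundTrip {
    // provider == null selects the JDK default; pass "IBMJCECCA" where it is installed.
    static KeyFactory factory(String alg, String provider) throws GeneralSecurityException {
        return provider == null ? KeyFactory.getInstance(alg) : KeyFactory.getInstance(alg, provider);
    }

    // Constructed sample input: a throwaway key pair generated in software.
    static KeyPair pair(String alg, int bits) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(alg);
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("mismatch: " + what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String provider = args.length > 0 ? args[0] : null;

        // RSA: X509EncodedKeySpec -> opaque public key -> transparent RSAPublicKeySpec
        RSAPublicKey rsaOrig = (RSAPublicKey) pair("RSA", 2048).getPublic();
        KeyFactory rsaKf = factory("RSA", provider);
        PublicKey rsaPub = rsaKf.generatePublic(new X509EncodedKeySpec(rsaOrig.getEncoded()));
        RSAPublicKeySpec rsaSpec = rsaKf.getKeySpec(rsaPub, RSAPublicKeySpec.class);
        check(rsaSpec.getModulus().equals(rsaOrig.getModulus()), "RSA modulus");
        check(rsaSpec.getPublicExponent().equals(rsaOrig.getPublicExponent()), "RSA exponent");

        // EC: X509EncodedKeySpec -> public key -> ECPublicKeySpec -> public key again
        ECPublicKey ecOrig = (ECPublicKey) pair("EC", 256).getPublic();
        KeyFactory ecKf = factory("EC", provider);
        PublicKey ecPub = ecKf.generatePublic(new X509EncodedKeySpec(ecOrig.getEncoded()));
        ECPublicKeySpec ecSpec = ecKf.getKeySpec(ecPub, ECPublicKeySpec.class);
        check(ecSpec.getW().equals(ecOrig.getW()), "EC public point from spec");
        ECPublicKey ecAgain = (ECPublicKey) ecKf.generatePublic(ecSpec);
        check(ecAgain.getW().equals(ecOrig.getW()), "EC public point after rebuild");
    }
}
```

Only public keys are round-tripped here, because the private hardware key specs are tied to the system that generated the key.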