Class DESedeKeyWrap


  • public final class DESedeKeyWrap
    extends javax.crypto.CipherSpi
    This class implements hardware DESede key wrapping. It allows a DESede key encrypting key to wrap other hardware DES and Triple-DES keys.
    • Constructor Summary

      Constructors 
      Constructor Description
      DESedeKeyWrap()
      Creates an instance of hardware DESede key wrap.
    • Method Summary

      Modifier and Type Method Description
      protected byte[] engineDoFinal​(byte[] input, int inputOffset, int inputLen)
      Encrypting or decrypting data in a single-part operation, or finishing a multiple-part operation is not supported.
      protected int engineDoFinal​(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
      Encrypting or decrypting data in a single-part operation, or finishing a multiple-part operation is not supported.
      protected int engineGetBlockSize()
      Returns cipher block size in bytes.
      protected byte[] engineGetIV()
      Returns the initialization vector (IV) used with this cipher.
      protected int engineGetKeySize​(java.security.Key key)
      Returns the key size of the given key object.
      protected int engineGetOutputSize​(int inputLen)
      Returns the length in bytes that an output buffer would need.
      protected java.security.AlgorithmParameters engineGetParameters()
      Returns the parameters used with this cipher.
      protected void engineInit​(int opmode, java.security.Key key, java.security.AlgorithmParameters params, java.security.SecureRandom random)  
      protected void engineInit​(int opmode, java.security.Key key, java.security.SecureRandom random)
      Initializes this cipher with a key and a source of randomness.
      protected void engineInit​(int opmode, java.security.Key key, java.security.spec.AlgorithmParameterSpec params, java.security.SecureRandom random)
      Initializes this cipher with a key and a source of randomness.
      protected void engineSetMode​(java.lang.String mode)
      Setting the cipher mode is not supported.
      protected void engineSetPadding​(java.lang.String paddingScheme)
      Setting the cipher padding mechanism is not supported.
      protected java.security.Key engineUnwrap​(byte[] wrappedKey, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType)
      Unwrap a previously wrapped CCA hardware DES or DESede key.
      protected byte[] engineUpdate​(byte[] input, int inputOffset, int inputLen)
      Continuing a multiple-part encryption or decryption operation is not supported.
      protected int engineUpdate​(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
      Continuing a multiple-part encryption or decryption operation is not supported.
      protected byte[] engineWrap​(java.security.Key key)
      Wrap a CCA hardware DES or DESede key.
      • Methods inherited from class javax.crypto.CipherSpi

        engineDoFinal, engineUpdate, engineUpdateAAD, engineUpdateAAD
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • DESedeKeyWrap

        public DESedeKeyWrap()
        Creates an instance of hardware DESede key wrap.
        Throws:
        java.lang.SecurityException - if this constructor fails to authenticate the JCE framework.
    • Method Detail

      • engineGetBlockSize

        protected int engineGetBlockSize()
        Returns cipher block size in bytes.
        Specified by:
        engineGetBlockSize in class javax.crypto.CipherSpi
        Returns:
        cipher block size in bytes.
      • engineGetOutputSize

        protected int engineGetOutputSize​(int inputLen)
        Returns the length in bytes that an output buffer would need.
        Specified by:
        engineGetOutputSize in class javax.crypto.CipherSpi
        Parameters:
        inputLen - the input length in bytes, which will be ignored
        Returns:
        the required output buffer size in bytes.
      • engineGetKeySize

        protected int engineGetKeySize​(java.security.Key key)
        Returns the key size of the given key object. This method is called by the JCE framework to ensure that the size of the key to be used does not exceed the maximum allowable key size specified in the Java restricted policy files.

        Cipher operations done at the hardware level should bypass the Java restricted policy files check because the cryptographic hardware enforces the US export restrictions relating to cryptographic keys. If a hardware key is used for a DES or DESede cipher operation, we can bypass the restricted policy files checking by returning a key size that conforms to the policy files.

        Overrides:
        engineGetKeySize in class javax.crypto.CipherSpi
        Parameters:
        key - the key object
        Returns:
        a key size that will pass the restricted policy files check done by the JCE framework.
      • engineInit

        protected void engineInit​(int opmode,
                                  java.security.Key key,
                                  java.security.SecureRandom random)
                           throws java.security.InvalidKeyException
        Initializes this cipher with a key and a source of randomness. This cipher may be initialized for key wrapping or key unwrapping operations only, depending on the value of opmode. Encryption and decryption operations are not supported by this cipher.

        This cipher does not require an initialization vector (IV), so the source of randomness provided by random must be null. This method resets any existing state information.

        By default, keys are unwrapped as SymmetricKeyConstants.KeyType.CKDS keys.

        Specified by:
        engineInit in class javax.crypto.CipherSpi
        Parameters:
        opmode - the operation mode of this cipher. This is one of WRAP_MODE or UNWRAP_MODE. Please note that the ENCRYPT_MODE and DECRYPT_MODE operation modes are not supported.
        key - the CCA hardware DESede key encrypting key
        random - the source of randomness, which must be null
        Throws:
        java.lang.UnsupportedOperationException - if the opmode is either ENCRYPT_MODE or DECRYPT_MODE, which is not supported by this cipher.
        java.security.InvalidParameterException - if the opmode is not a valid cipher operation mode or if a source of randomness is specified.
        java.lang.NullPointerException - if the key is null.
        java.security.InvalidKeyException - if the given key is not a CCA hardware DESede key.
      • engineInit

        protected void engineInit​(int opmode,
                                  java.security.Key key,
                                  java.security.spec.AlgorithmParameterSpec params,
                                  java.security.SecureRandom random)
                           throws java.security.InvalidKeyException,
                                  java.security.InvalidAlgorithmParameterException
        Initializes this cipher with a key and a source of randomness. This cipher may be initialized for key wrapping or key unwrapping operations only, depending on the value of opmode. Encryption and decryption operations are not supported by this cipher.

        This cipher does not require an initialization vector (IV), so the source of randomness provided by random must be null. This method resets any existing state information.

        By default, keys are unwrapped as SymmetricKeyConstants.KeyType.CKDS keys.

        Specified by:
        engineInit in class javax.crypto.CipherSpi
        Parameters:
        opmode - the operation mode of this cipher. This is one of WRAP_MODE or UNWRAP_MODE. Please note that the ENCRYPT_MODE and DECRYPT_MODE operation modes are not supported.
        key - the CCA hardware DESede key encrypting key
        params - algorithm parameters that specify whether to unwrap keys as SymmetricKeyConstants.KeyType.SECURE_INTERNAL_TOKEN keys or as SymmetricKeyConstants.KeyType.CKDS keys. Unwrapping to SymmetricKeyConstants.KeyType.CLEAR keys is not supported. These algorithm parameters are only supported in UNWRAP_MODE.
        random - the source of randomness, which must be null
        Throws:
        java.lang.UnsupportedOperationException - if the opmode is either ENCRYPT_MODE or DECRYPT_MODE, which is not supported by this cipher.
        java.security.InvalidParameterException - if the opmode is not a valid cipher operation mode or if a source of randomness is specified.
        java.lang.NullPointerException - if the key is null.
        java.security.InvalidKeyException - if the given key is not a CCA hardware DESede key.
        java.security.InvalidAlgorithmParameterException - if params is not null and opmode is WRAP_MODE, or if params is not an instance of CCAAlgorithmParameterSpec, or if the algorithm parameters specify to unwrap keys as CLEAR keys.
      • engineInit

        protected void engineInit​(int opmode,
                                  java.security.Key key,
                                  java.security.AlgorithmParameters params,
                                  java.security.SecureRandom random)
                           throws java.security.InvalidKeyException,
                                  java.security.InvalidAlgorithmParameterException
        Specified by:
        engineInit in class javax.crypto.CipherSpi
        Throws:
        java.security.InvalidKeyException
        java.security.InvalidAlgorithmParameterException
        See Also:
        engineInit(int, Key, AlgorithmParameterSpec, SecureRandom)
      • engineWrap

        protected byte[] engineWrap​(java.security.Key key)
                             throws java.security.InvalidKeyException
        Wrap a CCA hardware DES or DESede key. The wrapped key will be formatted as a CCA external key token. The wrapped key will use the same key wrapping method as the original key. This can be either the original ECB wrapping method or the enhanced CBC wrapping method which is ANSI X9.24 compliant.
        Overrides:
        engineWrap in class javax.crypto.CipherSpi
        Parameters:
        key - the CCA hardware DES or DESede key to be wrapped
        Returns:
        the wrapped key formatted as a CCA external key token.
        Throws:
        java.lang.NullPointerException - if key is null.
        java.security.InvalidKeyException - if the provided key is not a CCA hardware DES or DESede key.
        java.lang.IllegalStateException - if this cipher is not initialized for the WRAP_MODE operational mode.
      • engineUnwrap

        protected java.security.Key engineUnwrap​(byte[] wrappedKey,
                                                 java.lang.String wrappedKeyAlgorithm,
                                                 int wrappedKeyType)
                                          throws java.security.InvalidKeyException
        Unwrap a previously wrapped CCA hardware DES or DESede key. The unwrapped key will use the default wrapping method that ICSF has been set up to use for internal key tokens. This can be either the original ECB wrapping method or the enhanced CBC wrapping method, which is ANSI X9.24 compliant. By default, all unwrapped keys will be CKDS keys stored in the CKDS, unless otherwise specified through algorithm parameter specs during cipher initialization.
        Overrides:
        engineUnwrap in class javax.crypto.CipherSpi
        Parameters:
        wrappedKey - the previously wrapped CCA hardware DES or DESede key to be unwrapped
        wrappedKeyAlgorithm - the key algorithm of the original key
        wrappedKeyType - the type of wrapped key, this must be Cipher.SECRET_KEY
        Returns:
        the unwrapped CCA hardware DES or DESede key.
        Throws:
        java.lang.NullPointerException - if wrappedKey is null.
        java.security.InvalidKeyException - if wrappedKeyAlgorithm is not "DES", "DESede", "TripleDES", or "3DES", if wrappedKey is not 64 bytes in length, if wrappedKeyType is not Cipher.SECRET_KEY, or if there is an issue creating the unwrapped CCA hardware key.
        java.lang.IllegalStateException - if this cipher is not initialized for the UNWRAP_MODE operational mode.
      • engineSetMode

        protected void engineSetMode​(java.lang.String mode)
        Setting the cipher mode is not supported.
        Specified by:
        engineSetMode in class javax.crypto.CipherSpi
        Parameters:
        mode - the cipher mode
        Throws:
        java.lang.UnsupportedOperationException - always.
      • engineSetPadding

        protected void engineSetPadding​(java.lang.String paddingScheme)
        Setting the cipher padding mechanism is not supported.
        Specified by:
        engineSetPadding in class javax.crypto.CipherSpi
        Parameters:
        paddingScheme - the padding mechanism
        Throws:
        java.lang.UnsupportedOperationException - always.
      • engineGetIV

        protected byte[] engineGetIV()
        Returns the initialization vector (IV) used with this cipher.
        Specified by:
        engineGetIV in class javax.crypto.CipherSpi
        Returns:
        null, because this cipher does not use any IV.
      • engineGetParameters

        protected java.security.AlgorithmParameters engineGetParameters()
        Returns the parameters used with this cipher.
        Specified by:
        engineGetParameters in class javax.crypto.CipherSpi
        Returns:
        null, because this cipher does not return any parameters.
      • engineUpdate

        protected byte[] engineUpdate​(byte[] input,
                                      int inputOffset,
                                      int inputLen)
        Continuing a multiple-part encryption or decryption operation is not supported.
        Specified by:
        engineUpdate in class javax.crypto.CipherSpi
        Throws:
        java.lang.UnsupportedOperationException - always.
      • engineUpdate

        protected int engineUpdate​(byte[] input,
                                   int inputOffset,
                                   int inputLen,
                                   byte[] output,
                                   int outputOffset)
        Continuing a multiple-part encryption or decryption operation is not supported.
        Specified by:
        engineUpdate in class javax.crypto.CipherSpi
        Throws:
        java.lang.UnsupportedOperationException - always.
      • engineDoFinal

        protected byte[] engineDoFinal​(byte[] input,
                                       int inputOffset,
                                       int inputLen)
        Encrypting or decrypting data in a single-part operation, or finishing a multiple-part operation is not supported.
        Specified by:
        engineDoFinal in class javax.crypto.CipherSpi
        Throws:
        java.lang.UnsupportedOperationException - always.
      • engineDoFinal

        protected int engineDoFinal​(byte[] input,
                                    int inputOffset,
                                    int inputLen,
                                    byte[] output,
                                    int outputOffset)
        Encrypting or decrypting data in a single-part operation, or finishing a multiple-part operation is not supported.
        Specified by:
        engineDoFinal in class javax.crypto.CipherSpi
        Throws:
        java.lang.UnsupportedOperationException - always.
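
    Added example (not part of the provider's documentation or code): a caller-side helper that applies the documented engineInit, engineWrap and engineUnwrap contract through the public javax.crypto.Cipher API, rejecting malformed tokens before they reach the hardware. The class name KeyWrapPreflight and its method names are hypothetical; this page does not give the transformation or provider name, so the caller supplies an already-obtained Cipher instance.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Set;
import javax.crypto.Cipher;

/** Hypothetical caller-side helper; not part of the provider. */
public final class KeyWrapPreflight {
    // Limits taken from the engineUnwrap contract documented on this page.
    private static final int TOKEN_LEN = 64;
    private static final Set<String> ALGS =
            Set.of("DES", "DESede", "TripleDES", "3DES");

    private KeyWrapPreflight() { }

    /** Wraps a hardware DES/DESede key under kek; returns the CCA external key token. */
    public static byte[] wrap(Cipher cipher, Key kek, Key target)
            throws GeneralSecurityException {
        if (kek == null || target == null) {
            throw new InvalidKeyException("KEK and target key are required");
        }
        // The cipher uses no IV, so the randomness source must be null.
        // The cast selects the (int, Key, SecureRandom) overload.
        cipher.init(Cipher.WRAP_MODE, kek, (SecureRandom) null);
        return cipher.wrap(target);
    }

    /** Validates an external key token, then unwraps it under kek. */
    public static Key unwrap(Cipher cipher, Key kek, byte[] token, String alg)
            throws GeneralSecurityException {
        if (kek == null || token == null) {
            throw new InvalidKeyException("KEK and wrapped token are required");
        }
        if (token.length != TOKEN_LEN) {
            throw new InvalidKeyException(
                    "expected a " + TOKEN_LEN + "-byte token, got " + token.length);
        }
        if (alg == null || !ALGS.contains(alg)) {
            throw new InvalidKeyException("unsupported key algorithm: " + alg);
        }
        cipher.init(Cipher.UNWRAP_MODE, kek, (SecureRandom) null);
        // Without algorithm parameters the result is a CKDS key stored in the
        // CKDS, so each successful unwrap has a persistent side effect.
        // Only Cipher.SECRET_KEY is accepted as the wrapped key type.
        return cipher.unwrap(token, alg, Cipher.SECRET_KEY);
    }
}
```

    Checking the token length and algorithm name before calling init keeps untrusted input from triggering hardware calls or CKDS writes that the documented contract would reject anyway.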