- java.lang.Object
-
- javax.crypto.CipherSpi
-
- com.ibm.crypto.hdwrCCA.provider.DESedeTR31KeyWrap
-
public final class DESedeTR31KeyWrap extends javax.crypto.CipherSpi
This class implements hardware TR-31 KeyBlock DESede key wrapping. This function enables secure key exchange between dissimilar platforms, such as z/OS and a non-z/OS system. It allows a DESede EXPORTER Key Encrypting Key (KEK) to wrap a DES or DESede CKDSLabel or ICSFToken key to an ANSI TR-31 KeyBlock and allows a DESede IMPORTER KEK to unwrap a DES or DESede key from an ANSI TR-31 KeyBlock to a CKDSLabel or ICSFToken key.
-
-
Constructor Summary
Constructors Constructor Description DESedeTR31KeyWrap()
Creates an instance of hardware DESede TR-31 KeyBlock key wrapping cipher.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected byte[]
engineDoFinal(byte[] input, int inputOffset, int inputLen)
Encrypting or decrypting data in a single-part operation, or finishing a multiple-part operation is not supported.protected int
engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
Encrypting or decrypting data in a single-part operation, or finishing a multiple-part operation is not supported.protected int
engineGetBlockSize()
This operation is not supported.protected byte[]
engineGetIV()
Returns the initialization vector (IV) used with this cipher.protected int
engineGetKeySize(java.security.Key key)
Returns the key size of the given key object.protected int
engineGetOutputSize(int inputLen)
Returns the length in bytes of the required output buffer.protected java.security.AlgorithmParameters
engineGetParameters()
Returns the parameters used with this cipher.protected void
engineInit(int opmode, java.security.Key key, java.security.AlgorithmParameters params, java.security.SecureRandom random)
protected void
engineInit(int opmode, java.security.Key key, java.security.SecureRandom random)
Initializes this cipher with a key and a source of randomness.protected void
engineInit(int opmode, java.security.Key key, java.security.spec.AlgorithmParameterSpec params, java.security.SecureRandom random)
Initializes this cipher with a key, operation-specific parameters, and a source of randomness.protected void
engineSetMode(java.lang.String mode)
Setting the cipher mode is not supported.protected void
engineSetPadding(java.lang.String paddingScheme)
Setting the cipher padding mechanism is not supported.protected java.security.Key
engineUnwrap(byte[] TR31KeyBlock, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType)
Unwrap a DES or DESede key that was previously wrapped in a TR-31 KeyBlock.protected byte[]
engineUpdate(byte[] input, int inputOffset, int inputLen)
Continuing a multiple-part encryption or decryption operation is not supported.protected int
engineUpdate(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
Continuing a multiple-part encryption or decryption operation is not supported.protected byte[]
engineWrap(java.security.Key key)
Wrap a CCA hardware DES or DESede key.
-
-
-
Method Detail
-
engineGetBlockSize
protected int engineGetBlockSize()
This operation is not supported.- Specified by:
engineGetBlockSize
in classjavax.crypto.CipherSpi
- Throws:
java.lang.UnsupportedOperationException
- always.
-
engineGetOutputSize
protected int engineGetOutputSize(int inputLen)
Returns the length in bytes of the required output buffer.- Specified by:
engineGetOutputSize
in classjavax.crypto.CipherSpi
- Parameters:
inputLen
- the input length in bytes, which will be ignored- Returns:
- the required output buffer size in bytes, as follows:
- if the cipher is initialized for wrap, MAX_TR31_LENGTH (9992).
- if the cipher is initialized for unwrap, 64.
-
engineGetKeySize
protected int engineGetKeySize(java.security.Key key)
Returns the key size of the given key object. This method is called by the JCE framework to ensure that the size of the key to be used does not exceed the maximum allowable key size specified in the Java restricted policy files.Cipher operations done at the hardware level should bypass the Java restricted policy files check because the cryptographic hardware enforces the US export restrictions relating to cryptographic keys. If a hardware key is used for a DES or DESede cipher operation, we can bypass the restricted policy files checking by returning a key size that conforms to the policy files.
- Overrides:
engineGetKeySize
in classjavax.crypto.CipherSpi
- Parameters:
key
- the key object- Returns:
- a key size that will pass the restricted policy files check done by the JCE framework.
-
engineInit
protected void engineInit(int opmode, java.security.Key key, java.security.SecureRandom random) throws java.security.InvalidKeyException
Initializes this cipher with a key and a source of randomness. This cipher may be initialized for key wrapping or key unwrapping operations only, depending on the value ofopmode
. Encryption and decryption operations are not supported by this cipher.This cipher does not require an initialization vector (IV), so the source of randomness provided by
random
will be ignored.This method should be used to initialize this cipher for
Cipher.WRAP_MODE
only when both of the following are true:- the key to wrap is a data encryption key (not a Key Encrypting key)
- no optional data blocks are required by the system that will unwrap the key.
This method should be used to initialize this cipher for
Cipher.UNWRAP_MODE
only when all of the following are true:- the key to unwrap is a data encryption key (not a Key Encrypting key)
- the key will be unwrapped as a
CCAAlgorithmParameterSpec.CKDS
key - the CKDS label will be created automatically by the unwrap service
This method resets any existing state information.
- Specified by:
engineInit
in classjavax.crypto.CipherSpi
- Parameters:
opmode
- the operation mode of this cipher. This is one ofCipher.WRAP_MODE
orCipher.UNWRAP_MODE
. Please note thatCipher.ENCRYPT_MODE
andCipher.DECRYPT_MODE
operation modes are not supported.key
- the IBMJCECCA hardware DESede key encrypting keyrandom
- the source of randomness (will be ignored)- Throws:
java.lang.UnsupportedOperationException
- if theopmode
is eitherCipher.ENCRYPT_MODE
orCipher.DECRYPT_MODE
, which is not supported by this cipher.java.security.InvalidParameterException
- if theopmode
is not a valid cipher operation mode.java.lang.NullPointerException
- if the key is null.java.security.InvalidKeyException
- if the given key not a CCA hardware DESede key.
-
engineInit
protected void engineInit(int opmode, java.security.Key key, java.security.spec.AlgorithmParameterSpec params, java.security.SecureRandom random) throws java.security.InvalidKeyException, java.security.InvalidAlgorithmParameterException
Initializes this cipher with a key, operation-specific parameters, and a source of randomness. This cipher may be initialized for key wrapping or key unwrapping operations only, depending on the value ofopmode
. Encryption and decryption operations are not supported by this cipher. This cipher does not require an initialization vector (IV), so the source of randomness provided byrandom
will be ignored. This method must be used to initialize this cipher when any of the following are true:- the key to wrap or unwrap is an IBMJCECCA Key Encrypting Key (KEK), either IMPORTER or EXPORTER
- the key to unwrap will be a
CCAAlgorithmParameterSpec.SECURE_INTERNAL_TOKEN
key - the wrap operation requires additional information in optional data blocks
- Specified by:
engineInit
in classjavax.crypto.CipherSpi
- Parameters:
opmode
- the operation mode of this cipher. This is one ofCipher.WRAP_MODE
orCipher.UNWRAP_MODE
. Please note thatCipher.ENCRYPT_MODE
andCipher.DECRYPT_MODE
operation modes are not supported.key
- the IBMJCECCA hardware DESede key encrypting key (KEK)params
- algorithm parameters in (@link CCAAlgorithmParameterSpec} that specifies information required for the requested operation.- For
Cipher.WRAP_MODE
, if the key to be wrapped is not a data encrypting key, then the key usage of the key being wrapped must be specified. The parameter may also include optional data blocks required by the system that will unwrap the key. - For
Cipher.UNWRAP_MODE
, if the key to be unwrapped is not a data encrypting key, then the key usage of the key being unwrapped must be specified. The parameter may also include the type of key to unwrap to, eitherCCAAlgorithmParameterSpec.SECURE_INTERNAL_TOKEN
orCCAAlgorithmParameterSpec.CKDS
. The default isCCAAlgorithmParameterSpec.CKDS
.
- For
random
- the source of randomness (will be ignored)- Throws:
java.lang.UnsupportedOperationException
- if theopmode
is eitherCipher.ENCRYPT_MODE
orCipher.DECRYPT_MODE
, which is not supported by this cipher.java.security.InvalidParameterException
- if theopmode
is not a valid cipher operation mode.java.security.InvalidParameterException
- ifSymmetricKeyConstants.KeyUsage
is specified inCCAAlgorithmParameterSpec
but is not one ofSymmetricKeyConstants.KeyUsage.OP_DATA
,SymmetricKeyConstants.KeyUsage.OP_CIPHER
,SymmetricKeyConstants.KeyUsage.OP_IMPORTER
, orSymmetricKeyConstants.KeyUsage.OP_EXPORTER
.java.lang.NullPointerException
- if the key is null.java.security.InvalidKeyException
- if the given key is not a CCA hardware DESede key.java.security.InvalidAlgorithmParameterException
- ifparams
is not null and eitherparams
is not an instance ofCCAAlgorithmParameterSpec
or the algorithm parameters specify to unwrap keys asCCAAlgorithmParameterSpec.CLEAR
keys.
-
engineInit
protected void engineInit(int opmode, java.security.Key key, java.security.AlgorithmParameters params, java.security.SecureRandom random) throws java.security.InvalidKeyException, java.security.InvalidAlgorithmParameterException
- Specified by:
engineInit
in classjavax.crypto.CipherSpi
- Throws:
java.security.InvalidKeyException
java.security.InvalidAlgorithmParameterException
- See Also:
engineInit(int, Key, AlgorithmParameterSpec, SecureRandom)
-
engineWrap
protected byte[] engineWrap(java.security.Key key) throws java.security.InvalidKeyException
Wrap a CCA hardware DES or DESede key. The wrapped key will be formatted as an ANSI TR-31 KeyBlock.- Overrides:
engineWrap
in classjavax.crypto.CipherSpi
- Parameters:
key
- the CCA hardware DES or DESede key to be wrapped- Returns:
- the wrapped key formatted as an ANSI TR-31 KeyBlock.
- Throws:
java.lang.NullPointerException
- ifkey
is null.java.security.InvalidKeyException
- if the provided key is not a CCA hardware DES or DESede key.java.lang.IllegalStateException
- if this cipher is not initialized for theCipher.WRAP_MODE
operational mode.
-
engineUnwrap
protected java.security.Key engineUnwrap(byte[] TR31KeyBlock, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType) throws java.security.InvalidKeyException
Unwrap a DES or DESede key that was previously wrapped in a TR-31 KeyBlock. The unwrapped key will use the default wrapping method that ICSF has been setup to use for internal key tokens. This can be either the original ECB wrapping method or the enhanced CBC wrapping method which is ANSI X9.24 compliant. By default, all unwrapped keys will be CKDS keys stored in the CKDS, unless otherwise specified through algorithm parameter specs during cipher initialization.- Overrides:
engineUnwrap
in classjavax.crypto.CipherSpi
- Parameters:
TR31KeyBlock
- the previously wrapped CCA hardware DES or DESede key to be unwrapped.wrappedKeyAlgorithm
- the key algorithm of the original keywrappedKeyType
- the type of wrapped key, this must beCipher.SECRET_KEY
- Returns:
- the unwrapped CCA hardware DES or DESede key.
- Throws:
java.lang.NullPointerException
- ifTR31KeyBlock
is null.java.security.NoSuchAlgorithmException
- ifwrappedKeyAlgorithm
is not"DES"
,"DESede"
,"TripleDES"
, or"3DES"
.java.security.InvalidKeyException
- ifTR31KeyBlock
is not 64 bytes in length,wrappedKeyType
is notCipher.SECRET_KEY
, or there is an issue creating the unwrapped CCA hardware key.java.lang.IllegalStateException
- if this cipher is not initialized for theCipher.UNWRAP_MODE
operational mode.
-
engineSetMode
protected void engineSetMode(java.lang.String mode)
Setting the cipher mode is not supported.- Specified by:
engineSetMode
in classjavax.crypto.CipherSpi
- Parameters:
mode
- the cipher mode- Throws:
java.lang.UnsupportedOperationException
- always.
-
engineSetPadding
protected void engineSetPadding(java.lang.String paddingScheme)
Setting the cipher padding mechanism is not supported.- Specified by:
engineSetPadding
in classjavax.crypto.CipherSpi
- Parameters:
paddingScheme
- the padding mechanism- Throws:
java.lang.UnsupportedOperationException
- always.
-
engineGetIV
protected byte[] engineGetIV()
Returns the initialization vector (IV) used with this cipher.- Specified by:
engineGetIV
in classjavax.crypto.CipherSpi
- Returns:
- null, because this cipher does not use any IV.
-
engineGetParameters
protected java.security.AlgorithmParameters engineGetParameters()
Returns the parameters used with this cipher.- Specified by:
engineGetParameters
in classjavax.crypto.CipherSpi
- Returns:
- null, because this cipher does not return any parameters.
-
engineUpdate
protected byte[] engineUpdate(byte[] input, int inputOffset, int inputLen)
Continuing a multiple-part encryption or decryption operation is not supported.- Specified by:
engineUpdate
in classjavax.crypto.CipherSpi
- Throws:
java.lang.UnsupportedOperationException
- always.
-
engineUpdate
protected int engineUpdate(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
Continuing a multiple-part encryption or decryption operation is not supported.- Specified by:
engineUpdate
in classjavax.crypto.CipherSpi
- Throws:
java.lang.UnsupportedOperationException
- always.
-
engineDoFinal
protected byte[] engineDoFinal(byte[] input, int inputOffset, int inputLen)
Encrypting or decrypting data in a single-part operation, or finishing a multiple-part operation is not supported.- Specified by:
engineDoFinal
in classjavax.crypto.CipherSpi
- Throws:
java.lang.UnsupportedOperationException
- always.
-
engineDoFinal
protected int engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
Encrypting or decrypting data in a single-part operation, or finishing a multiple-part operation is not supported.- Specified by:
engineDoFinal
in classjavax.crypto.CipherSpi
- Throws:
java.lang.UnsupportedOperationException
- always.
-
-