Package org.bouncycastle.tls.crypto.impl.jcajce

Class JcaTlsCrypto

  • All Implemented Interfaces:
    TlsCrypto
    public class JcaTlsCrypto
extends AbstractTlsCrypto
    Class for providing cryptographic services for TLS based on implementations in the JCA/JCE.

    This class provides default implementations for everything. If you need to customise it, extend the class and override the appropriate methods.

    • Constructor Detail

      • JcaTlsCrypto

        protected JcaTlsCrypto​(org.bouncycastle.jcajce.util.JcaJceHelper helper,
                       java.security.SecureRandom entropySource,
                       java.security.SecureRandom nonceEntropySource)
        Base constructor.
        Parameters:
        helper - a JCA/JCE helper configured for the class's default provider.
        entropySource - primary entropy source, used for key generation.
        nonceEntropySource - secondary entropy source, used for nonce and IV generation.

    • Method Detail

      • createNonceGenerator

        public TlsNonceGenerator createNonceGenerator​(byte[] additionalSeedMaterial)
        Description copied from interface: TlsCrypto
        Create a nonce generator. Each call should construct a new generator, and the generator should be returned from this call only after automatically seeding from this TlsCrypto's entropy source, and from the provided additional seed material. The output of each returned generator must be completely independent of the others.
        Parameters:
        additionalSeedMaterial - context-specific seed material
        Returns:
        a TlsNonceGenerator

      • getSecureRandom

        public java.security.SecureRandom getSecureRandom()
        Description copied from interface: TlsCrypto
        Return the primary (safest) SecureRandom for this crypto.
        Returns:
        a SecureRandom suitable for key generation.

      • calculateKeyAgreement

        public byte[] calculateKeyAgreement​(java.lang.String agreementAlgorithm,
                                    java.security.PrivateKey privateKey,
                                    java.security.PublicKey publicKey,
                                    java.lang.String secretAlgorithm)
                             throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • createCertificate

        public TlsCertificate createCertificate​(byte[] encoding)
                                 throws java.io.IOException
        Description copied from interface: TlsCrypto
        Create a TlsCertificate from an ASN.1 binary encoding of an X.509 certificate.
        Parameters:
        encoding - DER/BER encoding of the certificate of interest.
        Returns:
        a TlsCertificate.
        Throws:
        java.io.IOException - if there is an issue on decoding or constructing the certificate.

      • createCipher

        public TlsCipher createCipher​(TlsCryptoParameters cryptoParams,
                              int encryptionAlgorithm,
                              int macAlgorithm)
                       throws java.io.IOException
        Description copied from interface: TlsCrypto
        Create a cipher for the specified encryption and MAC algorithms.

        See enumeration classes EncryptionAlgorithm, MACAlgorithm for appropriate argument values.

        Parameters:
        cryptoParams - context specific parameters.
        encryptionAlgorithm - the encryption algorithm to be employed by the cipher.
        macAlgorithm - the MAC algorithm to be employed by the cipher.
        Returns:
        a TlsCipher implementing the encryption and MAC algorithms.
        Throws:
        java.io.IOException

      • createHMAC

        public TlsHMAC createHMAC​(int macAlgorithm)
        Description copied from interface: TlsCrypto
        Create a suitable HMAC for the MAC algorithm identifier passed in.

        See enumeration class MACAlgorithm for appropriate argument values.

        Parameters:
        macAlgorithm - the MAC algorithm the HMAC needs to match.
        Returns:
        a TlsHMAC.

      • createHMACForHash

        public TlsHMAC createHMACForHash​(int cryptoHashAlgorithm)
        Description copied from interface: TlsCrypto
        Create a suitable HMAC using the hash algorithm identifier passed in.

        See enumeration class CryptoHashAlgorithm for appropriate argument values.

        Parameters:
        cryptoHashAlgorithm - the hash algorithm the HMAC should use.
        Returns:
        a TlsHMAC.

      • createHMAC_SSL

        protected TlsHMAC createHMAC_SSL​(int macAlgorithm)
                          throws java.security.GeneralSecurityException,
                                 java.io.IOException
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException

      • createMAC

        protected TlsHMAC createMAC​(TlsCryptoParameters cryptoParams,
                            int macAlgorithm)
                     throws java.security.GeneralSecurityException,
                            java.io.IOException
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException

      • createSRP6Client

        public TlsSRP6Client createSRP6Client​(TlsSRPConfig srpConfig)
        Description copied from interface: TlsCrypto
        Create an SRP-6 client.
        Parameters:
        srpConfig - client config.
        Returns:
        an initialised SRP6 client object.

      • createSRP6Server

        public TlsSRP6Server createSRP6Server​(TlsSRPConfig srpConfig,
                                      java.math.BigInteger srpVerifier)
        Description copied from interface: TlsCrypto
        Create an SRP-6 server.
        Parameters:
        srpConfig - server config.
        srpVerifier - the SRP6 verifier value.
        Returns:
        an initialised SRP6 server object.

      • createSRP6VerifierGenerator

        public TlsSRP6VerifierGenerator createSRP6VerifierGenerator​(TlsSRPConfig srpConfig)
        Description copied from interface: TlsCrypto
        Create an SRP-6 verifier generator.
        Parameters:
        srpConfig - generator config.
        Returns:
        an initialized SRP6 verifier generator.

      • getNamedGroupAlgorithmParameters

        public java.security.AlgorithmParameters getNamedGroupAlgorithmParameters​(int namedGroup)
                                                                   throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • getSignatureSchemeAlgorithmParameters

        public java.security.AlgorithmParameters getSignatureSchemeAlgorithmParameters​(int signatureScheme)
                                                                        throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • hasAllRawSignatureAlgorithms

        public boolean hasAllRawSignatureAlgorithms()
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can perform raw signatures and verifications for all supported algorithms.
        Returns:
        true if this instance can perform raw signatures and verifications for all supported algorithms, false otherwise.

      • hasDHAgreement

        public boolean hasDHAgreement()
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support DH key agreement.
        Returns:
        true if this instance can support DH key agreement, false otherwise.

      • hasECDHAgreement

        public boolean hasECDHAgreement()
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support ECDH key agreement.
        Returns:
        true if this instance can support ECDH key agreement, false otherwise.

      • hasEncryptionAlgorithm

        public boolean hasEncryptionAlgorithm​(int encryptionAlgorithm)
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support the passed in block/stream encryption algorithm.
        Parameters:
        encryptionAlgorithm - the algorithm of interest.
        Returns:
        true if encryptionAlgorithm is supported, false otherwise.

      • hasCryptoHashAlgorithm

        public boolean hasCryptoHashAlgorithm​(int cryptoHashAlgorithm)
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support the passed in hash algorithm.
        Parameters:
        cryptoHashAlgorithm - the algorithm of interest.
        Returns:
        true if cryptoHashAlgorithm is supported, false otherwise.

      • hasCryptoSignatureAlgorithm

        public boolean hasCryptoSignatureAlgorithm​(int cryptoSignatureAlgorithm)
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support the passed in signature algorithm (not necessarily in combination with EVERY hash algorithm).
        Parameters:
        cryptoSignatureAlgorithm - the algorithm of interest.
        Returns:
        true if cryptoSignatureAlgorithm is supported, false otherwise.

      • hasMacAlgorithm

        public boolean hasMacAlgorithm​(int macAlgorithm)
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support the passed in MAC algorithm.
        Parameters:
        macAlgorithm - the algorithm of interest.
        Returns:
        true if macAlgorithm is supported, false otherwise.

      • hasNamedGroup

        public boolean hasNamedGroup​(int namedGroup)
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto supports the passed in named group value.
        Returns:
        true if this instance supports the passed in named group value.

      • hasRSAEncryption

        public boolean hasRSAEncryption()
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support RSA encryption/decryption.
        Returns:
        true if this instance can support RSA encryption/decryption, false otherwise.

      • hasSignatureAlgorithm

        public boolean hasSignatureAlgorithm​(short signatureAlgorithm)
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support the passed in signature algorithm (not necessarily in combination with EVERY hash algorithm).
        Parameters:
        signatureAlgorithm - the algorithm of interest.
        Returns:
        true if signatureAlgorithm is supported, false otherwise.

      • hasSignatureAndHashAlgorithm

        public boolean hasSignatureAndHashAlgorithm​(SignatureAndHashAlgorithm sigAndHashAlgorithm)
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support the passed in signature algorithm.
        Parameters:
        sigAndHashAlgorithm - the algorithm of interest.
        Returns:
        true if sigAndHashAlgorithm is supported, false otherwise.

      • hasSignatureScheme

        public boolean hasSignatureScheme​(int signatureScheme)
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support the passed in signature scheme.
        Parameters:
        signatureScheme - the scheme of interest.
        Returns:
        true if signatureScheme is supported, false otherwise.

      • hasSRPAuthentication

        public boolean hasSRPAuthentication()
        Description copied from interface: TlsCrypto
        Return true if this TlsCrypto can support SRP authentication.
        Returns:
        true if this instance can support SRP authentication, false otherwise.

      • createSecret

        public TlsSecret createSecret​(byte[] data)
        Description copied from interface: TlsCrypto
        Create a TlsSecret object based on provided data.
        Parameters:
        data - the data to base the TlsSecret on.
        Returns:
        a TlsSecret based on the provided data.

      • generateRSAPreMasterSecret

        public TlsSecret generateRSAPreMasterSecret​(ProtocolVersion version)
        Description copied from interface: TlsCrypto
        Create a TlsSecret object containing a randomly-generated RSA PreMasterSecret
        Parameters:
        version - the client version to place in the first 2 bytes
        Returns:
        a TlsSecret containing the PreMasterSecret.

      • createHash

        public TlsHash createHash​(int cryptoHashAlgorithm)
        Description copied from interface: TlsCrypto
        Create a suitable hash for the hash algorithm identifier passed in.

        See enumeration class CryptoHashAlgorithm for appropriate argument values.

        Parameters:
        cryptoHashAlgorithm - the hash algorithm the hash needs to implement.
        Returns:
        a TlsHash.

      • createDHDomain

        public TlsDHDomain createDHDomain​(TlsDHConfig dhConfig)
        Description copied from interface: TlsCrypto
        Create a domain object supporting the domain parameters described in dhConfig.
        Parameters:
        dhConfig - the config describing the DH parameters to use.
        Returns:
        a TlsDHDomain supporting the parameters in dhConfig.

      • createECDomain

        public TlsECDomain createECDomain​(TlsECConfig ecConfig)
        Description copied from interface: TlsCrypto
        Create a domain object supporting the domain parameters described in ecConfig.
        Parameters:
        ecConfig - the config describing the EC parameters to use.
        Returns:
        a TlsECDomain supporting the parameters in ecConfig.

      • hkdfInit

        public TlsSecret hkdfInit​(int cryptoHashAlgorithm)
        Description copied from interface: TlsCrypto
        Setup an initial "secret" for a chain of HKDF calls (RFC 5869), containing a string of HashLen zeroes.
        Parameters:
        cryptoHashAlgorithm - the hash algorithm to instantiate HMAC with. See CryptoHashAlgorithm for values.

      • createAEADCipher

        protected TlsAEADCipherImpl createAEADCipher​(java.lang.String cipherName,
                                             java.lang.String algorithm,
                                             int keySize,
                                             boolean isEncrypting)
                                      throws java.security.GeneralSecurityException
        If you want to create your own versions of the AEAD ciphers required, override this method.
        Parameters:
        cipherName - the full name of the cipher (algorithm/mode/padding)
        algorithm - the base algorithm name
        keySize - keySize (in bytes) for the cipher key.
        isEncrypting - true if the cipher is for encryption, false otherwise.
        Returns:
        an AEAD cipher.
        Throws:
        java.security.GeneralSecurityException - in case of failure.

      • createBlockCipher

        protected TlsBlockCipherImpl createBlockCipher​(java.lang.String cipherName,
                                               java.lang.String algorithm,
                                               int keySize,
                                               boolean isEncrypting)
                                        throws java.security.GeneralSecurityException
        If you want to create your own versions of the block ciphers required, override this method.
        Parameters:
        cipherName - the full name of the cipher (algorithm/mode/padding)
        algorithm - the base algorithm name
        keySize - keySize (in bytes) for the cipher key.
        isEncrypting - true if the cipher is for encryption, false otherwise.
        Returns:
        a block cipher.
        Throws:
        java.security.GeneralSecurityException - in case of failure.

      • createBlockCipherWithCBCImplicitIV

        protected TlsBlockCipherImpl createBlockCipherWithCBCImplicitIV​(java.lang.String cipherName,
                                                                java.lang.String algorithm,
                                                                int keySize,
                                                                boolean isEncrypting)
                                                         throws java.security.GeneralSecurityException
        If you want to create your own versions of the block ciphers for < TLS 1.1, override this method.
        Parameters:
        cipherName - the full name of the cipher (algorithm/mode/padding)
        algorithm - the base algorithm name
        keySize - keySize (in bytes) for the cipher key.
        isEncrypting - true if the cipher is for encryption, false otherwise.
        Returns:
        a block cipher.
        Throws:
        java.security.GeneralSecurityException - in case of failure.

      • createHMAC

        protected TlsHMAC createHMAC​(java.lang.String hmacName)
        If you want to create your own versions of HMACs, override this method.
        Parameters:
        hmacName - the name of the HMAC required.
        Returns:
        a HMAC calculator.

      • createHash

        protected TlsHash createHash​(java.lang.String digestName)
                      throws java.security.GeneralSecurityException
        If you want to create your own versions of Hash functions, override this method.
        Parameters:
        digestName - the name of the Hash function required.
        Returns:
        a hash calculator.
        Throws:
        java.security.GeneralSecurityException - in case of failure.

      • createNullCipher

        protected TlsNullCipher createNullCipher​(TlsCryptoParameters cryptoParams,
                                         int macAlgorithm)
                                  throws java.io.IOException,
                                         java.security.GeneralSecurityException
        To disable the null cipher suite, override this method with one that throws an IOException.
        Parameters:
        macAlgorithm - the name of the algorithm supporting the MAC.
        Returns:
        a null cipher suite implementation.
        Throws:
        java.io.IOException - in case of failure.
        java.security.GeneralSecurityException - in case of a specific failure in the JCA/JCE layer.

      • createStreamSigner

        protected TlsStreamSigner createStreamSigner​(SignatureAndHashAlgorithm algorithm,
                                             java.security.PrivateKey privateKey,
                                             boolean needsRandom)
                                      throws java.io.IOException
        Throws:
        java.io.IOException

      • createStreamSigner

        protected TlsStreamSigner createStreamSigner​(java.lang.String algorithmName,
                                             java.security.spec.AlgorithmParameterSpec parameter,
                                             java.security.PrivateKey privateKey,
                                             boolean needsRandom)
                                      throws java.io.IOException
        Throws:
        java.io.IOException

      • createStreamVerifier

        protected TlsStreamVerifier createStreamVerifier​(DigitallySigned signature,
                                                 java.security.PublicKey publicKey)
                                          throws java.io.IOException
        Throws:
        java.io.IOException

      • createStreamVerifier

        protected TlsStreamVerifier createStreamVerifier​(java.lang.String algorithmName,
                                                 java.security.spec.AlgorithmParameterSpec parameter,
                                                 byte[] signature,
                                                 java.security.PublicKey publicKey)
                                          throws java.io.IOException
        Throws:
        java.io.IOException

      • createVerifyingStreamSigner

        protected TlsStreamSigner createVerifyingStreamSigner​(SignatureAndHashAlgorithm algorithm,
                                                      java.security.PrivateKey privateKey,
                                                      boolean needsRandom,
                                                      java.security.PublicKey publicKey)
                                               throws java.io.IOException
        Throws:
        java.io.IOException

      • createVerifyingStreamSigner

        protected TlsStreamSigner createVerifyingStreamSigner​(java.lang.String algorithmName,
                                                      java.security.spec.AlgorithmParameterSpec parameter,
                                                      java.security.PrivateKey privateKey,
                                                      boolean needsRandom,
                                                      java.security.PublicKey publicKey)
                                               throws java.io.IOException
        Throws:
        java.io.IOException

      • isSupportedEncryptionAlgorithm

        protected java.lang.Boolean isSupportedEncryptionAlgorithm​(int encryptionAlgorithm)

      • isSupportedNamedGroup

        protected java.lang.Boolean isSupportedNamedGroup​(int namedGroup)

      • isUsableCipher

        protected boolean isUsableCipher​(java.lang.String cipherAlgorithm,
                                 int keySize)

      • isUsableMAC

        protected boolean isUsableMAC​(java.lang.String macAlgorithm)

      • getHelper

        public org.bouncycastle.jcajce.util.JcaJceHelper getHelper()

      • createCBCBlockCipherImpl

        protected TlsBlockCipherImpl createCBCBlockCipherImpl​(TlsCryptoParameters cryptoParams,
                                                      java.lang.String algorithm,
                                                      int cipherKeySize,
                                                      boolean forEncryption)
                                               throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • createCipher_CBC

        protected TlsCipher createCipher_CBC​(TlsCryptoParameters cryptoParams,
                                     java.lang.String algorithm,
                                     int cipherKeySize,
                                     int macAlgorithm)
                              throws java.security.GeneralSecurityException,
                                     java.io.IOException
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException