IAIK-JCE 3.01 Maintenance Release - 15. July 2002
|
|
Class or Package
|
Bug (B) / Change (C) / New Feature (NF)
|
Description and Examples
|
|
iaik.asn1.BMPString
|
B
|
Fixed encoding problem (leading marker removed).
|
|
iaik.asn1.structures.AlgorithmID
|
NF
|
New static method getAlgorithmID(String implementationName) allows querying for AlgorithmID objects by implementation name, e.g.:
AlgorithmID algID = AlgorithmID.getAlgorithmID("3DES/CBC/PKCS5Padding");
|
|
iaik.asn1.structures.GeneralName
|
NF
|
Method getName() prints IPv6 addresses, too.
|
|
iaik.pkcs.pkcs12.*
|
NF
|
Multiple key bags allowed; additional bag types
|
|
iaik.pkcs.pkcs12.PKCS12
|
NF
|
New encrypt method allowing any combination of PbeWithSHAAnd40BitRC2_CBC and PbeWithSHAAnd3_KeyTripleDES_CBC to be used for encrypting authenticated safes and shrouded key bags.
|
|
iaik.security.provider.IAIK
|
C
|
Patented ciphers are now registered, too (although they are not available in iaik_jce.jar), to avoid connection overhead caused by class loading attempts when used in applets.
|
|
iaik.security.provider.IAIK
|
NF
|
New static method addAsJDK14Provider allows IAIK to be used as the first provider for JDK 1.4, too.
|
|
iaik.security.dh
|
B
|
Bug fixed in serialization of DHKeys.
|
|
iaik.security.rsa.RSASignature
|
C
|
Now does not use RSA Cipher engine to avoid problems due to JCE provider signing and key length limitation.
|
|
iaik.x509.attr.*
|
C
|
Uses implicit encoding according to IETF specification (RFC3281)
|
|
iaik.x509.extensions.qualified.structures.etsi.*
|
NF
|
Implementation of the ETSI Qualified Certificate Profile (TS 101 862 V1.2.1) qualified certificate statements QcEuCompliance, QcEuLimitValue, QcEuRetentionPeriod.
|
IAIK-JCE 3.0 Final - 29. January 2002
|
|
Class or Package
|
Bug (B) / Change (C) / New Feature (NF)
|
Description and Examples
|
|
Signed Archive files
|
NF
|
IAIK-JCE is now signed so that it may be used with JDK 1.4. We provide two versions of our library files (iaik_jce.jar, iaik_jce_full.jar): a signed version and an unsigned version. The unsigned version does not include the JAVAX CRYPTO packages, which have been split into a separate jar file (iaik_javax_crypto.jar).
|
|
Archive files for patented algorithms
|
C
|
Classes implementing crypto algorithms that may require separate licensing are no longer put together into one single jar file (iaik_jce_patented.jar); rather they are split into several jar archives according to the algorithm scope: iaik_idea.jar (contains all IDEA classes), iaik_rc.jar (contains all classes for RC4, RC5, RC6), and iaik_esdh.jar (contains all classes implementing Ephemeral Static Diffie Hellman).
|
|
demo.*
|
C
|
The IAIK provider is inserted at second position now to avoid problems due to the JDK provider signature verification mechanism that may require that the original SUN provider is installed as first provider.
|
|
iaik.asn1.ASN1String
|
NF,C
|
All ASN.1 String types now extend the abstract class ASN1String, which keeps the byte value directly to avoid character encoding problems when a String type is written again after having been parsed.
|
|
iaik.asn1.ConstructedType
|
NF
|
EncodeListener now may be registered on a constructed type to allow "component based" encode listening.
|
|
iaik.asn1.PrintableString
|
NF
|
Method equals may be forced to compare two PrintableStrings case-insensitively and ignoring intermediate consecutive spaces, as recommended by RFC2459:
boolean checkCaseInsensitive = true;
PrintableString.checkCaseInsensitive(checkCaseInsensitive);
The default setting is false; i.e. PrintableStrings are checked for an exact match, to provide backwards compatibility with former IAIK PrintableString versions, for performance reasons, and because in typical applications PrintableStrings may not differ only in case or spacing (e.g. when comparing issuer/subject distinguished names of certificate chains).
|
|
iaik.asn1.UNKNOWN
|
NF
|
New method getBaseAsnType allows querying for the base type of an unknown ASN.1 object.
|
|
iaik.asn1.structures.AlgorithmID
|
NF
|
New constructor that lets the caller decide whether absent parameters shall be encoded as NULL or omitted when calling toASN1Object. Method toString now also prints the dotted OID string representation.
|
|
iaik.asn1.structures.Attribute
iaik.asn1.structures.AttributeValue
|
NF
|
New Attribute framework now allowing to write and register implementations for specific AttributeValues so that attribute handling becomes more user friendly (see Javadoc™).
|
|
iaik.asn1.structures.AVA
|
C
|
Default secondary encoding (if a string attribute value contains non printable characters): UTF8String; may be changed by an application by calling static method setNonPrintableDefaultEncoding (may be used for avoiding cert parsing problems with browsers not supporting UTF8 encoding; e.g. prior versions of Netscape (4.x)).
|
|
iaik.pkcs.pkcs7
|
NF
|
Non-stream classes now support PKCS#7v1.6, too. Example (SignedData):
SignedData, creation: simply call setVersion(2) after creating the SignedData object:
int mode = ...;
byte[] content = ...;
SignedData signedData = new SignedData(content, mode);
// version number 2 indicates PKCS#7v1.6
signedData.setVersion(2);
SignedData, parsing:
If version 1.6 is used in explicit mode, you have to specify the version number so that the hash is calculated over the content encoding (in implicit mode you do not have to care about the version number at all):
int mode = ...;
// raw data received by other means:
byte[] content = ...;
// hash algorithm(s) used
AlgorithmID[] hashAlgIDs = ...;
// version 2 indicates PKCS#7v1.6
int version = 2;
SignedData signedData = new SignedData(content, hashAlgIDs, version);
Note that PKCS#7v1.6 is not CMS. CMS is the IETF standardized successor of PKCS#7v1.5 (see IAIK-CMS). PKCS#7v1.6 is not as widely used as PKCS#7v1.5; the most popular example of an application using PKCS#7v1.6 may be the SET protocol.
|
|
iaik.pkcs.pkcs7.EncryptedContentInfoStream
|
C
|
Now uses an iaik.utils.CipherInputStream since standard CipherInputStream does not support block based encoding
|
|
iaik.pkcs.pkcs9
|
NF
|
Implementations of the PKCS#9 attribute types ExtensionRequest and ChallengePassword, which may be used to include certificate extension information and/or a challenge password in a PKCS#10 request, or to parse them from one:
Attribute[] attributes = new Attribute[2];
// add an ExtensionRequest attribute for KeyUsage digitalSignature
KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature);
ExtensionRequest extensionRequest = new ExtensionRequest();
extensionRequest.addExtension(keyUsage);
attributes[0] = new Attribute(extensionRequest);
// and a challenge password
ChallengePassword challengePassword = new ChallengePassword("myPassword");
attributes[1] = new Attribute(challengePassword);
// now set the attributes
request.setAttributes(attributes);
...
// when parsing a request: look for an ExtensionRequest attribute
ExtensionRequest extensionRequest =
    (ExtensionRequest)request.getAttributeValue(ExtensionRequest.oid);
if (extensionRequest != null) {
    // we know that KeyUsage is included
    KeyUsage keyUsage = (KeyUsage)extensionRequest.getExtension(KeyUsage.oid);
    System.out.println("ExtensionRequest for KeyUsage: " + keyUsage);
}
// look for a ChallengePassword attribute
ChallengePassword challengePassword =
    (ChallengePassword)request.getAttributeValue(ChallengePassword.oid);
if (challengePassword != null) {
    System.out.println("Challenge password: \"" + challengePassword.getPassword() + "\".");
}
|
|
iaik.pkcs.pkcs10.CertificateRequest
|
C
|
Now ensures that a newly generated or modified request may only be encoded or verified if it has been signed; improved internal ASN.1 handling.
|
|
iaik.pkcs.pkcs10.CertificateRequest
|
NF
|
New sign and verify methods that allow the provider to be specified; new method setSignature that allows a signature value calculated externally to be set (may be used for integrating signature values calculated by smartcards).
|
|
iaik.pkcs.pkcs10.CertificateRequest
|
NF
|
New methods to fit into the new ASN.1 attribute handling framework (see Attribute above)
|
|
iaik.pkcs.pkcs10.CertificateRequest
|
C
|
Changed toString output to print key length and both MD5 and SHA-1 fingerprint.
|
|
iaik.security.cipher.ISO78164Padding
|
NF
|
Padding scheme as described in the ISO 7816-4 Standard (Information technology -- Identification cards -- Integrated circuit(s) cards with contacts -- Part 4: Interindustry commands for interchange):
Cipher c = Cipher.getInstance("algorithm/mode/ISO78164Padding");
|
|
iaik.security.cipher.PBEKey
|
C
|
Method getEncoded now returns a UTF8 encoding of the password.
|
|
iaik.security.dh.ESDHPublicKey,
iaik.security.dh.ESDHPrivateKey
|
B
|
Used wrong AlgorithmID so far (corrected from "1.2.840.113549.1.9.16.3.5" to "1.2.840.10046.2.1").
|
|
iaik.security.mac
|
NF
|
Implementations for HMacRipeMd128, HMacRipeMd160, HMacSha256, HMacSha384, HMacSha512 added ("HMAC/RIPEMD128", "HMAC/RIPEMD160", "HMAC/SHA256", "HMAC/SHA384", "HMAC/SHA512").
|
|
iaik.security.mac.HMac
|
B
|
HMac engine may not have been properly reset when reinitialized.
|
|
iaik.security.rsa.RSAPublicKey
|
NF
|
Static method parse added, which parses a raw PKCS#1 encoded RSA public key.
|
|
iaik.security.rsa
|
NF
|
Implementations for RipeMd128WithRSAEncryption, RipeMd160WithRSAEncryption, Sha256WithRSAEncryption, Sha384WithRSAEncryption, Sha512WithRSAEncryption added ("RIPEMD128/RSA", "RIPEMD160/RSA", "SHA256/RSA", "SHA384/RSA", "SHA512/RSA").
|
|
iaik.utils.MacInputStream
iaik.utils.MacOutputStream
|
NF
|
Streams that calculate a MAC on the data while it is read from or written to the underlying stream; similar to DigestStreams.
|
|
iaik.utils.RFC2253NameParser
|
NF
|
Now allows dynamic association shortName -- OID.
|
|
iaik.x509.X509Certificate,
iaik.x509.X509CRL,
iaik.x509.X509Extensions,
iaik.x509.RevokedCertificate,
iaik.x509.attr.AttributeCertificate,
iaik.x509.ocsp.OCSPExtensions
|
C
|
Method getExtensionValue now returns the extnValue OCTET STRING itself instead of the encoding of the specific extension's ASN.1 value (to ensure compatibility with the standard JDK certificate API).
|
|
iaik.x509.X509Certificate
|
C
|
Method getBasicConstraints returns Integer.MAX_VALUE if cA==true but pathLenConstraints is not set (according to JDK1.3)
|
|
iaik.x509.X509Certificate,
iaik.x509.X509CRL,
iaik.x509.attr.AttributeCertificate
|
NF
|
New method sign that allows the provider to be specified; new method setSignature that allows a signature value calculated externally to be set (may be used for integrating signature values calculated by smartcards), e.g.:
X509Certificate cert = ...;
...
// set issuer, subject, validity, ...
...
// set the signature algorithm to be used for signing
cert.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption);
// get the to-be-signed value
byte[] tbs = cert.getTBSCertificate();
// now calculate the signature over the tbs certificate
byte[] signatureValue = calculateSignature(tbs);
// and set the signatureValue
cert.setSignature(signatureValue);
// encode the certificate
byte[] encodedCert = cert.getEncoded();
|
|
iaik.x509.X509Certificate
|
C
|
Changed toString output to print key length and both MD5 and SHA-1 fingerprint.
|
|
iaik.x509.V3Extension
|
C
|
Method setCritical now returns the extension object itself to allow chained constructions like: caCert.addExtension(new KeyUsage(KeyUsage.keyCertSign).setCritical(true));
|
|
iaik.x509.extensions.netscape.NetscapeCertType
|
B
|
Method toASN1Object: mark trailing zeros as unused to give right DER encoding
|
|
iaik.x509.ocsp.BasicOCSPResponse,
iaik.x509.ocsp.OCSPRequest
|
C
|
New method sign that allows the provider to be specified; improved internal ASN.1 handling.
|
|
iaik.x509.qualified.*
|
C
|
Adapted to RFC3039.
|
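Regarding the getExtensionValue and getBasicConstraints changes above: code that decodes an extension from getExtensionValue now has to strip the outer OCTET STRING first. The following is an added example, not IAIK code; it uses plain Java only, the class and helper names are hypothetical, and the sample bytes are constructed by hand. It unwraps an extnValue for BasicConstraints and applies the same result convention as getBasicConstraints, including the Integer.MAX_VALUE case.

```java
public class BasicConstraintsFromExtnValue {
    /** Checks the DER tag at pos and returns {contentOffset, contentLength}. */
    static int[] tlv(byte[] buf, int pos, int tag) {
        if (pos + 2 > buf.length || (buf[pos] & 0xFF) != tag)
            throw new IllegalArgumentException("expected tag 0x" + Integer.toHexString(tag));
        int len = buf[pos + 1] & 0xFF, off = pos + 2;
        if (len > 0x7F) {                              // long form: low 7 bits = count of length octets
            int n = len & 0x7F;
            if (n == 0 || n > 3 || off + n > buf.length)
                throw new IllegalArgumentException("unsupported length");
            for (len = 0; n > 0; n--) len = (len << 8) | (buf[off++] & 0xFF);
        }
        if (len > buf.length - off) throw new IllegalArgumentException("truncated value");
        return new int[] { off, len };
    }

    /** Same result convention as java.security.cert.X509Certificate.getBasicConstraints(). */
    static int basicConstraints(byte[] extnValue) {
        int[] oct = tlv(extnValue, 0, 0x04);           // outer extnValue OCTET STRING wrapper
        int[] seq = tlv(extnValue, oct[0], 0x30);      // inner BasicConstraints SEQUENCE
        int pos = seq[0], end = seq[0] + seq[1];
        if (oct[0] + oct[1] != extnValue.length || end != extnValue.length)
            throw new IllegalArgumentException("trailing or missing data");
        boolean ca = false;
        if (pos < end && extnValue[pos] == 0x01) {     // cA BOOLEAN DEFAULT FALSE
            int[] b = tlv(extnValue, pos, 0x01);
            if (b[1] != 1) throw new IllegalArgumentException("bad BOOLEAN");
            ca = extnValue[b[0]] != 0;
            pos = b[0] + 1;
        }
        if (!ca) return -1;                            // not a CA
        if (pos == end) return Integer.MAX_VALUE;      // cA == true, pathLenConstraint absent
        int[] i = tlv(extnValue, pos, 0x02);           // pathLenConstraint INTEGER
        if (i[1] < 1 || i[1] > 4 || extnValue[i[0]] < 0 || i[0] + i[1] != end)
            throw new IllegalArgumentException("bad pathLenConstraint");
        int v = 0;
        for (int k = 0; k < i[1]; k++) v = (v << 8) | (extnValue[i[0] + k] & 0xFF);
        return v;
    }
    public static void main(String[] args) {
        // Constructed samples, shaped like what getExtensionValue("2.5.29.19") returns.
        byte[] caNoLen = { 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, (byte) 0xFF };
        byte[] caLen0  = { 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, (byte) 0xFF, 0x02, 0x01, 0x00 };
        byte[] leaf    = { 0x04, 0x02, 0x30, 0x00 };
        System.out.println("CA, no pathLen: " + basicConstraints(caNoLen));
        System.out.println("CA, pathLen 0:  " + basicConstraints(caLen0));
        System.out.println("end entity:     " + basicConstraints(leaf));
    }
}
```

A path validator that treats the result as a plain chain-length limit must handle -1 (not a CA) separately from Integer.MAX_VALUE (CA without a limit).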
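Regarding the NetscapeCertType fix above: in DER, a BIT STRING that carries a named bit list drops trailing zero bits and records the remaining padding in the unused-bits octet. The following is an added example, not IAIK code; it uses plain Java only, the class and method names are hypothetical, and the input is constructed. It encodes such a bit list and checks whether a given encoding is in DER form.

```java
public class NamedBitListDer {
    /** DER-encodes a named bit list; bits[0] is ASN.1 bit 0 (the most significant bit). */
    static byte[] encode(boolean[] bits) {
        int n = bits.length;
        while (n > 0 && !bits[n - 1]) n--;             // DER: trailing zero bits are dropped
        int octets = (n + 7) / 8;
        if (octets > 126) throw new IllegalArgumentException("short-form length only");
        byte[] out = new byte[3 + octets];
        out[0] = 0x03;                                 // BIT STRING tag
        out[1] = (byte) (1 + octets);                  // content length: unused-bits octet + data
        out[2] = (byte) (octets * 8 - n);              // unused bits in the last octet (0..7)
        for (int i = 0; i < n; i++)
            if (bits[i]) out[3 + i / 8] |= (byte) (0x80 >> (i % 8));
        return out;
    }

    /** True if enc (short-form length only) is the DER form of a named bit list. */
    static boolean isDer(byte[] enc) {
        if (enc.length < 3 || enc[0] != 0x03 || enc[1] < 0 || enc[1] != enc.length - 2)
            return false;
        int unused = enc[2] & 0xFF;
        if (enc.length == 3) return unused == 0;       // empty bit string
        if (unused > 7) return false;
        int last = enc[enc.length - 1] & 0xFF;
        // padding bits must be zero, and the last bit actually encoded must be 1
        return (last & ((1 << unused) - 1)) == 0 && (last & (1 << unused)) != 0;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X ", x));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed input: NetscapeCertType with bit 0 (SSL client) and bit 1 (SSL server) set.
        boolean[] certType = { true, true, false, false, false, false, false, false };
        byte[] der = encode(certType);
        byte[] padded = { 0x03, 0x02, 0x00, (byte) 0xC0 }; // same bits, trailing zeros kept
        System.out.println(hex(der) + " DER? " + isDer(der));
        System.out.println(hex(padded) + " DER? " + isDer(padded));
    }
}
```

Both byte strings carry the same bit values, so a strict DER decoder and a lenient BER decoder can disagree on whether the certificate is well-formed, and re-encoding the padded form changes the bytes a signature was computed over.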