IAIK-JCE 3.141 Maintenance Release - 12. September 2006
|
|
Class or Package
|
Bug (B) / Change (C) / New Feature (NF)
|
Description and Examples
|
|
demo.keystore.IaikKeyStore
|
C
|
RSASSA-PSS and RSAES-OAEP key/certificate samples added
|
|
iaik.asn1.BIT_STRING
|
NF, C
|
Automatic unused bit calculation if -1 is specified as bitsNotValid
|
|
iaik.asn1.DerCoder
|
B
|
encodeTo: fixed long form tag encoding and implicit tagging
|
|
iaik.asn1.DerInputStream
|
NF, C
|
OctetInputStream.available first checks available bytes from the underlying stream
|
|
iaik.asn1.DerInputStream
|
NF
|
New method readOctetString(boolean skipOuter) to parse "away" any constructed octet strings at the outermost level to read the content of the innermost (definite primitive or constructed with definite primitive components) octet string
|
|
iaik.asn1.DerInputStream
|
C
|
Method readOctetString now does not read the data of a definite primitive encoded OCTET STRING into a ByteArrayInputStream buffer; rather it returns the original stream to read the data from it
|
|
iaik.asn1.OCTET_STRING
|
B, C
|
Fixed getValue when getting the value of a nested octet string where some of the value(s) may be supplied from streams; some performance improvements
|
|
iaik.asn1.structures.GeneralName,
iaik.asn1.structures.OtherName
|
NF,C
|
GeneralName now allows implementing and registering OtherName types
|
|
iaik.pkcs.pkcs10.CertificateRequest
|
B,C
|
sign: check if parameters shall be included in signature algorithm id encodings
|
|
iaik.pkcs.pkcs12.PKCS12
|
C
|
Default iteration count changed to 2000 (since now supported by all current browsers and providing enhanced security)
|
|
iaik.security.cipher.GeneralKeyFactory
|
B,C
|
Fixed internal KeyGenerator usage
|
|
iaik.security.cipher.TripleDESKeyWrap
|
C
|
Final decipher check for odd parity can be turned off (some applications may not take care of odd parity on the sending side)
|
|
iaik.security.mac.CMac,
iaik.security.mac.CMacAES,
iaik.security.mac.CMacDESede
|
NF
|
Implementation of CMAC based on AES and Triple DES as specified in NIST SP 800-38B.
|
|
iaik.security.md.Whirlpool
|
NF
|
Implementation of the Whirlpool message digest algorithm; developed by Paulo S.L.M. Barreto and Vincent Rijmen; specified in ISO/IEC 10118-3.
|
|
iaik.security.provider.IAIK
|
C, NF
|
Added method setCheckPKCS5PaddingBytes to turn PKCS#5 byte value check on/off
|
|
iaik.security.rsa.RSASignature,
iaik.pkcs.pkcs7.DigestInfo
|
C
|
Implemented countermeasure against RSA signature forgery attack by Daniel Bleichenbacher (see http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html)
|
|
iaik.security.spec.IaikPBEParameterSpec
|
B
|
Fixed constructor IaikPBEParameterSpec(ASN1Object) to work with other JCE frameworks
|
|
iaik.utils.Base64OutputStream, iaik.utils.PemOutputStream
|
C
|
flush: calls flush on original stream
|
|
iaik.utils.Util
|
NF
|
New method createCertificateChain to build a certificate chain from an arbitrary list of certificates
|
|
iaik.x509.X509Certificate, iaik.x509.X509CRL, iaik.x509.attr.AttributeCertificate, iaik.x509.ocsp.BasicOCSPResponse, iaik.x509.ocsp.OCSPRequest
|
B,C
|
sign: check if parameters shall be included in signature algorithm id encodings
|
|
iaik.x509.stream.X509CRLStream, iaik.x509.stream.RevokedCertificatesCRLListener
|
C
|
Improved handling of CRL entries to increase performance.
|
|
javax.crypto.Cipher
|
B
|
Fixed method getInstance for support of Cipher transformations with missing mode specification (e.g. "AES//PKCS5Padding")
|
IAIK-JCE 3.14 Final - 09. February 2006
|
|
Class or Package
|
Bug (B) / Change (C) / New Feature (NF)
|
Description and Examples
|
|
demo.RSAPssKeys,
demo.RSAOeapKeys
|
NF
|
Usage samples for the new RSA-PSS, RSA-OAEP key implementation (RFC 4055).
|
|
demo.x509.attr
|
NF
|
AttributeCertificateDemo (demonstrates how to use IAIK AttributeCertificate library
with PKIX standard attributes and extensions).
|
|
demo.x509.net.ldap
|
NF
|
LdapCertSearch, LdapCrlSearch, LdapAttributeCertSearch demos (command line utilities) using new IAIK LdapURLConnection for searching and downloading certificates, CRLs, attribute certificates from LDAP directories (require iaik_ldap, iaik_ldap_demo.jar (and JNDI) in your classpath).
|
|
demo.x509.ocsp
|
C
|
OCSPClient, HttpOCSPClient: target and issuer certificate now can be specified separately; jce.keystore not required by default.
|
|
iaik.asn1.ASN1
|
C
|
Decoding routine now ignores invalid characters
in base64 encoding; EOF exception is thrown if no data is available
from underlying input stream
|
|
iaik.asn1.DerInputStream
|
B, C
|
Fixed method available
|
|
iaik.asn1.structures.AccessDescription
|
NF
|
New constructors and methods allowing to get/set uri
accessLocation immediately as String.
|
|
iaik.asn1.structures.AlgorithmID
|
NF
|
New equals method allows optional parameter comparison.
|
|
iaik.asn1.structures.Attribute
|
C
|
Checks for multipleAllowed if an Attribute is added.
|
|
iaik.asn1.structures.DistributionPoint
|
NF
|
New loadCrl, loadCrlStream methods for downloading CRLs from http or ldap distribution points, e.g.:
DistributionPoint dp = ...;
X509CRL crl = dp.loadCrl();
New constructors and methods allowing to get/set uri distribution point names immediately as Strings, e.g.:
String crlUri = "http://ca.iaik.at/test.crl";
DistributionPoint dp = new DistributionPoint(new String[] { crlUri });
|
|
iaik.asn1.structures.Name
|
NF
|
Method insertRDNAt added.
|
|
iaik.iso.iso9796
|
NF
|
Signature engine and parameter base classes for the ISO 9796-2 signature schemes.
|
|
iaik.pkcs.pkcs1.RSACipher
|
C
|
Data can now also be provided via update calls.
|
|
iaik.pkcs.pkcs1.RSACipher
|
NF
|
Support for RSAES-OAEP keys according to RFC 4055; method setValidateAgainstOaepKeyParameters allows to decide whether to validate OAEP parameters
|
|
iaik.pkcs.pkcs10.CertificateRequest
|
C
|
Method sign: if the Signature engine creates parameters, they are set for the Signature AlgorithmID.
|
|
iaik.security.cipher
|
C
|
All Cipher engines now include the required padding length in the value returned by method getOutputSize (to be compliant with the JCE Cipher spec).
|
|
iaik.security.cipher.AESKeyWrap
|
NF
|
Implementation of the AES KeyWrap algorithm as specified
by RFC 3394.
|
|
iaik.security.cipher
|
NF
|
Added KeyGenerators for AES-192 and AES-256
|
|
iaik.security.cipher.GeneralKeyFactory
|
C
|
Method engineGenerateSecret: tries to create key of max/default/min length, if supplied KeySpec is of invalid length (required when called from KeyAgreement.engineGenerateSecret)
|
|
iaik.security.dh
|
NF
|
all DH, ESDH keys: improved serialization behaviour.
|
|
iaik.security.dsa
|
NF
|
DSA and RawDSA signature engines allow setting the SecureRandom by calling method setParameter, and support methods initSign(PrivateKey, SecureRandom) (>= JDK 1.2) and getParameters() (>= JDK 1.4).
|
|
iaik.security.provider.IAIK
|
NF, C
|
New improved provider registration workaround allowing to install the IAIK provider as first provider in the common way by calling Security.insertProviderAt(new IAIK(), 1) or statically register it as first provider in the java.security file.
A CertPath supporting CertificateFactory is automatically plugged in for JDK versions >= 1.4 (which may be required for jar file verification)
|
|
iaik.security.provider.IAIK
|
NF, C
|
added "NONEwithRSA" as alias for raw RSA signature (for JSSE 1.5
compatibility)
|
|
iaik.security.random
|
NF
|
RipeMd128Random added
|
|
iaik.security.rsa
|
NF
|
RSAPssPrivateKey, RSAPssPublicKey, RSAPssKeyFactory, RSAPssKeyPairGenerator:
Key, KeyFactory and KeyPairGenerator implementations for the RSASSA-PSS signature scheme
according to RFC 4055, support for RSASSA-PSS keys for PSS signature engines
|
|
iaik.security.rsa
|
NF
|
Added RSA based signature engines for all three ISO 9796-2 (2002) signature schemes
with hash algorithms SHA-1, SHA-256, SHA-384, SHA-512, RIPEMD-128, RIPEMD-160,
and mask generation function MGF1 (for signature schemes 2 and 3)
|
|
iaik.security.rsa
|
NF
|
RSAOaepPrivateKey, RSAOaepPublicKey, RSAOaepKeyFactory, RSAOaepKeyPairGenerator:
Key, KeyFactory and KeyPairGenerator implementations for the RSAES-OAEP encryption scheme
according to RFC 4055.
|
|
iaik.utils.CipherInputStream
|
B, C
|
Fixed method available
|
|
iaik.utils.PemOutputStream
|
C
|
Default line-break (till now System line.separator): CRLF according to PEM specification.
Added feature to allow setting the line-break to be used (in accordance with parent Base64OutputStream).
|
|
iaik.x509.CertificateFactory,
iaik.x509.qualified.QualifiedCertificateFactory
|
B, C
|
Internally uses collection vector to preserve the order
|
|
iaik.x509.CertificateFactory
|
NF
|
Now also can decode base64 encoded PKCS#7 and Netscape
cert lists; PkiPath decoding added
|
|
iaik.x509.X509Certificate
|
B
|
Fixed method getVersion which had returned 0 for
|
|
iaik.x509.X509Certificate
|
NF
|
New method getEmailAddresses to get all email addresses that may be included in a certificate.
|
|
iaik.x509.X509Certificate,
iaik.x509.X509CRL
|
C
|
Method sign: if the Signature engine creates parameters, they are set for the Signature AlgorithmID.
|
|
iaik.x509.X509CRL
|
B
|
Fixed version number setting when constructor X509CRL(ASN1Object) is used.
|
|
iaik.x509.X509CertificateFactory,
iaik.x509.X509CertPath
|
NF,C
|
CertPath supporting CertificateFactory; automatically plugged in for JDK versions >= 1.4 (which may be required for jar file verification)
|
|
iaik.x509.extensions.priv
|
NF
|
Added extension PublicServiceProvider ("Dienstleistereigenschaft") to be used within Austrian E-Government
|
|
iaik.x509.X509Extensions
|
C
|
add/getExtension: now allows extnValue to be empty OCTET STRING
|
|
iaik.x509.attr.AttributeCertificate
|
C
|
Method sign: if the Signature engine creates parameters, they are set for the Signature AlgorithmID.
|
|
iaik.x509.attr.AttributeCertificate
|
B
|
Method toString had dumped the MD5 fingerprint twice instead of the MD5 and SHA-1 fingerprints.
|
|
iaik.x509.attr.attributes
|
NF
|
Implementations of all mandatory IETF PKIX attributes from RFC 3281: Service Authentication Information, Access Identity, Charging Identity, Group, Role, Clearance
|
|
iaik.x509.attr.extensions
|
NF
|
Implementations of all mandatory IETF PKIX attribute certificate extensions from RFC 3281:
Audit Identity, No Revocation Available, TargetInformation, + optional extension ProxyInfo,
+ ITU-T AcceptableCertPolicies, BasicAttConstraints extensions
|
|
iaik.x509.net.ldap
|
NF
|
New class LdapURLConnection allowing to search LDAP directories
for certificates, attribute certificates, revocation lists in an easy way as
accustomed from the java.net URL framework, e.g.:
// register ldap protocol handler
System.getProperties().put("java.protocol.handler.pkgs", "iaik.x509.net");
// the ldap url
URL url = new URL("ldap://...");
// open connection
LdapURLConnection con = (LdapURLConnection)url.openConnection();
...
// set any request properties (if required)
...
// connect to the ldap server and read the result:
InputStream ldapIn = new BufferedInputStream(con.getInputStream());
// or:
X509Certificate[] certs = (X509Certificate[])con.getContent();
|
|
iaik.x509.ocsp.BasicOCSPResponse,
iaik.x509.ocsp.OCSPRequest
|
C
|
Method sign: if the Signature engine creates parameters, they are set for the Signature AlgorithmID.
|
|
iaik.x509.ocsp.OCSPRequest
|
B
|
Fixed NullPointerException in method toASN1Object.
|
|
iaik.x509.ocsp.net.HttpOCSPRequest
|
C
|
explicitly sets the Content-Length header field since JDK1.3 uses
"Content-length" which may cause problems with some
non http compliant OCSP servers that expect case sensitive header
fields
|
|
javax.crypto.CipherInputStream
|
B, C
|
Fixed method available
|