JCA/JCE 6.0

Added tighter length check to decode() method.

New methods added allowing to enable some tighter DER checks during decoding.

When parsing simple types now an Exception is thrown if constructed encoding has been used (can be switched off by ASN1String.setIgnoreConstructedEncodingForSimpleTypes(true);).

Method getRegisteredObjectID(String nameOrShortName) added allowing to query for an ObjectID based on its name or short name. Method getObject(String oid) now first looks for a registered ObjectID and creates a new one only if it cannot found a registered one.

Method getAlgorithmParameterSpec() also tries java.security.spec.PSSParameterSpec for RSA-PSS signature parameters and javax.crypto.spec.OAEPParameterSpec for RSA-OAEP encryption parameters. Method getRawImplementationName() returns RSAES-OAEP for rsaesOAEP AlgorithmID.

AlgorithmID for ChaCha20Poly1305 (1.2.840.113549.1.9.16.3.18) according to RFC 8103 added.

Added leading zero byte check to unpad().

Added message size check to rawCrypt().

Does not throw an exception anymore if the certificate chain of an key entry cannot be sorted, rather the given (maybe unsorted) certificate chain is used .

New method PKCS12KeyStore.setUSEJKSFallBack(boolean) allows to advise the PKCS12KeyStore to fall back to a JKS KeyStore to solve JSSE default KeyStore parsing problems.

Padding schemes do not give detailed error information anymore when they throw a BadPaddingException.

In CCM mode Ciphers now also can use method updateAAD to provide the additional authenticated (associated) data (if Java 7 or newer is used).
If associated data is specified by a CCMParameterSpec the associated data is also included in the parameters got from a CCM Cipher when calling ccmCipher.getParameters(). However, associated data that has been supplied by calling ccmCipher.updateAAD() is not included in the parameters got from a CCM Cipher when calling ccmCipher.getParameters().

Fixed GCM increment function in engineInit().

In CCM and GCM mode now a BadPaddingException (AEADBadTagException) instead of an IllegalBlockSizeException is thrown if the mac value is invalid.

Implements the AES Key Wrap with Padding Algorithm as specified by RFC 5649 allowing to also wrap keys with a size that is not a multiple of 64 bits (as extension to the AES Key Wrap algorithm specified by RFC 3394 that requires that the size of the to-be-wrapped key is a multiple of 64 bits).
RFC 5649 key wrap with padding can be used by either directly instantiating the RFC 5649 with padding Cipher, e.g.:

 Cipher cipher =  Cipher.getInstance("AESWrapWithPadding", "IAIK");

or by instantiating the AESWrap Cipher and specifying “RFC5649Padding” as padding mode:

 Cipher cipher = Cipher.getInstance("AESWrap/ECB/RFC5649Padding");

ChaCha20 now also may be initialized by an javax.crypto.spec.ChaCha20ParameterSpec (for Java 11 upwards).

Method checkKeyAndNonceReuse() added to decide whether to check if the Cipher is used for encryption again without re-initialization (default: true).

64 bit nonce not allowed anymore. Nonce must be 96 bits long. Block counter must be 0.

New AlgortihmParameterSpec class allowing to initialize a ChaChaPoly1305 Cipher engine for use with Cryptographic Message Syntax (CMS, RFC 8103).

Now also may be initialized by a ChaCha20Poly1305CMSParameterSpec to be used for Cryptographic Message Syntax (CMS, RFC 8103) where the mac is not appended to the cipher text and can be set/got by/from parameters.

Additional authenticated (associated) data now may be supplied only either by a ChaCha20Poly1305(CMS)ParameterSpec or by calling method updateAAD(). Using both alternatives simultaneously is not more allowed.
If associated data is specified by a ChaCha20Poly1305(CMS)ParameterSpec the associated data is also included in the parameters got from a ChaCha20Poly1305 Cipher when calling chacha20Poly1305Cipher.getParameters(). However, associated data that has been supplied by calling chacha20Poly1305Cipher.updateAAD() is not included in the parameters got from a ChaCha20Poly1305 Cipher when calling chacha20Poly1305Cipher.getParameters().

Fixed output size calculation.

Method checkKeyAndNonceReuse() added to decide whether to check if the CCM Cipher is used for encryption again without re-initialization (default: true).

checkKeyAndNonceReuse() by default set to true so that in GCM mode by default is checked if the Cipher is used for encryption again without re-initialization.

Method setUseJava7ApiByDefault() added allowing to decide whether to use the Java7 GCM API also when the Cipher has not been initialized with a javax.crypto.spec.GCMParameterSpec and no additional authenticated data (AAD) has been specified by Cipher.updateAAD() call(s).

MessageDigest engines implement the Cloneable interface.

Implements method clone().

Fixed index calculation in engineUpdate().

Fixed engineUpdate().

Static method setBufferMoreAEADCipherDataThanNecessary() added allowing to decide whether the IAIK AEAD Cipher engines/modes ChaCha20Poly1305, GCM and CCM shall buffer more than necessary cipher data during update() calls during decryption (e.g. for use with javax.crypto.CipherInputStream).

RSA key pair generators now support initialization by an RSAKeyGenParameterSpec.

Method checkObjectIDForAssociatedOIDs() added allowing to advise the RFC2253NameParser to also look in class ObjectID for (short)name – ObjectID associations if no one can be found in the internal RFC2253NameParser repository.

Added “title” to short name associations. Made associations_ table private.

Universal KeyStore utility for reading Java key stores without using a specific format.

Method createCertificateChain() now checks for authorityCertIssuer and authorityCertSerialNumber if the AuthorityKeyUdentifier extension does not contain the keyIdentifier field.

When decoding a private or public key method decodeKey() does not throw a NoSuchAlgortihmException anymore if no KeyFactory is available for the particular key algorithm. Rather a iaik.pkcs.pkcs8.RawPrivateKey or iaik.x509.RawPublicKey is returned.

Fixed toASN1Object().

Removed short name “T” from ObjectID.title since not RFC2253/4514 compliant. If required it can be registered again by:

new ObjectID(ObjectID.title.getID(), ObjectID.title.getName(), "T");

Now also can be used with javax.crypto.spec.OAEPParameterSpec (for JDK >= 1.5).

Static method setUseSHA1ForMGF1WithJCAStandardName() allowing to configure the IAIK provider to use SHA-1 for MGF1 anytime the hash algorithm name is specified in the padding scheme name when creating a RSA-OAEP cipher:

Cipher cipher = Cipher.getInstance(("RSA/ECB/OAEPWithSHA256AndMGF1Padding", "IAIK");

By default the IAIK provider uses the same hash algorithm for both the RSAES-OAEP en/decryption scheme as well as the MGF1 mask generation function. However, the SunJCE provider uses SHA-1 as hash algorithm for the MGF1 mask generation regardless of which hash algorithm is specified in the padding scheme name. When calling

RSAOaepParameters.setUseSHA1ForMGF1WithJCAStandardName(true);

the IAIK provider may be configured to behave as the SunJCE provider.

Fixed init(int opmode, Key key, AlgorithmParameterSpec params) to internally use a new AlgorithmParameters object to allow re-initialization with a PBEParameterSpec object.

Default key size changed to 2048 bits; pre-generated parameters from RFC 2409/3526/7919.

Method validatePublicKey() adopted from ESDHPubliKey. Now automatically called in (ES)DHKeyAgreement.doPhase() and need not to be called explicitly anymore.

Added support for blinding for DSA signing operations as countermeasure against timing attacks. Blinding is enabled by default but can be disabled by calling DSA.setUseBlinding(false). Checks for hash algorithm security strength compliance during signature generation.

Default key size changed to 2048 bits, maximum bit size changed to 3072 bits (FIPS 186-3 for 2048 and 3072 bit keys). Default key size can be set back to 1024 bit by calling DSA.setUseBachwardsCompatibilityMode(true).

Can only more use to generate parameters up to p size of 1024. A SHA2withDSAParameterGenerator may be used for generating parameters for 2048 or 3072 bit keys.

Default key size of RSA key pair generators changed to 2048 bits.

get*Instance() now search for an implementation based on the JCA standard name, too.

AlgorithmID.rsassapss: By default absent parameters will not be encoded as NULL anymore.

toASN1Object(): Fixed pSouceAlgorithm default parameter check.

setCipherProvider(): Fixed cipher provider setting in DECRYPT_MODE.

getInstance() uses lazy initialization holder class idiom to create static IAIK instance

Implementation of the ChcCha20Poly1305 AEAD cipher according to RFC 8439

Implementation of the Poly1305 message authentication algorithm according to RFC 8439

If no parameters are included the parameters field will be absent from the AlgorithmID encoding (not encoded as NULL anymore).

Implements a “subsidiary” provider for the IAIK provider for fixing a JSSE MessageDigest Cloneable bug. Some versions of JSSE (e.g. Java 11) may contain a bug (https://bugs.openjdk.java.net/browse/JDK-8214098) that may cause a TLS handshake to fail with an UnsupportedOperationException if a MessageDigest engine is used that implements the Cloneable interface and is extended from the java.security.MessageDigest class.
The IAIK-MD provider contains MessageDigest engines for the message digest algorithms commonly used by JSSE for TLS (“MD5”, “SHA”, “SHA-256”, “SHA-384”) by wrapping around the corresponding MessageDigest implementations of the IAIK provider but extending from the MessageDigestSpi class and therefore allows to use the IAIK provider with affected JSSE versions when installing thisIAIK-MD provider as first provider in front of the IAIK provider:

Security.insertProviderAt(new IAIKMD(), 1);
Security.insertProviderAt(new IAIK(), 2);

Allows line wrapping after RDN or AVA separator character (according to RFC 4514).

Method verify(PublicKey key, Provider provider) does not throw a NoSuchProviderException anymore.

Fixed possible NullPointer problems during finalization.

New method checkForMinumumLengthEncoding(boolean) allowing to en/disable checking INTEGER encodings for being encoded in the minimum number of octets (as required by BER/DER).

Now supports UTF-8 en/decoding of supplementary Unicode characters represented as character pairs (high surrogate, low surrogate).

Method getRawImplementationName() now also tries to get the “raw” name for signature algorithms names (e.g. “RSA” for “SHA1withRSA”).

Method getAlgorithmParameterSpec() now also tries to get an AlgorithmParameters implementation for the raw implementation name.

Registered DSA/ECDSA SHA*, SHA3* based signature algorithms to not include parameters when used in PKIX certificate, crl, etc. objects.

Now also can be used with java.security.spec.PSSParameterSpec (for JDK >=1.5).

Fixed OneAsymmetricKey attributes and publicKey fields to use implicit tagging. Parse optional attributes and publicKey fields before calling deocde() of key algorithm implementing child class.

Added implementation of deterministic signing according to RFC 6979:

Signature dsa = Signature.createInstance(“…withDSA”, IAIK.getInstance());
dsa.setParameter(new DetSigDSAParameterSpec());
dsa.initSign(…);
…

Added method isValidSP80089SignatureVerificationKey() to check if the public DSA/RSA key is applicable for signature verification according to NIST SP 800-89.

engineSetParameter: do not throw InvalidAlgorithmParameterException if params are null (to avoid JCE jar file verification problems with Java 11)

Added aliases “PBEWithHmacSHA1AndAES_128”, “PBEWithHmacSHA256AndAES_128”, “PBEWithHmacSHA384AndAES_192”, “PBEWithHmacSHA512AndAES_256” to the PBES2 cipher implementations according to the JDK Standard Algorithm Names conventions.

Registered Cipher name based PKCS#5, PKCS#12 SecretKeyFactories for PBE ciphers (instead of general “PBE” SecretKeyFactories).

Changed java.version check use CertificatePath supporting (X509)CertificateFactory implementation on Android, too.

New method HttpURLConnection openConnection(URL responderUrl) allowing an application to configure the HttpURLConnection object (e.g. setting read/connect timeout).

Added SHA-3 based DSA Signature engine classes.

Fixed adding of entries to v0 IAIKKeyStores.

Fixed alias for “RipeMd256withRSA” to actually refer to the “RIPEMD256/RSA” signature algorithm.

Throughout support for using the IAIK provider without the necessity
of installing it within the JCA/JCE Security framework:

• Replaced any internal IAIK provider name based JCA/JCE Engine instantiation (<Engine>.getInstance(algorithm, “IAIK”);)
  by IAIK provider object based instantiation
  ( <Engine>.getInstance(algorithm, IAIK.getInstance();)
• Preceded any internal general (provider-less) JCA/JCE Engine instantiation (<Engine>.getInstance(algorithm))
  by an IAIK provider object based instantiation.
• Added Provider object based methods to classes that already contain
  Provider name based methods, e.g.AlgorithmID.getSignatureInstance(Provider),X509Certificate.sign(AlgorithmID, PrivateKey, Provider),X509Certificate.verify(PublicKey, Provider), etc., including
  the javax_crypto.jar JCE engines like Cipher.getInstance(String, Provider).

New method getJcaStandardName() that returns the JCA standard
name for the algorithm id. Since JCA standard algorithm names have been changed over time a JCA standard algorithm name may be different to the implementation name for the same algorithm id. For backwards compatibility method getImplementationName() continues to return the implementation name used by IAIK-JCE so far, whereas this method returns the algorithm name defined by the JCA specification. The JCA standard name is now also returned by the getSigAlgName() method of classes X509Certificate, X509CRL, AttributeCertificate and ACRL.

Enhanced PrivateKeyInfo about optional attributes and publicKey fields according to RFC 5958 OneAsymmetricKey syntax. Added implementation about RFC 5958 AsymmetricKeyPackage type.

Creates random iv (instead of default iv of all zeros as specified by BSI standard) if iv is not explicitly specified.

GCM mode now also supports the JDK GCM Cipher API introduced by Java7
using javax.crypto.spec.GCMParameterSpec to specify nonce and mac length parameters and Cipher.updateAAD() to set the additional authenticated data (AAD). The mac value is appended to the cipher text.

Fixed GCM increment function.

New method checkKeyAndNonceReuse allowing to enable a check that a GCM Cipher is not reused for encryption a second time without re-initialization (to ensure that same key and nonce pair are used again).

When having parsed CCM/GCMParameters that do contain a default aes-ICVlen (macLength) component (12) the aes-ICVlen (macLength) component is also included when encoding the parameters again. New static method setIncludeDefaultMacLengthInEncding added allowing to decide to include a default macLength component anytime when encoding CCM/GCM parameters (may be required for compatibility reasons).

Added SHA-3 based DSA Signature engines: “SHA3-224withDSA”, “SHA3-256withDSA”, “SHA3-384withDSA”, “SHA3-512withDSA”.

Added aliases “AES_128” “AES_192”, “AES_256”, “AESWrap_128”, “AESWrap_192”, “AESWrap_256”, “Camellia_128” “Camellia_192”, “Camellia_256”, “CamelliaWrap_128”, “CamelliaWrap_192”, “CamelliaWrap_256” according to the JDK Standard Algorithm Names conventions.

Uses stronger algorithms for mac calculation and encryption (HmacSHA3-512, AES 256 bit) and increased salt and iteration count values. Reading of old format still supported. Now keeps encoded certificate representation to avoid de-re-encoding issues.

Uses iaik.x509.X509CertificateFactory as default CertificateFactory.

Added SHA-3 based HMAC Mac and KeyGenerator engines:
“HmacSHA3-224”, “HmacSHA3-256”, “HmacSHA3-384”, “HmacSHA3-512”

Added SHA-512/224, SHA-512/256 based HMAC Mac and KeyGenerator engines: “HmacSHA512/224”, “HmacSHA512/256”

Added SHA-3 based RSASSA-PKCS1-v1_5 Signature engines:
“SHA3-224withRSA”, “SHA3-256withRSA”, “SHA3-384withRSA”, “SHA3-512withRSA”.
Added SHA-3 based RSASSA-PSS Signature engines: “SHA3-224withRSAandMGF1”, “SHA3-256withRSAandMGF1”,
“SHA3-384withRSAandMGF1”, “SHA3-512withRSAandMGF1”.

Added SHA-512/224, SHA-512/256 based RSASSA-PKCS1-v1_5 Signature engines: “SHA512/224withRSA”, “SHA512/256withRSA”.
Added SHA-512/224, SHA-512/256 based RSASSA-PSS Signature engines:
“SHA512/224withRSAandMGF1”, “SHA512/256withRSAandMGF1”.

Skips secret key entries. Now uses keystore entry alias as file name
because alias must be unique for each entry.

CertificateFactory implementation for parsing attribute certificates and ACRLs added.

CertPath supporting QualifiedCertificateFactory added.

jar files signed with old (for supporting old DSA JCE Root CA) and new (for supporting new RSA JCE Root CA) IAIK-JCE provider certificates. The new certificate provides a stronger protection (SHA256withRSA) than the old one (SHA1withDSA). The new JCE Root CA is effective for Java versions 8u121, 7u131, 6u141 upwards. To support other (former) Java versions the
jar files must be signed with the old provider certificate, too.

Added AlgorithmIDs and aliases (2.16.840.1.101.3.4.3.3, 2.16.840.1.101.3.4.3.4) for the dsaWithSHA384 and dsaWithSHA512 signature algorithms.

Fixed milli seconds representation when creating a ChoiceOfTime object of type GeneralizedTime from a Date object.

Fixed internal buffering and input length calculation for CCM mode.

Implementation of the BSI TR-03109-1 AES-CBC-CMAC authenticated encryption cipher family (ciphers, key generators, algorithm parameters, secret key
factories)

Fixed default encoding (to not include aes-ICVlen component if default length (12) is used).

Implementation of the ChaCha20 stream cipher as specified by RFC 7539.

Added method getAlgorithm() to also can be called when creating the SecureRandom object in the old way by using the PRNG class constructor (and not calling SecureRandom.getInstance()).

Fixed to actually use HMacSHA384 (used HMacSHA512 so far when creating the HMacSHA384SP80090Random object in the old way by using its constructor).

Synchronized engineGetBytes, engineSetSeed
to avoid synchronization issues with jdk versions >=8u112.

Method getChallenge() added to get the challenge from the request. Constructors/methods added allowing to create and sign a NetscapeCertRequest from scratch.

Implementation of the ETSI EN 319 412-5 QcType QCStatementInfo for declaring the type(s) of EU qualified certificates.

Added hexadecimal representation to serial number output of toString() method.

Changed toString method to output the crl number in hexadecimal representation.

Shows usage with non-default OAEP parameters. Now uses standard RSA-OAEP algorithm oid.

Default ASN.1 types are now registered by their class name to avoid static initialization dependencies.

Method readEncoded allowing to read the encoding of an ASN.1 object from a stream without keeping the internal ASN.1 structure in memory.

Fixed NULL/absent parameter handling when parsed from an InputStream ( AlgorithmID(DerInputStream)).

Tighter explicit text check.

Made unpadding more time constant.

When Cipher is used in ENCRYPT mode for signature creation with CRT keys the signature value is verified as countermeasure against RSA CRT key leaks. The check can be disabled by new static method RSACipher.setDoVerifyCRTSignature(false);. The check is not performed for PSS signatures since they are not deterministic.

Fixed pSourceAlgorithm DEFAULT parameter check.

When init from encoding ( init(byte[] params)) the encoded parameters are kept to be returned unchanged when getEncoded() is called.

Check for right label encoding.

MessageDigest engines for the NIST FIPS PUB 202 Secure Hash Algorithm 3
(SHA-3) Hash Functions added (SHA3-224, SHA3-256, SHA3-384, SHA3-512) added

InputStream implementations for the NIST FIPS PUB 202 Secure Hash Algorithm 3
(SHA-3) Extendable Output Functions (XOFs) SHAKE128, SHAKE256 added

Fixed possible NullpointerException in method toString.

Fixed possible NullpointerException in method setSignature.

connect: if readTimeOut is set, register it also as JNDI com.sun.jndi.ldap.read.timeout environment property.

Method engineLoad now checks unencrypted AuthenticatedSafe objects for CertificateBags, too

BasicOCSPResponse, SingleResponse, RevokedInfo, ArchiveCutoff: milliseconds are not included in GeneralizedTime encodings for compatibility to RFC 6960

Method equals does not check the ASN.1 String type anymore; only the value is compared

Changed default content encryption algorithm parameter management for EncryptedContentInfo, EnvelopedData and SignedAndEnvelopedData to try to get algorithm specific parameters from the content encryption algorithm id

Added SignedAndEnvelopedDataStream(InputStream is, AlgorithmID contentEA, int keyLength)
constructor.

Changed SignedAndEnvelopedData(byte[] content, AlgorithmID contentEA, int version)
constructor to SignedAndEnvelopedData(byte[] content, AlgorithmID contentEA, int keyLength).

For backwards compatibility to prior versions the keyLength parameter is interpreted as version if it has one of the two only possible version values 1 (default; indicating a PKCS#7v1.5 SignedAndEnvelopedData) or 2 (indicating a PKCS#71.6 SignedAndEnvelopedData).

Added SignedAndEnvelopedData(byte[] content, AlgorithmID contentEA, int keyLength, int version) constructor.

When searching for the certificate that belongs to the private key and no match is found between the localeKeyId attribute of the KeyBag and the lokaleKeyId attribute of any CertBag, the friendlyName attribute is checked, if present. Also the friendlyName is checked if more than one CertBag has the same localKeyId as the KeyBag.

Support for setting/getting of certificate (trust) entries.

New static method setCopyCipherData(boolean) allows to decide whether to internally copy cipher data when Cipher encryption/decryption uses the same array for input/output (default: false).

Method setDefault sets the provided class also as default VarLengthSeedGenerator, if applicable

Fixed DigestInfo prefix (length) encoding.

If GeneralizedTime is used, milliseconds are not included in the encodings of X.509 types
X509Certificate, X509CRL, RevokedCertificate, InvalidyDate, PrivateKeyUsagePeriod,
AttributeCertificate

jar files signed with new JCE code signing certificate.

Included jar file versions containing the “Trusted-Library=true”
manifest attribute to may be used for avoiding problems due to JDK
requirements when mixing signed/privileged with unsigned/sandbox code
(especially when used with Java(TM) WebStart, applets and JavaScript)

Fixed push back handling in decoding routine.

forceImplicitlyTagged: workaround trying to handle
falsely explicitly tagged simple components when implicit tagging
is required.

Registered java.security.spec.DSAParameterSpec as
AlgorithmParamaterSpec class for DSA* AlgorithmIDs.

Method getAlgorithmParameterSpec(Class parameterSpecClass, String provider) again does not throw an InvalidAlgorithmParameterException if parameterSpecClass is not specified. Rather it returns null in this case to avoid problems due to missing parameter implementation registration.

Added some MessageDigest aliases (OIDs).

Signature engines now extended from java.security.SignatureSpi
to support delayed provider selection.

Fixed signature verification.

Improved extensions memory management to support,
e.g. bigger CRLs with class X509CRL when revocation
entries contain some (especially only the ReasonCode) extension(s))

Added tsl-signing key purpose id (0.4.0.2231.3.0) as
specified by ETSI TS 102 231 V3.1.2 for the purpose of signing
Trust-service Status Lists

Aligned with new OCSP version (RFC 6960); added implementation
of ExtendedRevoked response and PreferredSignatureAlgorithms
request extensions

Added the COSINE LDAP/X.500 Schema attribute personalTitle,
“0.9.2342.19200300.100.1.40” from RFC 4525.

Added method setDefaultEncodeAbsentParametersAsNull allowing to change the default behaviour for encoding absent AlgorithmID parameters as ASN.1 NULL or omitting the parameters field.

Added AlgorithmIDs and OID aliases for HMAC/SHA224, HMAC/SHA256, HMAC/SHA384,
HMAC/SHA512 according to RFC 4231.

Added additional implementation names for some AlgorithmIDs.

Changed default implementation names for: sha1WithRSAEncryption
(from “SHA/RSA” to “SHA1/RSA”), cms_aes192_wrap
(from “AESWrapAES” to “AES192WrapAES192”),
cms_aes256_wrap (from “AESWrapAES” to “AES256WrapAES256”),
,camellia_aes192_wrap (from “CamelliaWrapCamellia” to
“Camellia192WrapCamellia192”), camellia_aes256_wrap
(from “CamelliaWrapCamellia” to “Camellia256WrapCamellia256”).

Changed OID of AlgorithmID.dsaWithSHA1 from 1.3.14.3.2.27 to 1.2.840.10040.4.3.
AlgorithmID for 1.3.14.3.2.27 now is AlgorithmID.dsaWithSHA1_, but deprecated.
AlgorithmID.dsa_With_SHA1 (1.3.14.3.2.13) also marked as deprecated.

Added parameter implementation and (parameter based) pseudorandom function agility for PKCS#5 PBKDF2 key derivation function.

Added PBKDF2 KeyGenerator engines for HmacSHA1,
HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512:

KeyGenerator.getInstance(“PBKDF2WithHmacSHA1”, “IAIK”);
KeyGenerator.getInstance(“PBKDF2WithHmacSHA224”, “IAIK”);
KeyGenerator.getInstance(“PBKDF2WithHmacSHA256”, “IAIK”);
KeyGenerator.getInstance(“PBKDF2WithHmacSHA384”, “IAIK”);
KeyGenerator.getInstance(“PBKDF2WithHmacSHA512”, “IAIK”);

New method setDefault() allowing to set a RSACipherProvider to be used as default.

PrivateKeyInfo.getPrivateKey() now returns a generic RawPrivateKey object if no specific KeyFactory is available for the private key algorithm. The RawPrivateKey allows to get some information about the key (algorithm, encoding).

Fixed parameter decoding (optional iv)

Added Cipher engine and parameter implementation for the PKCS#5 PBES2 password based encryption scheme.

Cipher.getInstance(“PBES2”, “IAIK”);

Now first try to get PBE AlgorithmParameters from provider IAIK.

Added PBBES2 Cipher engines for HmacSHA1 and AES, HmacSHA256 and AES, HmacSHA384 and AES192, HmacSHA512 and AES256, HmacSHA1 and DESede:

Cipher.getInstance(“PBES2WithHmacSHA1AndAES”, “IAIK”);
Cipher.getInstance(“PBES2WithHmacSHA256AndAES”, “IAIK”);
Cipher.getInstance(“PBES2WithHmacSHA384AndAES192”, “IAIK”);
Cipher.getInstance(“PBES2WithHmacSHA512AndAES256”, “IAIK”);
Cipher.getInstance(“PBES2WithHmacSHA1AndDESede”, “IAIK”);

Fixed algorithm name check in equals method

Default iteration count for encryption set to 2000

Changed default PRNG to SHA256FIPS186Random

Registered the COSINE LDAP/X.500 Schema attribute personalTitle,
OID “0.9.2342.19200300.100.1.40” from RFC 4525.

New method setDefaultRFC2253StringEscaping allowing to set the default escaping mechanism (strict or non strict) for RFC2253 String representations of Name, RDN and AVA objects.

Now really converts one KeyStore to another (and not dumps the contents as the DumpKeyStore utility).

getUTF8EncodingFromString, getUTF8EncodingFromCharArray, getCharFromUTF8Array now also use UTF8CodingException instead of general CodingException.

PublicKeyInfo.getPublicKey() now returns a generic RawPublicKey object if no specific KeyFactory is available for the public key algorithm. The RawPublicKey allows to get some information about the key (algorithm, encoding).

Attribute Certificate implementation aligned with new PKIX specification (RFC 5755); Cleareance components are no more tagged when building their ASN.1 representation

Added implementation of the ETSI EN 319 412-5 QcEuPDS QCStatementInfo
for pointing to a Policy Disclosure Statement (PDS)

According to OCSP spec clarification about the ASN.1 syntax of the Nonce extension, the Nonce value is wrapped into an ASN.1 OCTET STRING before putting it into the OCSP Extension extnValue OCTET STRING; new method Nonce.setWrapNonceValue(false); allows to fall back
to old behaviour (not wrapping the Nonce value)

postRequest: accept application/ocsp-response with parameters in content-type header, too.

fixed performance regression of AES-GCM/CCM in combination with the AES addon in Windows

improved password strength computation

overall stability improvements

new IAIK-JCE addon that comes with native support for Intel’s AES-NI instruction

added SHA-3 candidate message digest algorithms:

• BLAKE-224, BLAKE-256, BLAKE-384, and BLAKE-512,
• Groestl-224, Groestl-256, Groestl-384, and Groestl-512,
• JH-224, JH-256, JH-384, and JH-512,
• KECCAK-224, KECCAK-256, KECCAK-384, and KECCAK-512, as well as
• Skein-224, Skein-256, Skein-384, and Skein-512

added GOST-3411 message digest algorithm

added new SHA-512 based message digest algorithms: SHA-512/224, and SHA-512/256

added GOST-3411 HMAC algoritm

added password store

added password generator class

added password strength checker (requires JDK1.4 or higher)

fixed inconsistency with smallest key sizes in RSAKeyPairGenerator

fixed parsing of hex pair escape sequence

implementation of the CBC MAC algorithm for AES, DESede, DES according to ISO/IEC 9797-1

added set/getCrlNumber methods allowing to set/get the crl number as BigInteger

SHA/SHA-1 algorithm/implementation name changed to SHA1

JDK 1.1.x is no longer supported. Supported Java version are 1.2, 1.3, 1.4, 1.5 (5.0), 1.6 (6.0), 1.7 (7.0)) and compatible.

overall performance improvements (e.g. of hash functions, ciphers, etc.)

now security-critical parts of the library use safe comparisons in order to prevent timing attacks (so for example GCM and CCM)

method encode implemented

performance improvements affecting repeated invocations of Cipher.doFinal()

– up to 3.52 times higher throughput of the GCM mode (on 32-bit Windows systems) compared to version 3.181

– up to 2.11 times higher of GCM mode (on 64 bit systems) compared to version 3.181 (on 64 bit systems)

– fixed wrong computation of maximum input length, and

– 8% higher throughput on 64-bit systems

method engineLoad() throws IOException if a null password has been
specified and also tries to verify the MAC if a zero-length password has been specified

– up to 63% higher throughput of RipeMd128 on 32-bit systems (depending on the input length),

– up to 55% higher throughput of RipeMd160 on 32-bit Windows systems (depending on the input length),

new message digests: RipeMd256 and RipeMd320

new PRNG registrations:

– SHA1PRNG, SHA256PRNG, SHA384PRNG, SHA512PRNG, MD5PRNG, RipeMd128PRNG, RipeMd160PRNG, WhirlpoolPRNG,

– SHA1PRNG-FIPS, SHA256PRNG-FIPS, SHA384PRNG-FIPS, SHA512PRNG-FIPS, RipeMd160PRNG-FIPS (FIPS-186-2 PRNGs),

– 3DESPRNG (corresponds to ANSIRandom class),

– SHA1PRNG-SP80090, SHA224PRNG-SP80090, SHA256PRNG-SP80090, SHA384PRNG-SP80090, SHA512PRNG-SP80090 (new hash based NIST SP800-90 PRNGs),

– HMacSHA1PRNG-SP80090, HMacSHA224PRNG-SP80090, HMacSHA256PRNG-SP80090, HMacSHA384PRNG-SP80090, HMacSHA512PRNG-SP80090 (new HMAC based NIST SP800-90 PRNGs),

– AES128PRNG-SP80090, AES192PRNG-SP80090, AES256PRNG-SP80090 (new block cipher based NIST SP800-90 PRNGs),

as well as new RSA key pair generator registrations:

– RSA-FIPS, RSA-OAEP-FIPS, RSA-PSS-FIPS

Method addAsJDK14Provider() deprecated; IAIK provider can be added as first provider by calling

IAIK.addAsProvider or Security.insertProviderAt(new IAIK(), 1);

Since JDK 1.1 compatiblity is no more required, registration of algorithm engines can be done
as privileged action

transition to the SecureRandom framework. Now, SecureRandom instances can (and should) be obtained using SecureRandom.getInstance().

Code sample:

SecureRandom random = SecureRandom.getInstance(“SHA1PRNG”, “IAIK”);
byte[] bytes = new byte[8];
random.nextBytes(bytes);

new NIST SP800-90 pseudo-random number generators based on

– SHA1

– SHA-224

– SHA-256

– SHA-384, and

– SHA-512

added.

new NIST SP800-90 pseudo-random number generators based on

– HMac/SHA1

– HMac/SHA-224

– HMac/SHA-256

– HMac/SHA-384, and

– HMac/SHA-512

added.

new NIST SP800-90 pseudo-random number generators based on

– AES-128

– AES-192

– AES-256

added.

Method SecRandom.setDefault(Class) is now deprecated; use SecRandom.setDefault(String) instead

new RSA signature class based on RipeMd256: RipeMd256RSASignature

Code sample:

Signature sig = Signature.getInstance(“RipeMd256withRSA”, “IAIK”);
…
sig.update(data);
byte[] signature = sig.sign();

the key pair generation is now based on IEEE P1363.

the key pair generation of the OAEP key pair generator is now based on IEEE P1363.

the key pair generation of the Pss key pair generator is now based on IEEE P1363.

new key pair generator that is based on the FIPS-186-3 standard.

OAEP key pair generator that is based on the new FIPS-186-3 key pair generator.

PSS key pair generator that is based on the new FIPS-186-3 key pair generator.

Verification now checks both absent and NULL digest algorithm parameters.

performance improvements of several central methods (note that this also affects the overall performance)

performance improvements of several central methods (note that this also affects the overall performance)

new method overloads: many important helper methods are now not only availaible for the datatype byte[], but also for the datatypes int[] and long[]

two new secureEqualsBlock methods that provide a timing-attack-resistant way to compare two byte arrays.

new addModBlockSize method that allows the addition of two blocks modulo a specific blocksize.

millerRabin is now implemented according to IEEE P1363.

New method getRawExtensionValue to get the raw DER encoded extension (not wrapped into an OCTET STRING)

Where possible Hashtables are replaced by HashMaps to increase
access performance in multithreaded environments; for
JDK 1.1.x a new jdk11x_update.jar version must be used

Support for the CamelliaKeyWrap algorithm for wrapping Camellia Camellia content encryption keys with Camellia key encryption keys according to RFC 3657 added.

Support for the HMACwithAESwrap algorithm for wrapping HMAC message authentication code keys
with a AES key encryption keys according to RFC 3537 added.

addCertificate(AttributeCertificate cert, Date revocationDate): Use critical CertificateIssuer
extension for indirect CRL entries.

listCertificates: the order in the Enumeration of revocation entries reflects the structure of the crl (for each certificate issuer of an indirect crl the first RevokedCertificate contains the CertificateIssuer extension with the name of the certificate issuer)
getRevokedCertificates: the Set of revocation entries does not reflect the order; threfore each RevokedCertificate that represents an indirect crl entry contains the CertificateIssuer extension with the name of the corresponding certificate issuer

addExtension: now throws an IllegalArgumentException when trying to add a critical/non critical
extension if an extension with contrarian (non critical / critical) state has been already added;
getExtensionValue: does not clear existing ObjectID name / short name registration anymore

contains a simple (Hashtable based and therefore still access synchronized) HashMap implementation to allow JDK independent use of HashMaps