JCA/JCE

JCA/JCE 6.1

The IAIK Provider for the Java™ Cryptography Extension (IAIK-JCE) is a set of APIs and implementations of cryptographic functionality, including hash functions, message authentication codes, symmetric, asymmetric, stream, and block encryption, key and certificate management. It supplements the security functionality of the default JDK.

Main Features

  • Extensive Security Provider
  • Built-in ASN.1 library
  • Support for many PKCS standards
  • X.509 certificate and CRL handling for building PKI solutions
  • LDAP certificate/CRL search utilities
  • Secure random number generators
  • Comprehensive API documentation and many demo samples


Pricing and Licensing

For current prices of IAIK-JCE, please see our price list and license conditions. IAIK-JCE is free for educational and research purposes, please see our educational/research license conditions.


Documentation

For more information please visit:

Javadoc

IAIK-JCE works on any Java™ version starting with JDK 1.2 up to the most recent versions.
IAIK-JCE comes with its own security provider offering a great variety of cryptographic services, algorithms and secure random number generators. The X.509 package supports X.509 public key, qualified and attribute certificates, revocation information handling via CRLs and OCSP, and searching and downloading certificates or CRLs from LDAP directories. Comprehensive ASN.1 and PKCS APIs allow easy modelling of ASN.1 structures, secure storage of sensitive keying and data material, and signing or encrypting digital documents. An extensive demo source library makes it easy to become familiar quickly with cryptography for the Java™ platform and IAIK-JCE.

Since IAIK-JCE version 5.0 an optional AES addon has been available which uses the AES-NI instruction set extension of modern x86 CPUs. With this addon AES throughput increases substantially; see the speed tables below for the difference. Note that the published tables show the gain for AES-CBC only; the AES-GCM and AES-CCM rows are essentially unchanged with the addon.

The IAIK provider

The provider architecture was introduced by the Java™ Cryptography Architecture (JCA), making it possible for different cryptographic implementations to operate behind common interfaces (consult the Java™ Cryptography Architecture API Specification & Reference).

The term provider is an abbreviation for Cryptographic Package Provider and denotes a package or a set of packages supplying concrete implementations of some cryptographic services of the Java™ Cryptography API (see JCA). A JCA provider may realise implementations of digital signature, message digest and key pair generation algorithms, certificate factories and keystores. If the JCA API is extended by the Java™ Cryptography Extension (JCE) API, a provider may also implement encryption, message authentication and key exchange algorithms.

The master class of the IAIK security package provider is class IAIK of package iaik.security.provider. It extends class java.security.Provider and registers the IAIK provider's cryptographic implementations within the Java™ cryptography architecture. The IAIK provider supports both algorithm implementations for JCA and for the JCE extension (see below).

The IAIK provider contains the following JCA implementations (follow this link for a detailed list):

Message Digest Algorithms

SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA512/224, SHA512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512;

SHA3 Extendable Output Functions (XOFs): SHAKE128 (SHAKE128InputStream), SHAKE256 (SHAKE256InputStream)

Groestl-224, Groestl-256, Groestl-384, Groestl-512
BLAKE-224, BLAKE-256, BLAKE-384, BLAKE-512
Keccak-224, Keccak-256, Keccak-384, Keccak-512
JH-224, JH-256, JH-384, JH-512
Skein-224, Skein-256, Skein-384, Skein-512
MD2, MD5
RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320
WHIRLPOOL
GOST-3411

Signature Schemes

PKCS#1 version 1.5 RSA with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA512/224, SHA512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, MD2, MD5, RIPEMD-128, RIPEMD-160, RIPEMD-256, WHIRLPOOL; raw RSA with external hashing
PKCS#1 version 2.1 RSA PSS with SHA-1, SHA-256, SHA-384, SHA-512, SHA512/224, SHA512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, MD2, MD5, RIPEMD-128, RIPEMD-160, WHIRLPOOL; raw RSA PSS with external hashing
Support for RSASSA-PSS keys according to RFC 4055
ISO 9796-2 (2002) RSA with SHA-1, SHA-256, SHA-384, SHA-512, RIPEMD-128, RIPEMD-160, WHIRLPOOL; raw RSA with external hashing
SSL/TLS RSA signature with MD5 and SHA-1
DSA and DSA with external hashing; DSA with SHA-1, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512

Key Pair Generators

RSA and RSASSA-PSS (IEEE P1363 and FIPS 186-3)
DSA, SHA1withDSA, SHA224withDSA, SHA256withDSA

Key Factories

RSA, RSASSA-PSS
DSA, SHA1withDSA, SHA224withDSA, SHA256withDSA

Algorithm Parameter Generators

DSA, SHA1withDSA, SHA224withDSA, SHA256withDSA

Algorithm Parameters

DSA, SHA1withDSA, SHA224withDSA, SHA256withDSA
RSAPkcs15 (raw), RSASSA-PSS
ISO9796-2-RM
MGF1

Key Stores

IAIKKeyStore
PKCS#12

Certificate Factories

X.509
Qualified
X.509 AC (Attribute certificate factory)

Mask Generation Functions

MGF1

Secure Random Generators

NIST SP800-90 with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, HMAC/SHA-1, HMAC/SHA-224, HMAC/SHA-256, HMAC/SHA-384, HMAC/SHA-512, AES-128, AES-192 and AES-256
FIPS 186 with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, RIPEMD-160
BSI AIS 20 (v2.0) E5 with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, MD5, RIPEMD-128, RIPEMD-160, WHIRLPOOL
ANSI X9.17

See here for a detailed list of the JCA implementations of the IAIK provider.
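An added example, not code from the IAIK-JCE distribution: registering the IAIK provider and then addressing it by name through the standard JCA interfaces. It generates an RSA key pair seeded from the SP800-90 HMAC/SHA-256 DRBG listed under Secure Random Generators (standard name HMacSHA256PRNG-SP80090 in the random generator table further down this page) and produces and checks a PKCS#1 v1.5 SHA256withRSA signature. Naming the provider in every getInstance() call is the point: without it the JVM serves the request from the first registered provider that offers the algorithm, which may not be the one you reviewed. Apart from iaik.security.provider.IAIK and the algorithm names on this page, everything used is JDK API.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import iaik.security.provider.IAIK;

/**
 * Registers the IAIK provider and uses it through the plain JCA interfaces.
 * Every getInstance() names the provider, so the JVM cannot satisfy the request
 * from whichever other provider happens to be registered first.
 */
public class IaikProviderDemo {

    /** Registers IAIK if it is not already present; returns its 1-based position, or -1. */
    static int registerIaik() {
        if (Security.getProvider("IAIK") != null) {
            return -1;
        }
        return Security.addProvider(new IAIK());
    }

    /** RSA key pair whose randomness comes from the provider's SP800-90 HMAC/SHA-256 DRBG. */
    static KeyPair generateRsaKeyPair(int bits) throws Exception {
        SecureRandom drbg = SecureRandom.getInstance("HMacSHA256PRNG-SP80090", "IAIK");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "IAIK");
        kpg.initialize(bits, drbg);
        return kpg.generateKeyPair();
    }

    static byte[] sign(KeyPair kp, byte[] message) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA", "IAIK");  // PKCS#1 v1.5
        sig.initSign(kp.getPrivate());
        sig.update(message);
        return sig.sign();
    }

    static boolean verify(KeyPair kp, byte[] message, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA", "IAIK");
        sig.initVerify(kp.getPublic());
        sig.update(message);
        return sig.verify(signature);         // false, not an exception, on a hash mismatch
    }

    public static void main(String[] args) throws Exception {
        registerIaik();
        Signature probe = Signature.getInstance("SHA256withRSA", "IAIK");
        System.out.println("signature implementation from: " + probe.getProvider().getName());

        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        KeyPair kp = generateRsaKeyPair(3072);
        byte[] s = sign(kp, msg);
        System.out.println("genuine message verifies: " + verify(kp, msg, s));

        byte[] tampered = msg.clone();
        tampered[0] ^= 0x01;                  // one flipped bit must break the signature
        System.out.println("tampered message verifies: " + verify(kp, tampered, s));
    }
}
```

Registering the provider with Security.addProvider() appends it to the end of the provider list, which is why the explicit provider argument matters: a bare getInstance("SHA256withRSA") would still be answered by the JDK's own SunRsaSign provider. The page lists RSA-PSS support as well; for new designs prefer it over the PKCS#1 v1.5 scheme shown here.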

The IAIK provider supports the following JCE implementations (follow this link for a detailed list):

Cipher Algorithms

AES, Blowfish, Camellia, CAST-128, DES, DESede, GOST, IDEA, MARS, RC2, RC5, RC6, Rijndael, Rijndael-256, Serpent, Twofish
ARCFOUR (compatible with RC4™), ChaCha20, ChaCha20Poly1305
Key Wrap (AES, AES Key Wrap with Padding, Camellia, CAST-128, DESede, HMAC-DESede, HMAC-AES, IDEA, RC2)
PBE (PKCS#5 PBES1 with MD5, SHA-1 and DES, Triple-DES, RC2; PKCS#5 PBES2 with AES, DESede, … and HMAC/SHA-1, HMAC/SHA-2)
AES-CBC-CMAC-128, AES-CBC-CMAC-192, AES-CBC-CMAC-256 (BSI TR-03109-1)
RSA (PKCS#1v1.5), RSAES-OAEP (PKCS#1v2.1)
ElGamal (PKCS#1v1.5)

Cipher Modes
ECB, CBC, PCBC, CFB, OFB, CTR, CCM, GCM, CTS, OpenPGPCFB
RSA (PKCS#1v1.5): 0, 1, 2 (block types); SSL

Padding Schemes
NoPadding, PKCS5Padding, SSL3Padding, ISO78164Padding, ISO10126-2
RSA: PKCS1Padding, OAEP
ElGamal: PKCS1Padding

Key Agreement Algorithms

DH, ESDH

Message Authentication Codes

HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA512/224, SHA512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, MD5,
RIPEMD-128, RIPEMD-160, WHIRLPOOL, GOST-3411
CMAC with AES and DESede
CBCMac with AES, DESede, and DES
Poly1305, PBMAC1

Key Pair Generators

RSA (PKCS#1v1.5), RSAES-OAEP (PKCS#1v2.1) (IEEE P1363 and FIPS 186-3)
DH, ESDH
ElGamal

Key Factories

RSA (PKCS#1v1.5), RSAES-OAEP (PKCS#1v2.1)
DH, ESDH
ElGamal

Key Generators

AES, AES-192, AES-256, Blowfish, Camellia, Camellia-192, Camellia-256, CAST-128, DES, DESede, GOST, IDEA, MARS, RC2, RC5, RC6, Rijndael, Rijndael-256, Serpent, Twofish
ARCFOUR (compatible with RC4™), ChaCha20
PBKDF2 (with HMAC/SHA-1, HMAC/SHA-2), PKCS12, PKCS12-IV, PKCS12-MAC
HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA512/224, SHA512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, MD5, RIPEMD-128, RIPEMD-160, WHIRLPOOL
Key Wrap (AES, AES-192, AES-256, CAST-128, DESede, DESede-HMAC, IDEA, RC2)
AES-CBC-CMAC-128, AES-CBC-CMAC-192, AES-CBC-CMAC-256 (BSI TR-03109-1)
Poly1305

Secret Key Factories

AES, AES-192, AES-256, Blowfish, Camellia, CAST-128, DES, DESede, GOST, IDEA, MARS, RC2, RC5, RC6, Rijndael, Rijndael-256, Serpent, Twofish
ARCFOUR (compatible with RC4™), ChaCha20
PBE, PBES2, PKCS#5, PKCS#12
Key Wrap (AES, AES-192, AES-256, CAST-128, DESede, DESede-HMAC, IDEA, RC2)
AES-CBC-CMAC-128, AES-CBC-CMAC-192, AES-CBC-CMAC-256 (BSI TR-03109-1)
Poly1305

Algorithm Parameter Generators

DH, ESDH
ElGamal
PBE

Algorithm Parameters

DH, ESDH, ESDHKEK
ElGamal
AES, AES-192, AES-256, Blowfish, Camellia, CAST-128, DES, DESede, GOST, IDEA, MARS, RC2, RC5, RC6, Rijndael, Rijndael-256, Serpent, Twofish
IV (initialization vector)
ARCFOUR (compatible with RC4™)
PBE, PBES2
Key Wrap (CAST-128, RC2)
CCM, CCMCMS, GCM
ChaCha20Poly1305

See here for a detailed list of the JCE implementations of the IAIK provider.
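An added example, not code from the IAIK-JCE distribution: AES-256-GCM through the JCE Cipher interface, pinned to the IAIK provider, with the tag-failure path exercised. The transformation string "AES/GCM/NoPadding" combines the cipher, mode and padding names listed above in the usual JCE form; the example assumes the provider accepts the standard javax.crypto.spec.GCMParameterSpec (JDK 7 and later), so on an older JDK consult the Javadoc for the provider's own parameter class. The 12-byte nonce prefix and the nonce || ciphertext || tag output layout are this example's conventions, not something the library dictates.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import iaik.security.provider.IAIK;

/**
 * AES-256-GCM via the JCE Cipher interface, pinned to the IAIK provider.
 * Output layout (this example's convention): 12-byte nonce || ciphertext || 16-byte tag,
 * where GCM itself appends the tag to the ciphertext returned by doFinal().
 */
public class AesGcmDemo {
    static final int NONCE_BYTES = 12;  // 96-bit nonce, the size GCM is specified for
    static final int TAG_BITS = 128;

    static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES", "IAIK");
        kg.init(256);
        return kg.generateKey();
    }

    static byte[] encrypt(SecretKey key, byte[] aad, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        new SecureRandom().nextBytes(nonce);  // a nonce must never repeat under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "IAIK");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(aad);                     // authenticated but not encrypted
        byte[] ct = c.doFinal(plaintext);     // ciphertext with the tag appended
        byte[] out = new byte[NONCE_BYTES + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return out;
    }

    /** Returns the plaintext, or null when the tag does not verify (nonce, AAD or ciphertext altered). */
    static byte[] decrypt(SecretKey key, byte[] aad, byte[] blob) {
        if (blob.length < NONCE_BYTES + TAG_BITS / 8) {
            return null;                      // too short to even contain nonce and tag
        }
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "IAIK");
            c.init(Cipher.DECRYPT_MODE, key,
                   new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(blob, 0, NONCE_BYTES)));
            c.updateAAD(aad);
            // a failed tag check surfaces as AEADBadTagException (a BadPaddingException)
            return c.doFinal(Arrays.copyOfRange(blob, NONCE_BYTES, blob.length));
        } catch (GeneralSecurityException e) {
            return null;                      // never hand out partial plaintext on failure
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new IAIK());
        SecretKey key = newKey();
        byte[] aad = "record-id:42".getBytes(StandardCharsets.UTF_8);            // constructed header
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        byte[] blob = encrypt(key, aad, msg);
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(key, aad, blob)));

        byte[] tampered = blob.clone();
        tampered[NONCE_BYTES] ^= 0x01;        // flip one ciphertext bit
        System.out.println("tampered ciphertext rejected: " + (decrypt(key, aad, tampered) == null));

        byte[] otherAad = "record-id:43".getBytes(StandardCharsets.UTF_8);
        System.out.println("wrong AAD rejected: " + (decrypt(key, otherAad, blob) == null));
    }
}
```

The decrypt path deliberately collapses every failure into null: callers that branch on the exception type, or that consume output from update() before doFinal() has checked the tag, reintroduce exactly the unauthenticated-plaintext problem GCM is meant to remove.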

The Abstract Syntax Notation One (ASN.1), defined by the ISO standard ISO 8824/ITU X.208, specifies a language for describing data structures in an abstract and platform independent manner. IAIK-JCE supports all essential basic (simple and constructed) ASN.1 types:

  • BOOLEAN
  • INTEGER
  • BITSTRING
  • OCTETSTRING
  • NULL
  • OBJECTIDENTIFIER
  • ENUMERATED
  • SEQUENCE
  • SET
  • SEQUENCE OF
  • SET OF
  • UTCTime
  • GeneralizedTime
  • all essential String types

IAIK-JCE provides the functionality for properly handling private, context-specific and application dependent types, as well as the pre-defined standard types.

Several en/decoding utilities support DER, Base64 and PEM encoding and decoding of ASN.1 structures, which may be modelled as Java™ classes. To avoid memory problems, ASN.1 structures may also be written to, or parsed from, their encodings in a stream-based manner.

IAIK-JCE includes a library of pre-built ASN.1 structures for use with application protocols like PKCS or X.509.

IAIK-JCE supports the following standards of the PKCS public-key cryptography family:

  • PKCS#1: RSA Encryption Standard
  • PKCS#3: Diffie Hellman Key Agreement Standard
  • PKCS#5: Password-Based Encryption Standard
  • PKCS#7: Cryptographic Message Syntax Standard
  • PKCS#8: Private-Key Information Syntax Standard
  • PKCS#9: Selected Attribute Types
  • PKCS#10: Certification Request Syntax Standard
  • PKCS#12: Personal Information Exchange Syntax Standard

There is support for these additional standards via separate products:

  • PKCS#11: Cryptographic Token Interface Standard. Not supported by IAIK-JCE itself, but by the separate product PKCS#11 Provider

The X.509 package

  • fits into the JCA certificate/CRL API
  • extends the JCA certificate/CRL API with the ability to create and issue new certificates
  • supports X.509 public key certificates
  • supports X.509 certificate revocation lists (CRLs), delta CRLs and indirect CRLs
  • supports X.509 qualified certificates
  • supports X.509 attribute certificates
  • implements all X.509 certificate and CRL extensions
  • implements all private Netscape certificate extensions
  • implements all PKIX qualified certificate, attribute certificate and OCSP extensions
  • implements the Online Certificate Status Protocol (OCSP), version 2.01
    • supports client-side and server-side creation, signing, parsing and verification of OCSP requests and responses
    • implements all OCSP client and server extensions
    • supports OCSP over HTTP
    • includes utilities for creating OCSP responses from CRLs and maintaining trusted responder certificates

IAIK-JCE includes a variety of random number generators, including those from NIST SP800-90, ANSI X9.17 and FIPS PUB 186-2 as well as other hash-based generators. In addition, IAIK-JCE provides utilities that make it easy for GUI developers to use Java™ AWT events for seeding the generator.

Class name | Standard name | Description
SHA1SP80090Random | SHA1PRNG-SP80090 | A SHA-1 hash-based secure random according to NIST SP800-90.
SHA224SP80090Random | SHA224PRNG-SP80090 | A SHA-224 hash-based secure random according to NIST SP800-90.
SHA256SP80090Random | SHA256PRNG-SP80090 | A SHA-256 hash-based secure random according to NIST SP800-90.
SHA384SP80090Random | SHA384PRNG-SP80090 | A SHA-384 hash-based secure random according to NIST SP800-90.
SHA512SP80090Random | SHA512PRNG-SP80090 | A SHA-512 hash-based secure random according to NIST SP800-90.
HMacSHA1SP80090Random | HMacSHA1PRNG-SP80090 | An HMAC/SHA-1 based secure random according to NIST SP800-90.
HMacSHA224SP80090Random | HMacSHA224PRNG-SP80090 | An HMAC/SHA-224 based secure random according to NIST SP800-90.
HMacSHA256SP80090Random | HMacSHA256PRNG-SP80090 | An HMAC/SHA-256 based secure random according to NIST SP800-90.
HMacSHA384SP80090Random | HMacSHA384PRNG-SP80090 | An HMAC/SHA-384 based secure random according to NIST SP800-90.
HMacSHA512SP80090Random | HMacSHA512PRNG-SP80090 | An HMAC/SHA-512 based secure random according to NIST SP800-90.
AES128SP80090Random | AES128PRNG-SP80090 | An AES-128 block-cipher-based secure random according to NIST SP800-90.
AES192SP80090Random | AES192PRNG-SP80090 | An AES-192 block-cipher-based secure random according to NIST SP800-90.
AES256SP80090Random | AES256PRNG-SP80090 | An AES-256 block-cipher-based secure random according to NIST SP800-90.
SHA1Random | SHA1PRNG | A SHA-1 hash-based secure random according to example E.5 of the BSI AIS 20 (v2.0) document for Common Criteria.
MD5Random | | An MD5 hash-based secure random according to example E.5 of the BSI AIS 20 (v2.0) document for Common Criteria.
RipeMd128Random | | A RIPEMD-128 hash-based secure random according to example E.5 of the BSI AIS 20 (v2.0) document for Common Criteria.
RipeMd160Random | RipeMD160PRNG | A RIPEMD-160 hash-based secure random according to example E.5 of the BSI AIS 20 (v2.0) document for Common Criteria.
SHA256Random | SHA256PRNG | A SHA-256 hash-based secure random according to example E.5 of the BSI AIS 20 (v2.0) document for Common Criteria.
SHA384Random | SHA384PRNG | A SHA-384 hash-based secure random according to example E.5 of the BSI AIS 20 (v2.0) document for Common Criteria.
SHA512Random | SHA512PRNG | A SHA-512 hash-based secure random according to example E.5 of the BSI AIS 20 (v2.0) document for Common Criteria.
SHA1FIPS186Random | SHA1PRNG-FIPS186 | A SHA-1 hash-based secure random according to the general-purpose version of the FIPS 186-2 random generator.
RipeMd160FIPS186Random | RipeMD160PRNG-FIPS186 | A RIPEMD-160 hash-based secure random according to the general-purpose version of the FIPS 186-2 random generator.
SHA256FIPS186Random | SHA256PRNG-FIPS186 | A SHA-256 hash-based secure random according to the general-purpose version of the FIPS 186-2 random generator.
SHA384FIPS186Random | SHA384PRNG-FIPS186 | A SHA-384 hash-based secure random according to the general-purpose version of the FIPS 186-2 random generator.
SHA512FIPS186Random | SHA512PRNG-FIPS186 | A SHA-512 hash-based secure random according to the general-purpose version of the FIPS 186-2 random generator.
AnsiRandom | DESedePRNG | A Triple-DES based secure random according to ANSI X9.17.

IAIK-JCE class LdapURLConnection makes it easy to search an LDAP directory for certificates, attribute certificates or certificate revocation lists in the way familiar from the java.net URL framework. In the simplest case you only have to create an LdapURLConnection object by calling method openConnection on an LDAP URL object, set any request properties (if required), and finally call method getInputStream or getContent to read the search result, e.g.:

 // register the IAIK protocol handler package so that java.net.URL understands "ldap:" URLs
 System.setProperty("java.protocol.handler.pkgs", "iaik.x509.net");
 // requires java.net.URL plus the IAIK LdapURLConnection and X509CRL classes
 // (see the Javadoc for their packages)
 // the ldap url (host, base DN and search filter elided here)
 URL url = new URL("ldap://...");
 // open connection
 LdapURLConnection con = (LdapURLConnection)url.openConnection();
 ...
 // set any request properties (if required)
 ...
 // connect to the ldap server and read the result:
 X509CRL crl = (X509CRL)con.getContent();
 // the CRL is untrusted until its signature has been verified against the issuer's public key

For downloading a CRL from its (HTTP or LDAP) distribution point you can simply use method loadCrl of the DistributionPoint class. With this method you can download any referenced CRL(s) immediately while stepping through the distribution points contained in the CRLDistributionPoints extension of a certificate, e.g. as below. Note that both ldap:// and http:// deliver the CRL over an unauthenticated transport: a downloaded CRL must have its signature verified against the issuer's public key, and its thisUpdate/nextUpdate window checked, before it is used for a revocation decision.

 X509Certificate cert = ...;
 ...
 // get the CRLDistributionPoints extension (null if the certificate has none);
 // getExtension returns the generic V3Extension type, so cast to the concrete class
 CRLDistributionPoints cRLDistributionPoints =
     (CRLDistributionPoints)cert.getExtension(CRLDistributionPoints.oid);
 if (cRLDistributionPoints != null) {
   // step through the DistributionPoints
   Enumeration e = cRLDistributionPoints.getDistributionPoints();
   while (e.hasMoreElements()) {
     DistributionPoint dp = (DistributionPoint)e.nextElement();
     // only URI-type distribution point names can be fetched directly
     if (dp.containsUriDpName()) {
       // download the CRL (still unverified at this point)
       X509CRL crl = dp.loadCrl();
       ...
     }
   }
 }

IAIK-JCE also contains command line utilities (see sub-directory
cmd/ldapSearch of the IAIK-JCE distribution) for searching an LDAP directory for certificates, attribute certificates and certificate revocation lists.

See also tech tip “LDAP for the Java™ NET URL framework”, Part 1 and Part 2.
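The two snippets above only fetch the CRL. As an added example (not code from the IAIK-JCE distribution), the program below shows the checks a fetched CRL must pass before it is used for a revocation decision, and runs them against constructed test data: a throw-away CA certificate, one end-entity certificate, a genuine CRL that revokes it, a CRL with the same content signed by the wrong key, and an expired CRL. The certificate and CRL builder calls (X509Certificate, X509CRL, RevokedCertificate, Name, AlgorithmID, BasicConstraints) are IAIK classes as the editor recalls them from the IAIK Javadoc and are assumptions to be confirmed against the version in use; the checks themselves use only the java.security.cert API that the IAIK X509CRL inherits.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Security;
import java.util.Date;
import iaik.asn1.ObjectID;
import iaik.asn1.structures.AlgorithmID;
import iaik.asn1.structures.Name;
import iaik.security.provider.IAIK;
import iaik.x509.RevokedCertificate;
import iaik.x509.X509CRL;
import iaik.x509.X509Certificate;
import iaik.x509.extensions.BasicConstraints;

public class CrlCheckDemo {

    enum CrlStatus { GOOD, REVOKED, WRONG_ISSUER, BAD_SIGNATURE, STALE }

    /**
     * Checks to run on a CRL obtained from LdapURLConnection.getContent() or
     * DistributionPoint.loadCrl() before believing anything it says.
     * Handles direct CRLs only; indirect CRLs need issuing-distribution-point logic.
     */
    static CrlStatus checkCrl(X509CRL crl, X509Certificate issuer, X509Certificate subject, Date now) {
        // 1. The CRL must be issued by the certificate's own issuer ...
        if (!crl.getIssuerDN().equals(subject.getIssuerDN())) {
            return CrlStatus.WRONG_ISSUER;
        }
        // 2. ... and its signature must verify under that issuer's public key.
        try {
            crl.verify(issuer.getPublicKey());
        } catch (Exception e) {
            return CrlStatus.BAD_SIGNATURE;
        }
        // 3. A CRL dated in the future or past its nextUpdate is not evidence of anything.
        Date next = crl.getNextUpdate();
        if (now.before(crl.getThisUpdate()) || (next != null && !now.before(next))) {
            return CrlStatus.STALE;
        }
        // 4. Only now is the revocation list worth consulting.
        return crl.isRevoked(subject) ? CrlStatus.REVOKED : CrlStatus.GOOD;
    }

    // Constructed test data: a throw-away CA, one end-entity certificate and three CRLs.
    static Name dn(String cn) {
        Name n = new Name();
        n.addRDN(ObjectID.organization, "Example");
        n.addRDN(ObjectID.commonName, cn);
        return n;
    }

    static X509Certificate issue(Name subject, PublicKey pub, Name issuerDn, KeyPair issuerKey,
                                 long serial, boolean ca, Date from, Date to) throws Exception {
        X509Certificate cert = new X509Certificate();
        cert.setSerialNumber(BigInteger.valueOf(serial));
        cert.setSubjectDN(subject);
        cert.setIssuerDN(issuerDn);
        cert.setPublicKey(pub);
        cert.setValidNotBefore(from);
        cert.setValidNotAfter(to);
        cert.addExtension(new BasicConstraints(ca));
        cert.sign(AlgorithmID.sha256WithRSAEncryption, issuerKey.getPrivate());
        return cert;
    }

    /** A CRL valid for 24 hours from thisUpdate that revokes one certificate. */
    static X509CRL issueCrl(Name issuerDn, KeyPair signer, X509Certificate revoked, Date thisUpdate)
            throws Exception {
        X509CRL crl = new X509CRL();
        crl.setIssuerDN(issuerDn);
        crl.setThisUpdate(thisUpdate);
        crl.setNextUpdate(new Date(thisUpdate.getTime() + 24L * 3600 * 1000));
        crl.addCertificate(new RevokedCertificate(revoked, thisUpdate));
        crl.sign(AlgorithmID.sha256WithRSAEncryption, signer.getPrivate());
        return crl;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new IAIK());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "IAIK");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair();
        KeyPair eeKey = kpg.generateKeyPair();
        Date now = new Date();
        Date inOneYear = new Date(now.getTime() + 365L * 24 * 3600 * 1000);
        Name caDn = dn("Demo CA");
        X509Certificate caCert = issue(caDn, caKey.getPublic(), caDn, caKey, 1, true, now, inOneYear);
        X509Certificate eeCert = issue(dn("demo.example"), eeKey.getPublic(), caDn, caKey, 2, false, now, inOneYear);

        // signed by the CA, current, and listing eeCert's serial number
        System.out.println("genuine: " + checkCrl(issueCrl(caDn, caKey, eeCert, now), caCert, eeCert, now));
        // same content signed with the end-entity key: rejected before its entries are read
        System.out.println("forged:  " + checkCrl(issueCrl(caDn, eeKey, eeCert, now), caCert, eeCert, now));
        // thisUpdate two days ago, so the 24-hour nextUpdate has passed
        Date twoDaysAgo = new Date(now.getTime() - 48L * 3600 * 1000);
        System.out.println("expired: " + checkCrl(issueCrl(caDn, caKey, eeCert, twoDaysAgo), caCert, eeCert, now));
    }
}
```

The order of the checks is the point: the issuer match and signature verification come before the time window and the revocation lookup, so an attacker who can answer the LDAP or HTTP fetch cannot unrevoke a certificate by serving a CRL of their own, and a stale CRL is treated as no answer rather than as "not revoked".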

The benchmark program may also be used to measure other JCA/JCE providers, such as the default Sun provider for MD5 and SHA-1 hashes or the SunJCE provider.

The results below were obtained on an Intel(R) Core(TM) i5 2540M at 2.60 GHz (running in turbo mode at 3.3 GHz) with 8 GB RAM, running Windows 7 Enterprise (64-bit) and Ubuntu Linux 11.10/amd64, network-connected with standard services active. The tests were done with the IAIK-JCE 5.0 release on JDK 1.6.0, each test running for 3.0 seconds. Throughput rows are in 1000s of bytes per second; the RSA rows give the time per private-key or public-key operation in milliseconds.

Results for Windows7/x64 and 64-bit VM:

 Security provider: IAIK, version 5.01
 Java VM: Sun Microsystems Inc., version 1.7.0_01, JIT
 OS: Windows 7/amd64, version 6.1

The ‘numbers’ are in 1000s of bytes per second processed.

type              8 bytes    64 bytes   256 bytes  1024 bytes  8192 bytes   
md2               8192.8k     8361.8k     8328.8k     8367.4k     8368.8k   
md5             192768.8k   278787.2k   299987.1k   308221.9k   310547.8k   
sha1            131748.4k   178218.1k   181367.1k   180751.9k   174020.8k   
sha224           92638.3k   111189.5k   113375.8k   114167.3k   113953.4k   
sha256           93090.7k   108834.0k   112697.8k   113722.4k   114043.1k   
sha384          128688.7k   164949.4k   170873.2k   171309.9k   171457.9k   
sha512          130878.8k   164634.2k   169945.4k   170414.5k   171128.7k   
ripe md128      146981.0k   204095.7k   204572.0k   204929.2k   207050.0k   
ripe md160       81875.8k   105747.6k   106845.8k   106367.4k   106700.0k   
ripe md256      143191.8k   197190.0k   197856.2k   199598.3k   201015.5k   
ripe md320       82946.9k    97874.1k    99081.7k    99863.6k    99979.9k   
whirlpool        22848.2k    26719.6k    26641.5k    26676.3k    26426.0k   
aes cbc              n/a    104703.3k   109686.7k   110553.5k   111307.7k   
aes gcm              n/a     47072.2k    48876.1k    45624.4k    47391.1k   
aes ccm              n/a     37161.4k    39320.9k    38398.4k    38792.7k   
des cbc          45501.5k    51692.5k    52308.7k    52770.5k    52533.8k   
rc2 cbc          34764.1k    37557.7k    38205.0k    38238.9k    38217.5k   
blowfish cbc     64908.8k    74834.3k    78109.4k    78271.8k    78840.1k   
rc5 cbc          66286.7k    79032.8k    81391.9k    78292.6k    82015.2k   
gost cbc         37226.2k    40858.4k    41593.7k    41875.8k    41778.9k   
cast128 cbc      58399.8k    66593.6k    68516.5k    68696.7k    69083.7k   
rc6 cbc              n/a     90648.9k    91982.9k    92758.2k    92704.8k   
mars cbc             n/a     78499.2k    81449.8k    80043.7k    81199.0k   
twofish cbc          n/a     83585.2k    85332.4k    85644.6k    86694.8k   
arcfour         148935.0k   252969.5k   264484.7k   284319.3k   285884.7k   
serpent cbc          n/a     50064.3k    53411.5k    53415.3k    53600.3k   
rijndael-256 cbc     n/a     71354.6k    74097.3k    74019.1k    74816.2k   
camellia cbc         n/a     71468.5k    73533.3k    73922.5k    74503.3k   
rsa 512  bit private key             0.309 ms
rsa 512  bit public key (2^16 +1)    0.024 ms
rsa 1024 bit private key             1.448 ms
rsa 1024 bit public key (2^16 +1)    0.066 ms
rsa 2048 bit private key             8.115 ms
rsa 2048 bit public key (2^16 +1)    0.225 ms
rsa 4096 bit private key            55.759 ms
rsa 4096 bit public key (2^16 +1)    0.834 ms
 Security provider: IAIK, version 5.01 (with AES addon)
 Java VM: Sun Microsystems Inc., version 1.7.0_01, JIT
 OS: Windows 7/amd64, version 6.1

The ‘numbers’ are in 1000s of bytes per second processed.

type              8 bytes    64 bytes   256 bytes  1024 bytes  8192 bytes   
md2               8186.1k     8276.6k     8292.4k     8320.8k     8308.9k   
md5             194896.0k   297683.1k   307329.9k   309925.1k   309717.9k   
sha1            133692.3k   177186.7k   180563.7k   181079.3k   181655.0k   
sha224           92125.6k   110622.5k   113042.4k   114933.8k   112418.9k   
sha256           93814.0k   110153.5k   113298.2k   114672.6k   114908.3k   
sha384          130208.5k   166805.7k   160485.8k   171432.4k   169314.0k   
sha512          130768.5k   164233.4k   169897.2k   170384.2k   170603.6k   
ripe md128      147508.0k   202093.8k   203951.1k   205582.8k   203752.5k   
ripe md160       87422.6k   105639.0k   105817.8k   106642.2k   106972.1k   
ripe md256      145238.0k   192878.3k   196550.1k   197925.8k   199268.8k   
ripe md320       87399.8k   102687.1k   100944.2k   102346.2k    97338.1k   
whirlpool        20088.6k    25927.7k    26547.9k    26761.3k    26649.1k   
aes cbc              n/a    163261.0k   326741.5k   490796.6k   570920.6k   
aes gcm              n/a     47103.8k    48320.8k    46011.0k    47410.7k   
aes ccm              n/a     37366.7k    39127.2k    38821.9k    39561.5k   
des cbc          46504.8k    52049.1k    53410.0k    53529.5k    53284.7k   
rc2 cbc          33437.0k    37142.4k    38048.0k    38268.8k    38261.0k   
blowfish cbc     65475.8k    77140.6k    79923.4k    80948.4k    81413.9k   
rc5 cbc          66750.8k    82410.6k    85805.7k    86510.8k    86686.6k   
gost cbc         39299.1k    43802.9k    44716.4k    44873.0k    45013.8k   
cast128 cbc      55421.2k    65639.5k    67577.5k    67988.7k    67494.8k   
rc6 cbc              n/a     91000.4k    92971.7k    88395.5k    93790.3k   
mars cbc             n/a     77938.2k    80620.3k    80840.9k    81413.9k   
twofish cbc          n/a     82801.9k    85394.4k    84413.8k    85397.0k   
arcfour         152430.8k   255504.2k   281974.4k   286814.2k   284818.2k   
serpent cbc          n/a     49235.5k    53060.6k    53073.1k    53077.9k   
rijndael-256 cbc     n/a     69108.3k    73627.0k    73466.8k    73630.0k   
camellia cbc         n/a     69944.4k    72135.6k    67346.6k    73276.3k   
rsa 512  bit private key             0.370 ms
rsa 512  bit public key (2^16 +1)    0.024 ms
rsa 1024 bit private key             1.446 ms
rsa 1024 bit public key (2^16 +1)    0.066 ms
rsa 2048 bit private key             8.050 ms
rsa 2048 bit public key (2^16 +1)    0.223 ms
rsa 4096 bit private key            55.599 ms
rsa 4096 bit public key (2^16 +1)    0.826 ms

 

Results for Windows7/x64 and 32-bit VM:

 Security provider: IAIK, version 5.01
 Java VM: Sun Microsystems Inc., version 1.7.0, JIT
 OS: Windows 7/x86, version 6.1

The ‘numbers’ are in 1000s of bytes per second processed.

type              8 bytes    64 bytes   256 bytes  1024 bytes  8192 bytes   
md2               7774.5k     7881.9k     7925.5k     7908.0k     7909.0k   
md5             171882.2k   245575.6k   264835.0k   269613.6k   271590.2k   
sha1            120515.3k   144979.5k   164770.3k   164323.9k   166476.3k   
sha224           72577.3k    84347.5k    85443.8k    84795.4k    85184.8k   
sha256           68138.6k    83742.6k    84524.9k    84298.2k    83919.7k   
sha384           31501.7k    33904.5k    33929.0k    34311.3k    34209.9k   
sha512           31645.3k    33714.4k    33814.7k    34377.2k    33981.4k   
ripe md128      125691.1k   169376.1k   171722.9k   172169.3k   171436.1k   
ripe md160       93459.2k   116264.1k   116800.7k   118136.8k   118818.0k   
ripe md256      123595.7k   160494.2k   169136.9k   168605.6k   169711.2k   
ripe md320       91941.3k   114195.7k   116037.5k   116498.9k   117327.0k   
whirlpool        18850.7k    19818.2k    19785.2k    19849.4k    19833.8k   
aes cbc              n/a     70377.6k    72619.8k    73566.7k    73779.7k   
aes gcm              n/a     25391.6k    25416.8k    25976.6k    26293.3k   
aes ccm              n/a     24322.0k    25035.0k    24973.0k    25808.0k   
des cbc          32244.7k    36594.5k    37615.9k    37876.4k    37956.3k   
rc2 cbc          30393.1k    34085.6k    34889.7k    34687.1k    34990.8k   
blowfish cbc     48282.5k    58331.5k    59988.8k    60680.2k    60611.5k   
rc5 cbc          45844.3k    56464.8k    58255.0k    58278.8k    58908.3k   
gost cbc         32375.6k    37288.9k    38109.2k    35691.7k    38649.3k   
cast128 cbc      41960.0k    52945.9k    54240.5k    54363.1k    54880.9k   
rc6 cbc              n/a     70250.6k    72971.9k    73694.3k    73659.9k   
mars cbc             n/a     59707.3k    61145.5k    61575.7k    61709.4k   
twofish cbc          n/a     69657.0k    72412.4k    73484.8k    73888.5k   
arcfour          77074.4k   122718.0k   132467.8k   134102.5k   134671.4k   
serpent cbc          n/a     39023.5k    39972.0k    37220.7k    39605.0k   
rijndael-256 cbc     n/a     57642.5k    59913.0k    60327.5k    60850.9k   
camellia cbc         n/a     48140.4k    49426.2k    49791.3k    50185.8k   
rsa 512  bit private key             0.943 ms
rsa 512  bit public key (2^16 +1)    0.077 ms
rsa 1024 bit private key             5.282 ms
rsa 1024 bit public key (2^16 +1)    0.259 ms
rsa 2048 bit private key            34.397 ms
rsa 2048 bit public key (2^16 +1)    0.957 ms
rsa 4096 bit private key           246.000 ms
rsa 4096 bit public key (2^16 +1)    3.685 ms
 Security provider: IAIK, version 5.01 (with AES addon)
 Java VM: Sun Microsystems Inc., version 1.7.0, JIT
 OS: Windows 7/x86, version 6.1

The ‘numbers’ are in 1000s of bytes per second processed.

type              8 bytes    64 bytes   256 bytes  1024 bytes  8192 bytes   
md2               7745.9k     7805.1k     7866.7k     7877.4k     7881.8k   
md5             169483.8k   258748.7k   267118.0k   268694.0k   268926.6k   
sha1            121917.7k   164900.0k   167138.3k   167731.2k   168533.1k   
sha224           71909.7k    84566.7k    85486.3k    85113.0k    85456.8k   
sha256           72745.7k    84280.3k    78504.0k    85535.4k    84874.6k   
sha384           31642.9k    33985.7k    34220.8k    34389.1k    34294.3k   
sha512           31898.9k    33875.8k    34239.9k    34446.3k    34316.0k   
ripe md128      126060.4k   169366.4k   172089.8k   172652.3k   173139.3k   
ripe md160       93140.6k   116492.3k   117037.7k   117702.8k   119068.3k   
ripe md256      123817.0k   166513.2k   170014.0k   170803.9k   164454.8k   
ripe md320       91572.1k   112127.3k   115389.1k   116275.5k   116908.0k   
whirlpool        18882.8k    19888.2k    19839.3k    19850.8k    19956.2k   
aes cbc              n/a     76694.7k   155416.7k   349515.5k   520000.1k   
aes gcm              n/a     25321.9k    25524.3k    25610.7k    26539.6k   
aes ccm              n/a     24460.8k    25289.7k    25360.1k    25427.9k   
des cbc          32389.8k    35310.1k    37647.3k    38046.8k    38242.0k   
rc2 cbc          30618.7k    34714.9k    35310.4k    35132.9k    35349.9k   
blowfish cbc     47507.0k    58538.2k    60084.2k    60974.0k    60908.1k   
rc5 cbc          45850.7k    56426.6k    58797.7k    59504.5k    58149.3k   
gost cbc         32309.1k    37413.3k    38156.0k    38422.9k    38271.9k   
cast128 cbc      43636.0k    50771.7k    53521.5k    54698.1k    54579.7k   
rc6 cbc              n/a     69451.4k    72207.0k    73344.7k    73834.1k   
mars cbc             n/a     58796.5k    60591.9k    60795.1k    61082.2k   
twofish cbc          n/a     68775.4k    72478.7k    73572.9k    73763.3k   
arcfour          91715.6k   154340.5k   157259.0k   165858.7k   170162.8k   
serpent cbc          n/a     38782.6k    39749.6k    40038.7k    39871.7k   
rijndael-256 cbc     n/a     58765.7k    56869.4k    62217.4k    62341.9k   
camellia cbc         n/a     49482.5k    50792.0k    51140.4k    51135.3k   
rsa 512  bit private key             0.931 ms
rsa 512  bit public key (2^16 +1)    0.075 ms
rsa 1024 bit private key             5.218 ms
rsa 1024 bit public key (2^16 +1)    0.256 ms
rsa 2048 bit private key            33.831 ms
rsa 2048 bit public key (2^16 +1)    0.938 ms
rsa 4096 bit private key           244.846 ms
rsa 4096 bit public key (2^16 +1)    3.623 ms

Results for Ubuntu Linux 11.10/amd64 and 64-bit VM:

Security provider: IAIK, version 5.01
Java VM: Sun Microsystems Inc., version 1.6.0_23, JIT
OS: Linux/amd64, version 3.0.0-14-generic

The ‘numbers’ are in 1000s of bytes per second processed.

type               8 bytes   64 bytes   256 bytes   1024 bytes   8192 bytes   
md2               8236.0k     8322.3k     8396.9k     8386.5k     8347.5k   
md5             200893.0k   302100.4k   310835.1k   313921.5k   313638.9k   
sha1            131815.3k   174837.6k   176549.9k   178310.8k   178853.2k   
sha224           91425.2k   110981.9k   111590.7k   112523.6k   112902.1k   
sha256           92974.0k   110711.5k   111650.3k   111594.1k   112164.8k   
sha384          126978.0k   165760.8k   171397.4k   171090.9k   172569.9k   
sha512          132950.3k   165426.8k   171347.0k   171213.4k   172367.8k   
ripe md128      150315.3k   203312.5k   206315.3k   207510.5k   207541.5k   
ripe md160       82350.6k    96687.2k    97386.4k    97715.5k    97525.7k   
ripe md256      145574.3k   185433.1k   195366.7k   198403.0k   199240.3k   
ripe md320       81370.7k    95493.2k    94723.9k    96071.4k    96266.9k   
whirlpool        29228.9k    41794.9k    41804.8k    42024.9k    42109.6k   
aes cbc              n/a    102938.4k   109955.2k   111000.5k   111392.0k   
aes gcm              n/a     47065.2k    48433.2k    48786.5k    48859.9k   
aes ccm              n/a     37085.9k    40440.3k    39611.5k    39653.5k   
des cbc          45203.2k    50808.8k    52400.2k    52482.0k    52228.4k   
rc2 cbc          34699.1k    37845.5k    38228.7k    38521.5k    38469.6k   
blowfish cbc     58037.8k    67607.6k    69156.4k    69793.7k    69976.0k   
rc5 cbc          69334.6k    84703.3k    87511.0k    88754.5k    88307.6k   
gost cbc         31446.2k    34583.7k    35014.5k    35003.7k    35159.2k   
cast128 cbc      56889.1k    66440.8k    68167.1k    68507.9k    68949.3k   
rc6 cbc              n/a     87897.3k    90236.8k    91657.2k    91335.3k   
mars cbc             n/a     78245.4k    81238.2k    81473.8k    82070.1k   
twofish cbc          n/a     83661.0k    85644.4k    86681.7k    86499.3k   
arcfour         157530.5k   282012.5k   305346.7k   311394.3k   318327.8k   
serpent cbc          n/a     48921.1k    53738.7k    53887.1k    54010.9k   
rijndael-256 cbc     n/a     71919.5k    74154.2k    74159.6k    74918.1k   
camellia cbc         n/a     70834.4k    72754.0k    73924.9k    74006.4k   
rsa 512  bit private key             0.327 ms
rsa 512  bit public key (2^16 +1)    0.034 ms
rsa 1024 bit private key             1.437 ms
rsa 1024 bit public key (2^16 +1)    0.085 ms
rsa 2048 bit private key             7.973 ms
rsa 2048 bit public key (2^16 +1)    0.257 ms
rsa 4096 bit private key            53.210 ms
rsa 4096 bit public key (2^16 +1)    0.873 ms
Security provider: IAIK, version 5.01 (with AES addon)
Java VM: Sun Microsystems Inc., version 1.6.0_23, JIT
OS: Linux/amd64, version 3.0.0-14-generic

The ‘numbers’ are in 1000s of bytes per second processed.

type               8 bytes   64 bytes   256 bytes   1024 bytes   8192 bytes   
md2               8240.1k     8356.1k     8389.8k     8367.1k     8402.1k   
md5             200615.5k   285807.1k   307981.6k   313814.0k   313942.0k   
sha1            132045.8k   174409.8k   177720.2k   178468.0k   178413.5k   
sha224           90700.4k   111554.9k   111726.4k   112596.3k   112347.8k   
sha256           92736.0k   111675.9k   111847.0k   112741.0k   112905.4k   
sha384          130648.6k   163098.0k   168191.6k   171061.2k   172474.3k   
sha512          131690.2k   162739.2k   168391.5k   169603.4k   171338.4k   
ripe md128      148196.9k   194506.1k   204275.4k   205884.0k   208112.2k   
ripe md160       81362.3k    96420.2k    97392.0k    97101.8k    97954.4k   
ripe md256      146730.9k   196365.8k   198911.4k   200342.5k   200518.3k   
ripe md320       81581.5k    95425.3k    96213.7k    96698.3k    96526.3k   
whirlpool        29832.1k    42052.8k    41802.5k    41990.4k    41869.3k   
aes cbc              n/a    213282.8k   424044.2k   546418.6k   593420.2k   
aes gcm              n/a     47007.2k    48171.0k    48504.4k    49076.4k   
aes ccm              n/a     37497.2k    39250.8k    39474.4k    39534.8k   
des cbc          47209.0k    51961.1k    53043.5k    53127.5k    51876.2k   
rc2 cbc          35272.0k    37791.1k    38388.9k    38582.9k    38491.4k   
blowfish cbc     58732.5k    68587.4k    69673.5k    70517.7k    70579.5k   
rc5 cbc          72282.8k    85963.0k    88641.5k    88909.1k    89388.3k   
gost cbc         31690.4k    34705.9k    35284.6k    34957.9k    35394.9k   
cast128 cbc      57858.7k    66357.3k    68378.0k    68814.8k    68506.9k   
rc6 cbc              n/a     89383.5k    90965.6k    92157.9k    91873.2k   
mars cbc             n/a     78277.5k    81047.8k    81582.4k    81510.4k   
twofish cbc          n/a     83700.7k    85169.4k    86283.6k    86343.6k   
arcfour         153854.9k   247516.6k   276623.3k   283919.7k   286067.3k   
serpent cbc          n/a     49861.1k    53550.5k    53803.0k    53661.5k   
rijndael-256 cbc     n/a     72108.5k    74293.0k    74430.8k    74866.3k   
camellia cbc         n/a     70028.1k    72900.9k    73359.7k    73176.5k   
rsa 512  bit private key             0.331 ms
rsa 512  bit public key (2^16 +1)    0.034 ms
rsa 1024 bit private key             1.433 ms
rsa 1024 bit public key (2^16 +1)    0.085 ms
rsa 2048 bit private key             7.934 ms
rsa 2048 bit public key (2^16 +1)    0.256 ms
rsa 4096 bit private key            52.789 ms
rsa 4096 bit public key (2^16 +1)    0.870 ms

Results for Ubuntu Linux 11.10/amd64 and 32-bit VM:

Security provider: IAIK, version 5.01
Java VM: Sun Microsystems Inc., version 1.6.0_25, JIT
OS: Linux/i386, version 3.0.0-14-generic
The ‘numbers’ are in 1000s of bytes per second processed.

type               8 bytes   64 bytes   256 bytes   1024 bytes   8192 bytes   
md2               8123.2k     8323.6k     8334.8k     8300.5k     8314.8k   
md5             163998.5k   280917.1k   290870.5k   292294.9k   293718.6k   
sha1            114625.3k   161941.3k   165003.4k   165266.7k   166488.7k   
sha224           79338.9k    99172.1k    99858.2k   101340.5k   101086.5k   
sha256           81325.2k    99121.9k   100820.9k   101279.4k   100951.8k   
sha384           45611.7k    53295.1k    53973.7k    54096.8k    52244.8k   
sha512           49214.6k    53348.5k    53898.5k    54094.8k    54160.0k   
ripe md128      133182.6k   183257.6k   184231.4k   185255.9k   185685.3k   
ripe md160       67132.4k    76492.9k    78156.6k    78592.3k    79026.4k   
ripe md256      128659.5k   172585.8k   175225.0k   176485.7k   175946.4k   
ripe md320       62078.6k    71091.0k    71843.0k    72224.7k    71862.9k   
whirlpool        11485.9k    22302.7k    22122.4k    22390.1k    22112.9k   
aes cbc              n/a     86624.4k    90797.0k    91254.1k    91657.0k   
aes gcm              n/a     31214.2k    31707.1k    31846.4k    31673.0k   
aes ccm              n/a     28844.9k    31227.8k    31362.1k    31164.5k   
des cbc          40946.6k    45942.3k    47072.7k    47101.6k    47325.1k   
rc2 cbc          30166.2k    33607.8k    34285.3k    34455.8k    34349.0k   
blowfish cbc     41867.3k    48407.3k    49830.3k    50254.8k    50154.1k   
rc5 cbc          60944.0k    75899.5k    77879.2k    79369.8k    78700.5k   
gost cbc         27987.0k    31404.5k    31813.4k    32105.1k    32082.8k   
cast128 cbc      49533.4k    60321.7k    62051.2k    62795.7k    62852.6k   
rc6 cbc              n/a     74263.6k    77131.6k    78049.2k    78084.6k   
mars cbc             n/a     66706.6k    69652.6k    70404.7k    70478.5k   
twofish cbc          n/a     74914.6k    77963.7k    78634.7k    78900.8k   
arcfour          94164.4k   165045.9k   181442.9k   186806.9k   185222.1k   
serpent cbc          n/a     47466.0k    50887.5k    51566.5k    51638.8k   
rijndael-256 cbc     n/a     61845.7k    65315.7k    65909.7k    64782.3k   
camellia cbc         n/a     59095.5k    61602.4k    61722.8k    61919.0k   
rsa 512  bit private key             0.540 ms
rsa 512  bit public key (2^16 +1)    0.054 ms
rsa 1024 bit private key             2.541 ms
rsa 1024 bit public key (2^16 +1)    0.152 ms
rsa 2048 bit private key            15.842 ms
rsa 2048 bit public key (2^16 +1)    0.509 ms
rsa 4096 bit private key           113.629 ms
rsa 4096 bit public key (2^16 +1)    1.842 ms
Security provider: IAIK, version 5.01 (with AES addon)
Java VM: Sun Microsystems Inc., version 1.6.0_23, JIT
OS: Linux/amd64, version 3.0.0-14-generic
The ‘numbers’ are in 1000s of bytes per second processed.

type               8 bytes   64 bytes   256 bytes   1024 bytes   8192 bytes   
md2               8140.4k     8322.7k     8333.1k     8327.5k     8331.2k   
md5             164416.9k   281184.4k   290190.5k   292677.9k   294548.8k   
sha1            113844.2k   161927.9k   164697.7k   165188.6k   166283.9k   
sha224           78332.7k    99790.5k   100921.1k   100834.6k   101520.7k   
sha256           79921.3k    95432.8k    99465.9k   100059.8k   100963.6k   
sha384           45961.4k    53365.5k    54081.3k    54155.6k    53980.9k   
sha512           48953.9k    53315.5k    54106.7k    54083.9k    53937.2k   
ripe md128      132593.1k   182542.4k   183173.3k   184803.3k   184486.5k   
ripe md160       66327.9k    76120.5k    77479.6k    78453.7k    78727.8k   
ripe md256      127782.8k   174707.8k   175121.7k   176989.5k   177430.5k   
ripe md320       60981.3k    71265.3k    71368.5k    71416.4k    71761.9k   
whirlpool        11451.8k    22391.0k    22411.3k    22330.0k    22418.7k   
aes cbc              n/a    197636.5k   392540.5k   533565.0k   589840.3k   
aes gcm              n/a     31917.9k    31893.3k    31809.4k    31747.9k   
aes ccm              n/a     28073.2k    31412.8k    31635.4k    31335.4k   
des cbc          43596.4k    47793.5k    48235.2k    48693.4k    48810.7k   
rc2 cbc          31506.0k    34358.7k    34414.0k    34882.2k    34891.7k   
blowfish cbc     44011.2k    51104.8k    52252.5k    51456.3k    52662.4k   
rc5 cbc          57674.5k    66731.0k    68554.4k    68882.0k    68476.9k   
gost cbc         29352.2k    32181.8k    32606.2k    32797.6k    32680.6k   
cast128 cbc      53401.3k    61587.8k    63050.9k    63672.6k    63824.4k   
rc6 cbc              n/a     79707.4k    81850.3k    82350.7k    82741.6k   
mars cbc             n/a     69498.9k    69516.4k    72093.6k    72433.6k   
twofish cbc          n/a     77930.9k    80370.9k    81131.8k    80863.2k   
arcfour         110587.0k   180509.5k   196470.2k   203962.7k   203833.3k   
serpent cbc          n/a     48094.3k    51911.0k    51978.2k    52262.2k   
rijndael-256 cbc     n/a     62717.2k    64887.3k    65800.8k    65828.1k   
camellia cbc         n/a     59323.2k    61237.4k    61360.4k    61718.5k   
rsa 512  bit private key             0.535 ms
rsa 512  bit public key (2^16 +1)    0.054 ms
rsa 1024 bit private key             2.544 ms
rsa 1024 bit public key (2^16 +1)    0.152 ms
rsa 2048 bit private key            15.826 ms
rsa 2048 bit public key (2^16 +1)    0.507 ms
rsa 4096 bit private key           113.370 ms
rsa 4096 bit public key (2^16 +1)    1.849 ms
IAIK-JCE 6.1 – 28. August 2023
Class or Package Bug / Change / New Feature Description and Examples
iaik.asn1.structures.AlgorithmID C

Checks all registered implementation names when instantiating a JCA/JCE engine.

iaik.pkcs.pkcs5.PBMAC1ParameterSpec, iaik.pkcs.pkcs5.PBKDF2PBMAC1ParameterSpec, iaik.pkcs.pkcs5.PBMAC1Parameters NF

AlgorithmParameters and AlgorithmParameterSpec implementations for the PKCS#5 password-based PBMAC1 Message Authentication Scheme.

iaik.pkcs.pkcs12.PKCS12KeyStore C

JKS KeyStore fall back mechanism enabled by default. Explicitly call PKCS12KeyStore.setUSEJKSFallBack(false); if you want to disable it.

iaik.pkcs.pkcs12 NF

Support for parsing and verification of PKCS#12 objects and key stores that use the PKCS#5 v2.1 password-based PBMAC1 Message Authentication Scheme for protecting the integrity of the PKCS#12 file as specified in draft-ietf-lamps-pkcs12-pbmac1-02. Generation of PBMAC1 protected PKCS#12 objects / key stores is currently disabled because the specification (draft-ietf-lamps-pkcs12-pbmac1-02) has not been finalized yet.

iaik.security.cipher.AESCBCCMac128, iaik.security.cipher.AESCBCCMac192, iaik.security.cipher.AESCBCCMac256, NF, C

Additional associated data alternatively may be supplied by calling cipher.updateAAD().

iaik.security.cipher.ChaCha20Poly1305 B

Fixed reset of aad buffer.

iaik.security.mac.PBMAC1 NF

Mac engine for password-based PBMAC1 Message Authentication Scheme as specified by PKCS#5 v2.1 (RFC 8018).

iaik.security.mac NF

SecretKeyFactories for HMAC algorithms added.

iaik.x509.extensions.etsi.QcCClegislation NF

Implementation of the ETSI EN 319 412-1 ValidityAssuredShortTermCerts certificate extension.

iaik.x509.extensions.qualified.structures.etsi.QcCClegislation NF

Implementation of the ETSI EN 319 412-5 QCStatements QCStatementInfo.

IAIK-JCE 6.0 – 23. December 2022
Class or Package Bug / Change / New Feature Description and Examples
* NF

Jar file signed with new JCE provider certificate.

iaik.asn1.structures.AlgorithmID

Added IDs for the key agreement schemes dhSinglePass-stdDH-sha224kdf-scheme, dhSinglePass-stdDH-sha512kdf-scheme, dhSinglePass-cofactorDH-sha224kdf-scheme, dhSinglePass-cofactorDH-sha256kdf-scheme, dhSinglePass-cofactorDH-sha384kdf-scheme, dhSinglePass-cofactorDH-sha512kdf-scheme.

iaik.asn1.structures.AlgorithmID C

Ensures that the parameters field is not encoded as NULL for the CMS AES key wrap ciphers, and that it is encoded as NULL for the CMS DES-EDE key wrap cipher.

iaik.pkcs.pkcs10.CertificateRequest NF

New sign() methods allowing to specify signature algorithm parameters.

iaik.pkcs.pkcs12.P12KeyStore NF

Automatically plugged in for JDK versions >= Java 8 to allow the usage of protection parameters for specifying algorithms other than the defaults when adding key/certificate entries to and/or storing a particular PKCS#12 KeyStore.

iaik.security.dsa NF, C

For deterministic DSA signatures the signature value is now verified immediately after creation as countermeasure against fault attacks. The check can be generally en/disabled for all (deterministic and non-deterministic) DSA signatures by using the static method DSA.setDoVerifySignature().

iaik.security.kdf.KDF1 NF

Implementation of Key Derivation Function (KDF) 1 as specified by ISO/IEC 18033-2.

iaik.security.kdf.KDF2 NF

Implementation of Key Derivation Function (KDF) 2 as specified by ANS X9.44.

iaik.security.kdf.KDF3 NF

Implementation of Key Derivation Function (KDF) 3 as specified by ANS X9.44.

iaik.security.rsa.RsaKem NF

Implementation of the RSA-KEM Key Encapsulation Mechanism as specified by RFC 5990 and ISO/IEC 18033-2.

iaik.utils.Base64OutputStream NF

Support for Base64Url encoding added.

iaik.utils.Util NF

Added testCreateRsaPssParameters(), createRsaPssAlgorithmID() to generate RSA PSS parameters and AlgorithmIDs from hash algorithm and salt length.

iaik.utils.Util NF

Added testCreateRsaOaepParameters(), createRsaOaepAlgorithmID() to generate RSA OAEP parameters and AlgorithmIDs from hash algorithm and label value.

iaik.x509.X509Certificate NF

Method setVersion added.

iaik.x509.X509CRL NF

Overrides method getRevokedCertificate(java.security.cert.X509Certificate). Tries to convert Principal objects to iaik.asn1.structures.Name objects.

iaik.x509.attr.ACRL C

Overrides method getRevokedCertificate(java.security.cert.X509Certificate) to throw a NoSuchMethodError (attribute certificates are no public key certificates).

iaik.x509.X509Certificate, iaik.x509.X509CRL, iaik.x509.attr.AttributeCertificate, iaik.x509.attr.ACRL, iaik.x509.ocsp.BasicOCSPResponse, iaik.x509.ocsp.OCSPRequest NF

New sign() methods allowing to specify signature algorithm parameters.

IAIK-JCE 5.63 – 23. December 2021
Class or Package Bug / Change / New Feature Description and Examples
iaik.asn1.structures.Attributes B

Fixed method addAttribute(Attribute attribute, boolean replace) to ensure that the attribute is added if replace is set to true and no attribute of the given type is included yet.

iaik.pkcs.pkcs5 NF

KeyFactories for SHA256AndAES256 and SHA384AndAES128 added.

iaik.pkcs.pkcs7.SignerInfo C

Default hash algorithm changed from SHA-1 to SHA-256.

iaik.pkcs.pkcs12 NF, C

PKCS#12 implementation adapted to PKCS#12 v1.1 (RFC 7292).
Default algorithms HMacSHA1, PBEWithSHAAnd3_KeyTripleDES_CBC, PBEWithSHAAnd40BitRC2_CBC changed to HMacSHA256, PBES2WithHmacSHA256AndAES256 and PBES2WithHmacSHA256AndAES256 for protecting the integrity of the PKCS#12 KeyStore and password based encrypting Key- and CertificateBags.

iaik.security.cipher NF

IvParameterGenerators for AES and Camellia added.

iaik.security.keystore.IAIKKeyStore C

Uses a higher iteration count value.

iaik.security.kdf.HKDF NF

Implementation of the HMAC-based HKDF key derivation function as specified by RFC 5869.

iaik.security.md.SHAKE128, iaik.security.md.SHAKE256 NF

SHAKE128 and SHAKE256 are now also available as MessageDigest engines (as alternative to the InputStream based implementations). Default output sizes are 256 bits for SHAKE128 and 512 bits for SHAKE256. To get a digest output of other than the default length create a byte array of the desired output length and specify this array when calling the final digest(byte[] buf, int offset, int len) method of the MessageDigest engine, e.g.:

	MessageDigest shake256 = MessageDigest.getInstance("SHAKE256");
	...
	shake256.update(m1);
	shake256.update(m2);
	...
	int digestLen = ...;                     // desired output length in bytes
	byte[] output = new byte[digestLen];     // the digest is written into this buffer
	shake256.digest(output, 0, digestLen);   // requests exactly digestLen bytes of SHAKE output
IAIK-JCE 5.62 – 1. December 2020
Class or Package Bug / Change / New Feature Description and Examples
iaik.asn1.ConstructedType C

Added tighter length check to decode() method.

iaik.asn1.DerCoder NF, C

New methods added allowing to enable some tighter DER checks during decoding.

iaik.asn1 C

When parsing simple types now an Exception is thrown if constructed encoding has been used (can be switched off by ASN1String.setIgnoreConstructedEncodingForSimpleTypes(true);).

iaik.asn1.ObjectID NF, C

Method getRegisteredObjectID(String nameOrShortName) added allowing to query for an ObjectID based on its name or short name. Method getObject(String oid) now first looks for a registered ObjectID and creates a new one only if it cannot find a registered one.

iaik.asn1.structures.AlgorithmID C

Method getAlgorithmParameterSpec() also tries java.security.spec.PSSParameterSpec for RSA-PSS signature parameters and javax.crypto.spec.OAEPParameterSpec for RSA-OAEP encryption parameters. Method getRawImplementationName() returns RSAES-OAEP for rsaesOAEP AlgorithmID.

iaik.asn1.structures.AlgorithmID NF

AlgorithmID for ChaCha20Poly1305 (1.2.840.113549.1.9.16.3.18) according to RFC 8103 added.

iaik.pkcs.pkcs1.OAEPPadding C

Added leading zero byte check to unpad().

iaik.pkcs.pkcs1.RSACipher C

Added message size check to rawCrypt().

iaik.pkcs.pkcs12.PKCS12KeyStore C

Does not throw an exception anymore if the certificate chain of a key entry cannot be sorted; rather the given (maybe unsorted) certificate chain is used.

iaik.pkcs.pkcs12.PKCS12KeyStore NF

New method PKCS12KeyStore.setUSEJKSFallBack(boolean) allows to advise the PKCS12KeyStore to fall back to a JKS KeyStore to solve JSSE default KeyStore parsing problems.

iaik.security.cipher C

Padding schemes do not give detailed error information anymore when they throw a BadPaddingException.

iaik.security.cipher NF, C

In CCM mode Ciphers can now also use method updateAAD() to provide the additional authenticated (associated) data (if Java 7 or newer is used).
If associated data is specified by a CCMParameterSpec, the associated data is also included in the parameters obtained from a CCM Cipher when calling ccmCipher.getParameters(). However, associated data that has been supplied by calling ccmCipher.updateAAD() is not included in the parameters obtained from a CCM Cipher when calling ccmCipher.getParameters().

iaik.security.cipher B

Fixed GCM increment function in engineInit().

iaik.security.cipher C

In CCM and GCM mode now a BadPaddingException (AEADBadTagException) instead of an IllegalBlockSizeException is thrown if the mac value is invalid.

iaik.security.cipher.AESKeyWrapWithPadding NF

Implements the AES Key Wrap with Padding algorithm as specified by RFC 5649, which also allows to wrap keys whose size is not a multiple of 64 bits (as extension to the AES Key Wrap algorithm specified by RFC 3394, which requires the size of the to-be-wrapped key to be a multiple of 64 bits).
RFC 5649 key wrap with padding can be used either by directly instantiating the AES Key Wrap with Padding Cipher, e.g.:

 Cipher cipher =  Cipher.getInstance("AESWrapWithPadding", "IAIK");

or by instantiating the AESWrap Cipher and specifying “RFC5649Padding” as padding mode:

 Cipher cipher = Cipher.getInstance("AESWrap/ECB/RFC5649Padding");
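Added example (not code from IAIK or from this page) contrasting the two entries above: plain AESWrap must reject a 160-bit key, AESWrapWithPadding wraps and unwraps it. It assumes the IAIK jar on the classpath and uses IAIK.getInstance() as shown elsewhere in these notes; the class and method names are hypothetical, and the exception AESWrap throws for an unaligned key is caught broadly because the entry does not name it.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import iaik.security.provider.IAIK;

/** Hypothetical class name; added example, not IAIK code. */
public class KeyWrapWithPaddingDemo {

    /** Wraps toWrap under the key-encryption key kek using the given IAIK wrap transformation. */
    static byte[] wrap(String transformation, SecretKey kek, Key toWrap) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(transformation, IAIK.getInstance());
        cipher.init(Cipher.WRAP_MODE, kek);
        return cipher.wrap(toWrap);
    }

    /** Inverse of wrap(); keyAlgorithm is the algorithm name the recovered key is tagged with. */
    static Key unwrap(String transformation, SecretKey kek, byte[] wrapped, String keyAlgorithm)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(transformation, IAIK.getInstance());
        cipher.init(Cipher.UNWRAP_MODE, kek);
        return cipher.unwrap(wrapped, keyAlgorithm, Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES", IAIK.getInstance());
        kg.init(256);
        SecretKey kek = kg.generateKey();

        // Constructed 160-bit HMAC key: 20 bytes is not a multiple of 64 bits.
        byte[] raw = new byte[20];
        Arrays.fill(raw, (byte) 0x42);
        SecretKey hmacKey = new SecretKeySpec(raw, "HmacSHA1");

        // RFC 3394 wrap requires 64-bit multiples and therefore has to reject this key.
        try {
            wrap("AESWrap", kek, hmacKey);
            System.out.println("unexpected: AESWrap accepted a 20-byte key");
        } catch (GeneralSecurityException e) {
            System.out.println("AESWrap rejected the 160-bit key: " + e);
        }

        // RFC 5649 pads the key to the next 64-bit boundary (24 bytes) and adds the 8-byte AIV: 32 bytes out.
        byte[] wrapped = wrap("AESWrapWithPadding", kek, hmacKey);
        System.out.println("wrapped length: " + wrapped.length);

        Key recovered = unwrap("AESWrapWithPadding", kek, wrapped, "HmacSHA1");
        System.out.println("unwrap ok: " + Arrays.equals(raw, recovered.getEncoded()));
    }
}
```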
iaik.security.cipher.ChaCha20 NF, C

ChaCha20 now also may be initialized by an javax.crypto.spec.ChaCha20ParameterSpec (for Java 11 upwards).

iaik.security.cipher.ChaCha20 C

Method checkKeyAndNonceReuse() added to decide whether to check if the Cipher is used for encryption again without re-initialization (default: true).

iaik.security.cipher.ChaCha20Poly1305, iaik.security.cipher.ChaCha20Poly1305ParameterSpec C

64 bit nonce not allowed anymore. Nonce must be 96 bits long. Block counter must be 0.

iaik.security.cipher.ChaCha20Poly1305CMSParameterSpec NF

New AlgorithmParameterSpec class allowing to initialize a ChaCha20Poly1305 Cipher engine for use with Cryptographic Message Syntax (CMS, RFC 8103).

iaik.security.cipher.ChaCha20Poly1305 NF, C

Now also may be initialized by a ChaCha20Poly1305CMSParameterSpec to be used for Cryptographic Message Syntax (CMS, RFC 8103) where the mac is not appended to the cipher text and can be set/got by/from parameters.

iaik.security.cipher.ChaCha20Poly1305 C

Additional authenticated (associated) data now may be supplied only either by a ChaCha20Poly1305(CMS)ParameterSpec or by calling method updateAAD(). Using both alternatives simultaneously is no longer allowed.
If associated data is specified by a ChaCha20Poly1305(CMS)ParameterSpec, the associated data is also included in the parameters obtained from a ChaCha20Poly1305 Cipher when calling chacha20Poly1305Cipher.getParameters(). However, associated data that has been supplied by calling chacha20Poly1305Cipher.updateAAD() is not included in the parameters obtained from a ChaCha20Poly1305 Cipher when calling chacha20Poly1305Cipher.getParameters().

iaik.security.cipher.ChaCha20Poly1305 B

Fixed output size calculation.

iaik.security.cipher.CCMParameters NF, C

Method checkKeyAndNonceReuse() added to decide whether to check if the CCM Cipher is used for encryption again without re-initialization (default: true).

iaik.security.cipher.GCMParameters C

checkKeyAndNonceReuse() is now set to true by default, so that in GCM mode it is checked by default whether the Cipher is used for encryption again without re-initialization.

iaik.security.cipher.GCMParameters NF

Method setUseJava7ApiByDefault() added allowing to decide whether to use the Java7 GCM API also when the Cipher has not been initialized with a javax.crypto.spec.GCMParameterSpec and no additional authenticated data (AAD) has been specified by Cipher.updateAAD() call(s).

iaik.security.md C

MessageDigest engines implement the Cloneable interface.

iaik.security.md.GOST3411 B, C

Implements method clone().

iaik.security.md.KECCAK B

Fixed index calculation in engineUpdate().

iaik.security.md.Skein64Bit B

Fixed engineUpdate().

iaik.security.provider.IAIK NF

Static method setBufferMoreAEADCipherDataThanNecessary() added allowing to decide whether the IAIK AEAD Cipher engines/modes ChaCha20Poly1305, GCM and CCM shall buffer more cipher data than necessary during update() calls during decryption (e.g. for use with javax.crypto.CipherInputStream).

iaik.security.rsa NF, C

RSA key pair generators now support initialization by an RSAKeyGenParameterSpec.

iaik.utils.RFC2253NameParser NF

Method checkObjectIDForAssociatedOIDs() added allowing to advise the RFC2253NameParser to also look in class ObjectID for (short)name – ObjectID associations if none can be found in the internal RFC2253NameParser repository.

iaik.utils.RFC2253NameParser C

Added “title” to short name associations. Made associations_ table private.

iaik.utils.UniversalKeyStore NF

Universal KeyStore utility for reading Java key stores without using a specific format.

iaik.utils.Util B, C

Method createCertificateChain() now checks for authorityCertIssuer and authorityCertSerialNumber if the AuthorityKeyIdentifier extension does not contain the keyIdentifier field.

iaik.utils.Util C

When decoding a private or public key, method decodeKey() does not throw a NoSuchAlgorithmException anymore if no KeyFactory is available for the particular key algorithm. Rather an iaik.pkcs.pkcs8.RawPrivateKey or iaik.x509.RawPublicKey is returned.

iaik.x509.attr.extensions.AcceptableCertPolicies B

Fixed toASN1Object().

IAIK-JCE 5.61 – 7. June 2020
Class or Package Bug / Change / New Feature Description and Examples
iaik.asn1.ObjectID C

Removed short name “T” from ObjectID.title since not RFC2253/4514 compliant. If required it can be registered again by:

new ObjectID(ObjectID.title.getID(), ObjectID.title.getName(), "T");
iaik.pkcs1.RSAOaepParameterSpec, iaik.pkcs1.RSAOaepParameters, iaik.pkcs1.RSACipher NF, C

Now also can be used with javax.crypto.spec.OAEPParameterSpec (for JDK >= 1.5).

iaik.pkcs1.RSAOaepParameters NF

Static method setUseSHA1ForMGF1WithJCAStandardName() allowing to configure the IAIK provider to use SHA-1 for MGF1 anytime the hash algorithm name is specified in the padding scheme name when creating a RSA-OAEP cipher:

Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA256AndMGF1Padding", "IAIK");

By default the IAIK provider uses the same hash algorithm for both the RSAES-OAEP en/decryption scheme as well as the MGF1 mask generation function. However, the SunJCE provider uses SHA-1 as hash algorithm for the MGF1 mask generation regardless of which hash algorithm is specified in the padding scheme name. When calling

RSAOaepParameters.setUseSHA1ForMGF1WithJCAStandardName(true);

the IAIK provider may be configured to behave as the SunJCE provider.
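Added example (not IAIK's or this page's code, standard JCA API only, class and method names hypothetical) showing how to sidestep the ambiguity described above: an explicit javax.crypto.spec.OAEPParameterSpec, accepted by IAIK as of this release and by SunJCE, pins both the OAEP hash and the MGF1 hash, so the outcome no longer depends on how a provider reads the padding name. The second step shows what a mismatched MGF1 hash between the two sides looks like in practice.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

/** Hypothetical class name; added example, not IAIK code. */
public class OaepExplicitParamsDemo {

    // IAIK reads this name as MGF1-with-SHA-256 by default, SunJCE as MGF1-with-SHA-1.
    static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** OAEP with SHA-256 as encoding hash and an explicitly chosen MGF1 hash. */
    static OAEPParameterSpec oaepSha256(MGF1ParameterSpec mgf1Hash) {
        return new OAEPParameterSpec("SHA-256", "MGF1", mgf1Hash, PSource.PSpecified.DEFAULT);
    }

    static byte[] encrypt(KeyPair kp, byte[] plaintext, OAEPParameterSpec params) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, kp.getPublic(), params);  // params override the name's defaults
        return cipher.doFinal(plaintext);
    }

    static byte[] decrypt(KeyPair kp, byte[] ciphertext, OAEPParameterSpec params) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, kp.getPrivate(), params);
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample plaintext (well below the OAEP-SHA-256 limit of 190 bytes for a 2048-bit key)
        byte[] msg = "constructed sample: wrapped session key".getBytes("UTF-8");

        OAEPParameterSpec mgf1Sha256 = oaepSha256(MGF1ParameterSpec.SHA256);
        OAEPParameterSpec mgf1Sha1 = oaepSha256(MGF1ParameterSpec.SHA1);

        // Both sides state the same parameters explicitly: interoperable across providers.
        byte[] ct = encrypt(kp, msg, mgf1Sha256);
        System.out.println("explicit params round trip ok: " + Arrays.equals(msg, decrypt(kp, ct, mgf1Sha256)));

        // Mismatch, i.e. what happens when one side relies on a provider default that differs:
        // the OAEP decoding fails and is reported as a BadPaddingException.
        try {
            decrypt(kp, ct, mgf1Sha1);
            System.out.println("unexpected: decryption with a different MGF1 hash succeeded");
        } catch (BadPaddingException e) {
            System.out.println("MGF1 hash mismatch rejected: " + e.getMessage());
        }
    }
}
```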

iaik.security.cipher.PbeWithSHAAnd40BitRC2_CBC, iaik.security.cipher.PbeWithSHAAnd3_KeyTripleDES_CBC, iaik.security.cipher.PbeWithMD5AndDES_CBC B

Fixed init(int opmode, Key key, AlgorithmParameterSpec params) to internally use a new AlgorithmParameters object to allow re-initialization with a PBEParameterSpec object.

iaik.security.dh.DHKeyPairGenerator C

Default key size changed to 2048 bits; pre-generated parameters from RFC 2409/3526/7919.

iaik.security.dh.DHPublicKey NF, C

Method validatePublicKey() adopted from ESDHPublicKey. It is now automatically called in (ES)DHKeyAgreement.doPhase() and need not be called explicitly anymore.

iaik.security.dsa.DSA NF, C

Added support for blinding for DSA signing operations as countermeasure against timing attacks. Blinding is enabled by default but can be disabled by calling DSA.setUseBlinding(false). Checks for hash algorithm security strength compliance during signature generation.

iaik.security.dsa.DSAKeyPairGenerator C

Default key size changed to 2048 bits, maximum bit size changed to 3072 bits (FIPS 186-3 for 2048 and 3072 bit keys). Default key size can be set back to 1024 bit by calling DSA.setUseBackwardsCompatibilityMode(true).

iaik.security.dsa.DSAParameterGenerator C

Can now only be used to generate parameters up to a p size of 1024 bits. A SHA2withDSAParameterGenerator may be used for generating parameters for 2048 or 3072 bit keys.

iaik.security.rsa.RSAKeyPairGenerator* C

Default key size of RSA key pair generators changed to 2048 bits.

IAIK-JCE 5.60 – 6. August 2019
Class or Package Bug / Change / New Feature Description and Examples
iaik.asn1.structures.AlgorithmID NF, C

get*Instance() now also search for an implementation based on the JCA standard name.

iaik.asn1.structures.AlgorithmID C

AlgorithmID.rsassapss: By default absent parameters will not be encoded as NULL anymore.

B

toASN1Object(): Fixed pSourceAlgorithm default parameter check.

iaik.pkcs.pkcs7.RSACipherProvider B

setCipherProvider(): Fixed cipher provider setting in DECRYPT_MODE.

iaik.security.provider.IAIK C

getInstance() uses the lazy initialization holder class idiom to create the static IAIK instance.

iaik.security.cipher.ChaCha20Poly1305 NF

Implementation of the ChaCha20Poly1305 AEAD cipher according to RFC 8439.

iaik.security.mac.Poly1305 NF

Implementation of the Poly1305 message authentication algorithm according to RFC 8439.

iaik.security.rsa.RSAOaepPrivateKey, iaik.security.rsa.RSAOaepPublicKey, iaik.security.rsa.RSAPssPrivateKey, iaik.security.rsa.RSAPssPublicKey NF, C

If no parameters are included the parameters field will be absent from the AlgorithmID encoding (not encoded as NULL anymore).

iaik.security.provider.IAIKMD NF

Implements a “subsidiary” provider for the IAIK provider for working around a JSSE MessageDigest Cloneable bug. Some versions of JSSE (e.g. Java 11) may contain a bug (https://bugs.openjdk.java.net/browse/JDK-8214098) that may cause a TLS handshake to fail with an UnsupportedOperationException if a MessageDigest engine is used that implements the Cloneable interface and extends the java.security.MessageDigest class.
The IAIK-MD provider contains MessageDigest engines for the message digest algorithms commonly used by JSSE for TLS (“MD5”, “SHA”, “SHA-256”, “SHA-384”). They wrap the corresponding MessageDigest implementations of the IAIK provider but extend the MessageDigestSpi class, and therefore allow to use the IAIK provider with affected JSSE versions when installing this IAIK-MD provider as first provider in front of the IAIK provider:

Security.insertProviderAt(new IAIKMD(), 1);
Security.insertProviderAt(new IAIK(), 2);
iaik.utils.RFC2253NameParser NF, C

Allows line wrapping after RDN or AVA separator character (according to RFC 4514).

iaik.x509.X509Certificate, iaik.x509.X509CRL, iaik.x509.attr.AttributeCertificate, iaik.x509.attr.ACRL B, C

Method verify(PublicKey key, Provider provider) does not throw a NoSuchProviderException anymore.

IAIK-JCE 5.52 – 9. August 2018
Class or Package Bug / Change / New Feature Description and Examples
* B

Fixed possible NullPointer problems during finalization.

iaik.asn1.INTEGER C

New method checkForMinimumLengthEncoding(boolean) allowing to en/disable checking INTEGER encodings for being encoded in the minimum number of octets (as required by BER/DER).

iaik.asn1.UTF8String, iaik.utils.Util C

Now supports UTF-8 en/decoding of supplementary Unicode characters represented as character pairs (high surrogate, low surrogate).

iaik.asn1.structures.AlgorithmID C

Method getRawImplementationName() now also tries to get the “raw” name for signature algorithms names (e.g. “RSA” for “SHA1withRSA”).

Method getAlgorithmParameterSpec() now also tries to get an AlgorithmParameters implementation for the raw implementation name.

Registered DSA/ECDSA SHA*, SHA3* based signature algorithms to not include parameters when used in PKIX certificate, crl, etc. objects.

iaik.pkcs.pkcs1.RSAPssParameters, iaik.security.rsa.RSAPssSignature NF, C

Now also can be used with java.security.spec.PSSParameterSpec (for JDK >=1.5).

iaik.pkcs.pkcs8.PrivateKeyInfo NF, C

Fixed OneAsymmetricKey attributes and publicKey fields to use implicit tagging. Parses optional attributes and publicKey fields before calling decode() of the key algorithm implementing child class.

iaik.security.dsa NF

Added implementation of deterministic signing according to RFC 6979:

Signature dsa = Signature.getInstance("…withDSA", IAIK.getInstance());
dsa.setParameter(new DetSigDSAParameterSpec());   // selects RFC 6979 deterministic nonce generation
dsa.initSign(…);

iaik.security.dsa.DSAPublicKey, iaik.security.rsa.RSAPublicKey, NF

Added method isValidSP80089SignatureVerificationKey() to check if the public DSA/RSA key is applicable for signature verification according to NIST SP 800-89.

iaik.security.dsa.DSA, iaik.security.rsa.RSAPkcs1Signature C

engineSetParameter: does not throw an InvalidAlgorithmParameterException if params are null (to avoid JCE jar file verification problems with Java 11).

iaik.security.provider.IAIK NF

Added aliases “PBEWithHmacSHA1AndAES_128”, “PBEWithHmacSHA256AndAES_128”, “PBEWithHmacSHA384AndAES_192”, “PBEWithHmacSHA512AndAES_256” to the PBES2 cipher implementations according to the JDK Standard Algorithm Names conventions.

iaik.security.provider.IAIK C

Registered Cipher name based PKCS#5, PKCS#12 SecretKeyFactories for PBE ciphers (instead of general “PBE” SecretKeyFactories).

iaik.security.provider.IAIK C

Changed java.version check to use the CertificatePath supporting (X509)CertificateFactory implementation on Android, too.

iaik.x509.ocsp.net.HttpOCSPRequest NF

New method HttpURLConnection openConnection(URL responderUrl) allowing an application to configure the HttpURLConnection object (e.g. setting read/connect timeout).

IAIK-JCE 5.51 – 23. September 2017
Class or Package Bug / Change / New Feature Description and Examples
iaik.security.dsa B

Added SHA-3 based DSA Signature engine classes.

iaik.security.keystore.IAIKKeyStore B

Fixed adding of entries to v0 IAIKKeyStores.

iaik.security.provider.IAIK B

Fixed alias for “RipeMd256withRSA” to actually refer to the “RIPEMD256/RSA” signature algorithm.

IAIK-JCE 5.5 – 19. August 2017
Class or Package Bug / Change / New Feature Description and Examples
* NF, C

Throughout support for using the IAIK provider without the necessity
of installing it within the JCA/JCE Security framework:

  • Replaced any internal IAIK provider name based JCA/JCE Engine instantiation (<Engine>.getInstance(algorithm, "IAIK");)
    by IAIK provider object based instantiation (<Engine>.getInstance(algorithm, IAIK.getInstance());).
  • Preceded any internal general (provider-less) JCA/JCE Engine instantiation (<Engine>.getInstance(algorithm);)
    by an IAIK provider object based instantiation.
  • Added Provider object based methods to classes that already contain Provider name based methods,
    e.g. AlgorithmID.getSignatureInstance(Provider), X509Certificate.sign(AlgorithmID, PrivateKey, Provider),
    X509Certificate.verify(PublicKey, Provider), etc., including the javax_crypto.jar JCE engines like
    Cipher.getInstance(String, Provider).
iaik.asn1.structures.AlgorithmID NF

New method getJcaStandardName() that returns the JCA standard
name for the algorithm id. Since JCA standard algorithm names have been changed over time a JCA standard algorithm name may be different to the implementation name for the same algorithm id. For backwards compatibility method getImplementationName() continues to return the implementation name used by IAIK-JCE so far, whereas this method returns the algorithm name defined by the JCA specification. The JCA standard name is now also returned by the getSigAlgName() method of classes X509Certificate, X509CRL, AttributeCertificate and ACRL.

iaik.pkcs.pkcs8 NF, C

Enhanced PrivateKeyInfo about optional attributes and publicKey fields according to RFC 5958 OneAsymmetricKey syntax. Added implementation about RFC 5958 AsymmetricKeyPackage type.

iaik.security.cipher.AESCBCCMac* C

Creates random iv (instead of default iv of all zeros as specified by BSI standard) if iv is not explicitly specified.

iaik.security.cipher NF

GCM mode now also supports the JDK GCM Cipher API introduced by Java 7,
using javax.crypto.spec.GCMParameterSpec to specify the nonce and mac length parameters and Cipher.updateAAD() to set the additional authenticated data (AAD). The mac value is appended to the cipher text.
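Added example (not part of the IAIK changelog) that combines the two 5.5 changes above: AES-GCM driven through the JDK GCMParameterSpec/updateAAD API, with every engine obtained via the IAIK provider object instead of the provider name. The algorithm names ("AES/GCM/NoPadding", "SHA256PRNG", "AES"), the 128-bit tag and the sample AAD/plaintext are assumptions made for this example.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import iaik.security.provider.IAIK;

public final class GcmWithProviderObject {

  private static final int TAG_BITS = 128;  // mac length; the tag is appended to the cipher text
  private static final int NONCE_LEN = 12;  // 96-bit nonce, the usual GCM choice

  // Encrypts with AES-GCM through the provider object (no Security.addProvider needed).
  static byte[] encrypt(SecretKey key, byte[] nonce, byte[] aad, byte[] plaintext) throws Exception {
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding", IAIK.getInstance());
    c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
    c.updateAAD(aad);            // authenticated but not encrypted
    return c.doFinal(plaintext); // ciphertext || 16-byte tag
  }

  // Decrypts and verifies; a wrong tag, AAD or nonce ends in BadPaddingException
  // (AEADBadTagException is a subclass of it), never in silently returned garbage.
  static byte[] decrypt(SecretKey key, byte[] nonce, byte[] aad, byte[] ciphertext) throws Exception {
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding", IAIK.getInstance());
    c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
    c.updateAAD(aad);
    return c.doFinal(ciphertext);
  }

  public static void main(String[] args) throws Exception {
    IAIK iaik = IAIK.getInstance();
    SecureRandom rng = SecureRandom.getInstance("SHA256PRNG", iaik);
    KeyGenerator kg = KeyGenerator.getInstance("AES", iaik);
    kg.init(256, rng);
    SecretKey key = kg.generateKey();

    // A fresh nonce per message: a (key, nonce) pair must never be used twice with GCM.
    byte[] nonce = new byte[NONCE_LEN];
    rng.nextBytes(nonce);
    byte[] aad = "header-v1".getBytes("UTF-8");                  // constructed sample AAD
    byte[] msg = "constructed sample plaintext".getBytes("UTF-8"); // constructed sample data

    byte[] ct = encrypt(key, nonce, aad, msg);
    byte[] pt = decrypt(key, nonce, aad, ct);
    System.out.println("round trip ok: " + Arrays.equals(msg, pt));

    // Modified AAD must be rejected by the appended mac.
    byte[] otherAad = "header-v2".getBytes("UTF-8");
    try {
      decrypt(key, nonce, otherAad, ct);
      System.out.println("unexpected: modified AAD accepted");
    } catch (BadPaddingException e) {
      System.out.println("modified AAD rejected: " + e.getMessage());
    }
  }
}
```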

iaik.security.cipher B

Fixed GCM increment function.

iaik.security.cipher.GCMParameters NF

New method checkKeyAndNonceReuse allowing to enable a check that a GCM Cipher is not reused for encryption a second time without re-initialization (to ensure that the same key and nonce pair is not used again).

iaik.security.cipher.CCMParameters, iaik.security.cipher.GCMParameters C

When parsed CCM/GCM parameters contain the default aes-ICVlen (macLength) component (12), the aes-ICVlen (macLength) component is also included when the parameters are encoded again. New static method setIncludeDefaultMacLengthInEncding added, allowing to decide whether to include a default macLength component whenever CCM/GCM parameters are encoded (may be required for compatibility reasons).

iaik.security.dsa NF

Added SHA-3 based DSA Signature engines: “SHA3-224withDSA”, “SHA3-256withDSA”, “SHA3-384withDSA”, “SHA3-512withDSA”.

iaik.security.provider.IAIK NF

Added aliases “AES_128”, “AES_192”, “AES_256”, “AESWrap_128”, “AESWrap_192”, “AESWrap_256”, “Camellia_128”, “Camellia_192”, “Camellia_256”, “CamelliaWrap_128”, “CamelliaWrap_192”, “CamelliaWrap_256” according to the JDK Standard Algorithm Names conventions.

iaik.security.keystore.IAIKKeyStore C

Uses stronger algorithms for MAC calculation and encryption (HmacSHA3-512, AES 256 bit) and increased salt and iteration count values. Reading the old format is still supported. Now keeps the encoded certificate representation to avoid de-/re-encoding issues.

iaik.security.provider.IAIK C

Uses iaik.x509.X509CertificateFactory as default CertificateFactory.

iaik.security.mac NF

Added SHA-3 based HMAC Mac and KeyGenerator engines:
“HmacSHA3-224”, “HmacSHA3-256”, “HmacSHA3-384”, “HmacSHA3-512”

iaik.security.mac NF

Added SHA-512/224, SHA-512/256 based HMAC Mac and KeyGenerator engines: “HmacSHA512/224”, “HmacSHA512/256”

iaik.security.rsa NF

Added SHA-3 based RSASSA-PKCS1-v1_5 Signature engines:
“SHA3-224withRSA”, “SHA3-256withRSA”, “SHA3-384withRSA”, “SHA3-512withRSA”.
Added SHA-3 based RSASSA-PSS Signature engines: “SHA3-224withRSAandMGF1”, “SHA3-256withRSAandMGF1”,
“SHA3-384withRSAandMGF1”, “SHA3-512withRSAandMGF1”.

iaik.security.rsa NF

Added SHA-512/224, SHA-512/256 based RSASSA-PKCS1-v1_5 Signature engines: “SHA512/224withRSA”, “SHA512/256withRSA”.
Added SHA-512/224, SHA-512/256 based RSASSA-PSS Signature engines:
“SHA512/224withRSAandMGF1”, “SHA512/256withRSAandMGF1”.

iaik.utils.DumpKeyStore C

Skips secret key entries. Now uses keystore entry alias as file name
because alias must be unique for each entry.

iaik.x509.attr.AttributeCertificateFactory NF

CertificateFactory implementation for parsing attribute certificates and ACRLs added.

iaik.x509.qualified.X509QualifiedCertificateFactory NF

CertPath supporting QualifiedCertificateFactory added.

IAIK-JCE 5.4 – 28. June 2017
Class or Package Bug / Change / New Feature Description and Examples
* NF, C

jar files signed with old (for supporting old DSA JCE Root CA) and new (for supporting new RSA JCE Root CA) IAIK-JCE provider certificates. The new certificate provides a stronger protection (SHA256withRSA) than the old one (SHA1withDSA). The new JCE Root CA is effective for Java versions 8u121, 7u131, 6u141 upwards. To support other (former) Java versions the
jar files must be signed with the old provider certificate, too.

iaik.asn1.structures.AlgorithmID, iaik.security.provider.IAIK NF

Added AlgorithmIDs and aliases (2.16.840.1.101.3.4.3.3, 2.16.840.1.101.3.4.3.4) for the dsaWithSHA384 and dsaWithSHA512 signature algorithms.

iaik.asn1.structures.ChoiceOfTime B

Fixed milliseconds representation when creating a ChoiceOfTime object of type GeneralizedTime from a Date object.

iaik.security.cipher B

Fixed internal buffering and input length calculation for CCM mode.

iaik.security.cipher.AESCBCCMac128, iaik.security.cipher.AESCBCCMac192, iaik.security.cipher.AESCBCCMac256 NF

Implementation of the BSI TR-03109-1 AES-CBC-CMAC authenticated encryption cipher family (ciphers, key generators, algorithm parameters, secret key
factories)

iaik.security.cipher.CCMParameters, iaik.security.cipher.GCMParameters B

Fixed default encoding (to not include aes-ICVlen component if default length (12) is used).

iaik.security.cipher.ChaCha20 NF

Implementation of the ChaCha20 stream cipher as specified by RFC 7539.

iaik.security.random.SecRandom NF

Added method getAlgorithm() so that it can also be called when the SecureRandom object has been created in the old way by using the PRNG class constructor (and not by calling SecureRandom.getInstance()).

iaik.security.random.HMacSHA384SP80090Random B

Fixed to actually use HMacSHA384 (HMacSHA512 was used so far when the HMacSHA384SP80090Random object was created in the old way by using its constructor).

iaik.security.random C

Synchronized engineGetBytes, engineSetSeed
to avoid synchronization issues with jdk versions >=8u112.

iaik.x509.NetscapeCertRequest NF

Method getChallenge() added to get the challenge from the request. Constructors/methods added that allow creating and signing a NetscapeCertRequest from scratch.

iaik.x509.extensions.qualified.structures.etsi.QcType NF

Implementation of the ETSI EN 319 412-5 QcType QCStatementInfo for declaring the type(s) of EU qualified certificates.

iaik.x509.X509Certificate, iaik.x509.RevokedCertificate, iaik.x509.attr.AttributeCertificate, iaik.x509.attr.IssuerSerial, iaik.x509.ocsp.CertID NF, C

Added hexadecimal representation to serial number output of toString() method.

iaik.x509.ocsp.extensions.CrlID NF, C

Changed toString method to output the crl number in hexadecimal representation.

IAIK-JCE 5.3 – 23. December 2015
Class or Package Bug / Change / New Feature Description and Examples
demo.pkcs.EnvelopedDataOAEP C

Shows usage with non-default OAEP parameters. Now uses standard RSA-OAEP algorithm oid.

iaik.asn1.ASN C

Default ASN.1 types are now registered by their class name to avoid static initialization dependencies.

iaik.asn1.ASN1 NF

Method readEncoded allowing to read the encoding of an ASN.1 object from a stream without keeping the internal ASN.1 structure in memory.

iaik.asn1.structures.AlgorithmID B

Fixed NULL/absent parameter handling when parsed from an InputStream (AlgorithmID(DerInputStream)).

iaik.asn1.structures.PolicyQualifierInfo C

Tighter explicit text check.

iaik.pkcs.pkcs1.PKCS1v15Padding, iaik.pkcs.pkcs1.OAEPPadding C

Made unpadding more time constant.

iaik.pkcs.pkcs1.RSACipher NF, C

When the Cipher is used in ENCRYPT mode for signature creation with CRT keys, the signature value is verified as a countermeasure against RSA CRT key leaks. The check can be disabled by the new static method RSACipher.setDoVerifyCRTSignature(false). The check is not performed for PSS signatures since they are not deterministic.

iaik.pkcs.pkcs1.RSAOaepParameters B

Fixed pSourceAlgorithm DEFAULT parameter check.

iaik.pkcs.pkcs1.PKCS1AlgorithmParameters, iaik.pkcs.pkcs1.MGF1Parameters, iaik.pkcs.pkcs1.RSASSAPkcs1v15Parameters, iaik.pkcs.pkcs1.RSAOaepParameters, iaik.pkcs.pkcs1.RSAPssParameters C

When initialized from an encoding (init(byte[] params)), the encoded parameters are kept and returned unchanged when getEncoded() is called.

iaik.pkcs.pkcs1.RSAOaepPSourceParameterSpec C

Check for right label encoding.

iaik.security.md.SHA3_224, iaik.security.md.SHA3_256, iaik.security.md.SHA3_384, iaik.security.md.SHA3_512 NF

MessageDigest engines for the NIST FIPS PUB 202 Secure Hash Algorithm 3
(SHA-3) hash functions added (SHA3-224, SHA3-256, SHA3-384, SHA3-512).

iaik.security.md.SHAKE128InputStream, iaik.security.md.SHAKE256InputStream NF

InputStream implementations for the NIST FIPS PUB 202 Secure Hash Algorithm 3
(SHA-3) extendable output functions (XOFs) SHAKE128 and SHAKE256 added.

iaik.x509.RevokedCertificate B

Fixed possible NullPointerException in method toString.

iaik.x509.X509CRL B

Fixed possible NullPointerException in method setSignature.

iaik.x509.net.ldap.LdapURLConnection C

connect: if readTimeOut is set, register it also as JNDI com.sun.jndi.ldap.read.timeout environment property.

IAIK-JCE 5.25 – 5. March 2015
Class or Package Bug / Change / New Feature Description and Examples
iaik.pkcs.pkcs12.PKCS12KeyStore C

Method engineLoad now checks unencrypted AuthenticatedSafe objects for CertificateBags, too

iaik.x509.ocsp C

BasicOCSPResponse, SingleResponse, RevokedInfo, ArchiveCutoff: milliseconds are not included in GeneralizedTime encodings for compatibility to RFC 6960

IAIK-JCE 5.24 – 22. December 2014
Class or Package Bug / Change / New Feature Description and Examples
iaik.asn1.ASN1String iaik.asn1.PrintableString C

Method equals does not check the ASN.1 String type anymore; only the value is compared

iaik.pkcs.pkcs7 NF, C

Changed default content encryption algorithm parameter management for EncryptedContentInfo, EnvelopedData and SignedAndEnvelopedData to try to get algorithm specific parameters from the content encryption algorithm id

iaik.pkcs.pkcs7.SignedAndEnvelopedDataStream NF

Added SignedAndEnvelopedDataStream(InputStream is, AlgorithmID contentEA, int keyLength)
constructor.

iaik.pkcs.pkcs7.SignedAndEnvelopedData C

Changed SignedAndEnvelopedData(byte[] content, AlgorithmID contentEA, int version)
constructor to SignedAndEnvelopedData(byte[] content, AlgorithmID contentEA, int keyLength).

For backwards compatibility with prior versions the keyLength parameter is interpreted as version if it has one of the only two possible version values, 1 (default; indicating a PKCS#7 v1.5 SignedAndEnvelopedData) or 2 (indicating a PKCS#7 v1.6 SignedAndEnvelopedData).

iaik.pkcs.pkcs7.SignedAndEnvelopedData NF

Added SignedAndEnvelopedData(byte[] content, AlgorithmID contentEA, int keyLength, int version) constructor.

iaik.pkcs.pkcs12.PKCS12KeyStore NF, C

When searching for the certificate that belongs to the private key and no match is found between the localKeyId attribute of the KeyBag and the localKeyId attribute of any CertBag, the friendlyName attribute is checked, if present. The friendlyName is also checked if more than one CertBag has the same localKeyId as the KeyBag.

iaik.pkcs.pkcs12.PKCS12KeyStore NF, C

Support for setting/getting of certificate (trust) entries.

iaik.security.provider.IAIK NF, B, C

New static method setCopyCipherData(boolean) allows to decide whether to internally copy cipher data when Cipher encryption/decryption uses the same array for input/output (default: false).

iaik.security.random.SeedGenerator C

Method setDefault sets the provided class also as default VarLengthSeedGenerator, if applicable

iaik.security.rsa.RipeMd256RSASignature B

Fixed DigestInfo prefix (length) encoding.

iaik.x509 B

If GeneralizedTime is used, milliseconds are not included in the encodings of the X.509 types
X509Certificate, X509CRL, RevokedCertificate, InvalidityDate, PrivateKeyUsagePeriod,
AttributeCertificate.

IAIK-JCE 5.2 – 31. October 2013
Class or Package Bug / Change / New Feature Description and Examples
* NF, C

jar files signed with new JCE code signing certificate.

* NF

Included jar file versions containing the “Trusted-Library=true”
manifest attribute that may be used for avoiding problems due to JDK
requirements when mixing signed/privileged with unsigned/sandbox code
(especially when used with Java(TM) WebStart, applets and JavaScript).

iaik.asn1.ASN1 B

Fixed push back handling in decoding routine.

iaik.asn1.CON_SPEC NF, C

forceImplicitlyTagged: workaround trying to handle
falsely explicitly tagged simple components when implicit tagging
is required.

iaik.asn1.structures.AlgorithmID C

Registered java.security.spec.DSAParameterSpec as
AlgorithmParameterSpec class for DSA* AlgorithmIDs.

iaik.asn1.structures.AlgorithmID C

Method getAlgorithmParameterSpec(Class parameterSpecClass, String provider) again does not throw an InvalidAlgorithmParameterException if parameterSpecClass is not specified. Rather it returns null in this case to avoid problems due to missing parameter implementation registration.

iaik.security.provider.IAIK NF, C

Added some MessageDigest aliases (OIDs).

iaik.security.dsa, iaik.security.rsa, iaik.iso.iso9796 C

Signature engines now extend java.security.SignatureSpi
to support delayed provider selection.

iaik.security.rsa.SSLRSASignature B

Fixed signature verification.

iaik.x509 C

Improved extensions memory management to support, e.g.,
bigger CRLs with class X509CRL when revocation
entries contain some (especially only the ReasonCode) extension(s).

iaik.x509.extensions.ExtendedKeyUsage NF

Added tsl-signing key purpose id (0.4.0.2231.3.0) as
specified by ETSI TS 102 231 V3.1.2 for the purpose of signing
Trust-service Status Lists

iaik.x509.ocsp.* NF

Aligned with new OCSP version (RFC 6960); added implementation
of ExtendedRevoked response and PreferredSignatureAlgorithms
request extensions

IAIK-JCE 5.1 – 28. March 2013
Class or Package Bug / Change / New Feature Description and Examples
iaik.asn1.ObjectID NF

Added the COSINE LDAP/X.500 Schema attribute personalTitle,
“0.9.2342.19200300.100.1.40” from RFC 4525.

iaik.asn1.structures.AlgorithmID NF

Added method setDefaultEncodeAbsentParametersAsNull allowing to change the default behaviour for encoding absent AlgorithmID parameters as ASN.1 NULL or omitting the parameters field.

iaik.asn1.structures.AlgorithmID, iaik.security.provider.IAIK NF

Added AlgorithmIDs and OID aliases for HMAC/SHA224, HMAC/SHA256, HMAC/SHA384,
HMAC/SHA512 according to RFC 4231.

iaik.asn1.structures.AlgorithmID NF, C

Added additional implementation names for some AlgorithmIDs.

Changed default implementation names for: sha1WithRSAEncryption
(from “SHA/RSA” to “SHA1/RSA”), cms_aes192_wrap
(from “AESWrapAES” to “AES192WrapAES192”),
cms_aes256_wrap (from “AESWrapAES” to “AES256WrapAES256”),
camellia_aes192_wrap (from “CamelliaWrapCamellia” to
“Camellia192WrapCamellia192”), camellia_aes256_wrap
(from “CamelliaWrapCamellia” to “Camellia256WrapCamellia256”).

Changed OID of AlgorithmID.dsaWithSHA1 from 1.3.14.3.2.27 to 1.2.840.10040.4.3.
AlgorithmID for 1.3.14.3.2.27 now is AlgorithmID.dsaWithSHA1_, but deprecated.
AlgorithmID.dsa_With_SHA1 (1.3.14.3.2.13) also marked as deprecated.

iaik.pkcs.pkcs5.PBKDF2 iaik.pkcs.pkcs5.PBKDF2KeyAndParameterSpec iaik.pkcs.pkcs5.PBKDF2ParameterSpec iaik.pkcs.pkcs5.PBKDF2Parameters NF

Added parameter implementation and (parameter based) pseudorandom function agility for PKCS#5 PBKDF2 key derivation function.

iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA1 iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA224 iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA256 iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA384 iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA512 NF

Added PBKDF2 KeyGenerator engines for HmacSHA1,
HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512:

KeyGenerator.getInstance("PBKDF2WithHmacSHA1", "IAIK");
KeyGenerator.getInstance("PBKDF2WithHmacSHA224", "IAIK");
KeyGenerator.getInstance("PBKDF2WithHmacSHA256", "IAIK");
KeyGenerator.getInstance("PBKDF2WithHmacSHA384", "IAIK");
KeyGenerator.getInstance("PBKDF2WithHmacSHA512", "IAIK");

iaik.pkcs.pkcs7.RSACipherProvider NF

New method setDefault() allowing to set a RSACipherProvider to be used as default.

iaik.pkcs.pkcs8.PrivateKeyInfo iaik.pkcs.pkcs8.RawPrivateKey NF, C

PrivateKeyInfo.getPrivateKey() now returns a generic RawPrivateKey object if no specific KeyFactory is available for the private key algorithm. The RawPrivateKey allows to get some information about the key (algorithm, encoding).

iaik.security.cipher.CAST128Parameters B

Fixed parameter decoding (optional iv)

iaik.security.cipher.PBES2Cipher iaik.pkcs.pkcs5.PBES2ParameterSpec iaik.pkcs.pkcs5.PBES2Parameters NF

Added Cipher engine and parameter implementation for the PKCS#5 PBES2 password based encryption scheme.

Cipher.getInstance("PBES2", "IAIK");

iaik.security.cipher.PbeWithMD5AndDES_CBC iaik.security.cipher.PbeWithSHAAnd3_KeyTripleDES_CBC iaik.security.cipher.PbeWithSHAAnd40BitRC2_CBC C

Now first try to get PBE AlgorithmParameters from provider IAIK.

iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA1AndAES iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA256AndAES iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA384AndAES192 iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA512AndAES256 iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA1AndDESede NF

Added PBES2 Cipher engines for HmacSHA1 and AES, HmacSHA256 and AES, HmacSHA384 and AES192, HmacSHA512 and AES256, HmacSHA1 and DESede:

Cipher.getInstance("PBES2WithHmacSHA1AndAES", "IAIK");
Cipher.getInstance("PBES2WithHmacSHA256AndAES", "IAIK");
Cipher.getInstance("PBES2WithHmacSHA384AndAES192", "IAIK");
Cipher.getInstance("PBES2WithHmacSHA512AndAES256", "IAIK");
Cipher.getInstance("PBES2WithHmacSHA1AndDESede", "IAIK");

iaik.security.cipher.SecretKey C

Fixed algorithm name check in equals method

iaik.security.pbe.PBEParameterGenerator C

Default iteration count for encryption set to 2000

iaik.security.random.SecRandom C

Changed default PRNG to SHA256FIPS186Random

iaik.utils.RFC2253NameParser NF

Registered the COSINE LDAP/X.500 Schema attribute personalTitle,
OID “0.9.2342.19200300.100.1.40” from RFC 4525.

iaik.utils.Util NF

New method setDefaultRFC2253StringEscaping allowing to set the default escaping mechanism (strict or non strict) for RFC2253 String representations of Name, RDN and AVA objects.

iaik.utils.ConvertKeyStore B, C

Now really converts one KeyStore into another (instead of dumping the contents like the DumpKeyStore utility).

iaik.utils.Util C

getUTF8EncodingFromString, getUTF8EncodingFromCharArray, getCharFromUTF8Array now also use UTF8CodingException instead of general CodingException.

iaik.x509.PublicKeyInfo iaik.x509.RawPublicKey NF, C

PublicKeyInfo.getPublicKey() now returns a generic RawPublicKey object if no specific KeyFactory is available for the public key algorithm. The RawPublicKey allows to get some information about the key (algorithm, encoding).

iaik.x509.attr.* iaik.x509.attr.Clearance C

Attribute Certificate implementation aligned with the new PKIX specification (RFC 5755); Clearance components are no longer tagged when building their ASN.1 representation.

iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD NF

Added implementation of the ETSI EN 319 412-5 QcEuPDS QCStatementInfo
for pointing to a Policy Disclosure Statement (PDS)

iaik.x509.ocsp.OCSPExtensions iaik.x509.ocsp.extensions.Nonce C

According to the OCSP spec clarification about the ASN.1 syntax of the Nonce extension, the Nonce value is wrapped into an ASN.1 OCTET STRING before putting it into the OCSP Extension extnValue OCTET STRING; the new method Nonce.setWrapNonceValue(false) allows to fall back
to the old behaviour (not wrapping the Nonce value).

iaik.x509.ocsp.net.HttpOCSPRequest C

postRequest: accept application/ocsp-response with parameters in content-type header, too.

IAIK-JCE 5.01 – 16. January 2012
Class or Package Bug / Change / New Feature Description and Examples
iaik.security.cipher B

fixed performance regression of AES-GCM/CCM in combination with the AES addon in Windows

iaik.utils.PasswordStrengthChecker C

improved password strength computation

IAIK-JCE 5.0 – 23. December 2011
Class or Package Bug / Change / New Feature Description and Examples
* C

overall stability improvements

iaik.security.cipher NF

new IAIK-JCE addon that comes with native support for Intel’s AES-NI instruction

iaik.security.md NF

added SHA-3 candidate message digest algorithms:

  • BLAKE-224, BLAKE-256, BLAKE-384, and BLAKE-512,
  • Groestl-224, Groestl-256, Groestl-384, and Groestl-512,
  • JH-224, JH-256, JH-384, and JH-512,
  • KECCAK-224, KECCAK-256, KECCAK-384, and KECCAK-512, as well as
  • Skein-224, Skein-256, Skein-384, and Skein-512
iaik.security.md NF

added GOST-3411 message digest algorithm

iaik.security.md NF

added new SHA-512 based message digest algorithms: SHA-512/224, and SHA-512/256

iaik.security.mac NF

added GOST-3411 HMAC algorithm

iaik.utils.IAIKPasswordStore NF

added password store

iaik.utils.PasswordGenerator NF

added password generator class

iaik.utils.PasswordStrengthChecker NF

added password strength checker (requires JDK1.4 or higher)

iaik.security.rsa B

fixed inconsistency with smallest key sizes in RSAKeyPairGenerator

iaik.utils.RFC2253NameParser B

fixed parsing of hex pair escape sequence

iaik.security.mac.CBCMac NF

implementation of the CBC MAC algorithm for AES, DESede, DES according to ISO/IEC 9797-1

iaik.x509.ocsp.extensions.CrlID NF

added set/getCrlNumber methods allowing to set/get the crl number as BigInteger

iaik.asn1.structures.AlgorithmID C

SHA/SHA-1 algorithm/implementation name changed to SHA1

IAIK-JCE 4.0 – 4. November 2010
Class or Package Bug / Change / New Feature Description and Examples
* C

JDK 1.1.x is no longer supported. Supported Java versions are 1.2, 1.3, 1.4, 1.5 (5.0), 1.6 (6.0), 1.7 (7.0) and compatible.

* C

overall performance improvements (e.g. of hash functions, ciphers, etc.)

* C

security-critical parts of the library now use safe (timing-attack-resistant) comparisons in order to prevent timing attacks (for example in GCM and CCM)

iaik.asn1.UNKNOWN C

method encode implemented

iaik.security.cipher C

performance improvements affecting repeated invocations of Cipher.doFinal()

iaik.security.cipher.GCM C

– up to 3.52 times higher throughput of the GCM mode (on 32-bit Windows systems) compared to version 3.181

– up to 2.11 times higher throughput of the GCM mode (on 64-bit systems) compared to version 3.181

iaik.security.cipher.CCM B

– fixed wrong computation of maximum input length, and

– 8% higher throughput on 64-bit systems

iaik.security.keystore.IAIKKeyStore C

method engineLoad() throws IOException if a null password has been
specified and also tries to verify the MAC if a zero-length password has been specified

iaik.security.md C

– up to 63% higher throughput of RipeMd128 on 32-bit systems (depending on the input length),

– up to 55% higher throughput of RipeMd160 on 32-bit Windows systems (depending on the input length),

iaik.security.md NF

new message digests: RipeMd256 and RipeMd320

iaik.security.provider.IAIK NF

new PRNG registrations:

– SHA1PRNG, SHA256PRNG, SHA384PRNG, SHA512PRNG, MD5PRNG, RipeMd128PRNG, RipeMd160PRNG, WhirlpoolPRNG,

– SHA1PRNG-FIPS, SHA256PRNG-FIPS, SHA384PRNG-FIPS, SHA512PRNG-FIPS, RipeMd160PRNG-FIPS (FIPS-186-2 PRNGs),

– 3DESPRNG (corresponds to ANSIRandom class),

– SHA1PRNG-SP80090, SHA224PRNG-SP80090, SHA256PRNG-SP80090, SHA384PRNG-SP80090, SHA512PRNG-SP80090 (new hash based NIST SP800-90 PRNGs),

– HMacSHA1PRNG-SP80090, HMacSHA224PRNG-SP80090, HMacSHA256PRNG-SP80090, HMacSHA384PRNG-SP80090, HMacSHA512PRNG-SP80090 (new HMAC based NIST SP800-90 PRNGs),

– AES128PRNG-SP80090, AES192PRNG-SP80090, AES256PRNG-SP80090 (new block cipher based NIST SP800-90 PRNGs),

as well as new RSA key pair generator registrations:

– RSA-FIPS, RSA-OAEP-FIPS, RSA-PSS-FIPS

iaik.security.provider.IAIK C

Method addAsJDK14Provider() deprecated; IAIK provider can be added as first provider by calling

IAIK.addAsProvider or Security.insertProviderAt(new IAIK(), 1);

iaik.security.provider.IAIK C

Since JDK 1.1 compatibility is no longer required, registration of algorithm engines can be done
as a privileged action

iaik.security.random NF

transition to the SecureRandom framework. Now, SecureRandom instances can (and should) be obtained using SecureRandom.getInstance().

Code sample:

SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "IAIK");
byte[] bytes = new byte[8];
random.nextBytes(bytes);

iaik.security.random NF

new NIST SP800-90 pseudo-random number generators based on

– SHA1

– SHA-224

– SHA-256

– SHA-384, and

– SHA-512

added.

iaik.security.random NF

new NIST SP800-90 pseudo-random number generators based on

– HMac/SHA1

– HMac/SHA-224

– HMac/SHA-256

– HMac/SHA-384, and

– HMac/SHA-512

added.

iaik.security.random NF

new NIST SP800-90 pseudo-random number generators based on

– AES-128

– AES-192

– AES-256

added.

iaik.security.random.SecRandom C

Method SecRandom.setDefault(Class) is now deprecated; use SecRandom.setDefault(String) instead

iaik.security.rsa NF

new RSA signature class based on RipeMd256: RipeMd256RSASignature

Code sample:

Signature sig = Signature.getInstance("RipeMd256withRSA", "IAIK");
sig.initSign(privateKey);   // the signer's RSA private key
sig.update(data);
byte[] signature = sig.sign();

iaik.security.rsa.RSAKeyPairGenerator C

the key pair generation is now based on IEEE P1363.

iaik.security.rsa.RSAOaepKeyPairGenerator C

the key pair generation of the OAEP key pair generator is now based on IEEE P1363.

iaik.security.rsa.RSAPssKeyPairGenerator C

the key pair generation of the Pss key pair generator is now based on IEEE P1363.

iaik.security.rsa.RSAKeyPairGeneratorFIPS NF

new key pair generator that is based on the FIPS-186-3 standard.

iaik.security.rsa.RSAOaepKeyPairGeneratorFIPS NF

OAEP key pair generator that is based on the new FIPS-186-3 key pair generator.

iaik.security.rsa.RSAPssKeyPairGeneratorFIPS NF

PSS key pair generator that is based on the new FIPS-186-3 key pair generator.

iaik.security.rsa.RawRSAPkcs1v15Signature NF, C

Verification now checks both absent and NULL digest algorithm parameters.

iaik.utils.Utils C

performance improvements of several central methods (note that this also affects the overall performance)

iaik.utils.CryptoUtils C

performance improvements of several central methods (note that this also affects the overall performance)

iaik.utils.CryptoUtils NF

new method overloads: many important helper methods are now not only available for the datatype byte[], but also for the datatypes int[] and long[]

iaik.utils.CryptoUtils NF

two new secureEqualsBlock methods that provide a timing-attack-resistant way to compare two byte arrays.

iaik.utils.CryptoUtils NF

new addModBlockSize method that allows the addition of two blocks modulo a specific blocksize.

iaik.utils.NumberTheory C

millerRabin is now implemented according to IEEE P1363.

iaik.x509.X509Certificate iaik.x509.X509CRL iaik.x509.X509Extensions iaik.x509.RevokedCertificate NF

New method getRawExtensionValue to get the raw DER encoded extension (not wrapped into an OCTET STRING)

IAIK-JCE 3.181 – 28. September 2009
Class or Package Bug / Change / New Feature Description and Examples
* C

Where possible Hashtables are replaced by HashMaps to increase
access performance in multithreaded environments; for
JDK 1.1.x a new jdk11x_update.jar version must be used

iaik.security.cipher.CamelliaKeyWrap NF

Support for the CamelliaKeyWrap algorithm for wrapping Camellia content encryption keys with Camellia key encryption keys according to RFC 3657 added.

iaik.security.cipher.HMACwithAESwrap NF

Support for the HMACwithAESwrap algorithm for wrapping HMAC message authentication code keys
with AES key encryption keys according to RFC 3537 added.

iaik.x509.attr.ACRL B

addCertificate(AttributeCertificate cert, Date revocationDate): Use critical CertificateIssuer
extension for indirect CRL entries.

iaik.x509.X509CRL C

listCertificates: the order in the Enumeration of revocation entries reflects the structure of the CRL (for each certificate issuer of an indirect CRL the first RevokedCertificate contains the CertificateIssuer extension with the name of the certificate issuer).
getRevokedCertificates: the Set of revocation entries does not reflect the order; therefore each RevokedCertificate that represents an indirect CRL entry contains the CertificateIssuer extension with the name of the corresponding certificate issuer.

iaik.x509.X509Extensions C

addExtension: now throws an IllegalArgumentException when trying to add a critical/non-critical
extension if an extension with the opposite (non-critical/critical) state has already been added;
getExtensionValue: does not clear the existing ObjectID name / short name registration anymore.

jdk11x_update.jar NF, C

contains a simple (Hashtable based and therefore still access synchronized) HashMap implementation to allow JDK independent use of HashMaps

Problem: When connecting to a TLS/HTTPS server using JSSE with IAIK as first provider, the connection fails with an exception saying that the trust store cannot be accessed because of a KeyStore parsing error. A typical exception stacktrace may look like:

    Exception in thread "main" java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
			at java.base/javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:263)
			at java.base/javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:270)
			at java.base/sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:413)
			at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:162)
			at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:474)
			at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:569)
			at java.base/sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:265)
			at java.base/sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:372)
			at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
			at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1181)
			at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1075)
			at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
			at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
			at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
			at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
			at java.base/java.net.URL.openStream(URL.java:1117)
		Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
			at java.base/java.security.Provider$Service.newInstance(Provider.java:1831)
			at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
			at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
			at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:168)
			at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:99)
			at java.base/javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:123)
			at java.base/javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:335)
			at java.base/javax.net.ssl.HttpsURLConnection.(HttpsURLConnection.java:292)
			at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.(HttpsURLConnectionImpl.java:95)
			at java.base/sun.net.www.protocol.https.Handler.openConnection(Handler.java:62)
			at java.base/sun.net.www.protocol.https.Handler.openConnection(Handler.java:57)
			at java.base/java.net.URL.openConnection(URL.java:1051)
			... 2 more
		Caused by: java.security.KeyStoreException: problem accessing trust store
			at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
			at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:278)
			at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getTrustManagers(SSLContextImpl.java:1052)
			at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.(SSLContextImpl.java:1022)
			at java.base/sun.security.ssl.SSLContextImpl$DefaultSSLContext.(SSLContextImpl.java:1197)
			at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
			at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
			at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
			at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
			at java.base/java.security.Provider.newInstanceUtil(Provider.java:153)
			at java.base/java.security.Provider$Service.newInstance(Provider.java:1824)
			... 13 more
		Caused by: iaik.pkcs.pkcs12.PKCS12ParsingException: iaik.pkcs.PKCSParsingException: ASN.1 creation error: iaik.asn1.CodingException: Length: Too large ASN.1 object: 109
			at iaik.pkcs.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:362)
			at iaik.utils.UniveralKeyStore.engineLoad(UniveralKeyStore.java:935)
			at java.base/java.security.KeyStore.load(KeyStore.java:1479)
			at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:365)
			at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:313)
			at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:55)
			at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
			... 23 more

The root exception may also be masked, in which case the message only reads something like "Unable to execute HTTP request: No X509TrustManager implementation available".

Solution: With JDK 9 Oracle changed the JDK default KeyStore format from JKS to PKCS12, but still ships its default cacerts KeyStore in JKS format. When an application uses JSSE to connect to a TLS/HTTPS server without explicitly setting a trust store, JSSE reads the trusted certificates from cacerts by instantiating a KeyStore of the default type (PKCS12). With IAIK installed as first provider this yields the PKCS12 KeyStore of the IAIK provider, which then tries to parse cacerts. This must fail, since cacerts is a JKS KeyStore and the IAIK PKCS12KeyStore (which, of course, expects PKCS#12 format) cannot read it. The TLS/HTTPS connection attempt therefore fails with an exception saying that the trust store cannot be accessed because of a KeyStore parsing problem.

There are several workarounds for this problem that keep IAIK as first provider:

  • Explicitly use and specify your own trust store in PKCS#12 format.
  • Run the VM with the -Djavax.net.ssl.trustStoreType (and, if needed, -Djavax.net.ssl.keyStoreType) option(s) to select jks as the trust/key store format:
        java -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.keyStoreType=jks ...

  • Advise the IAIK PKCS12KeyStore to fall back to JKS parsing whenever it fails to parse a KeyStore as PKCS#12:
        PKCS12KeyStore.setUSEJKSFallBack(true);


Note that in the last case the IAIK PKCS12KeyStore will try the JKS format every time it fails to parse a PKCS#12 KeyStore. This causes some overhead, and you may not notice that you are actually reading a JKS KeyStore while expecting a PKCS#12 one. For these reasons the JKS fallback is disabled by default and has to be enabled explicitly by calling PKCS12KeyStore.setUSEJKSFallBack(true).
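The first workaround done explicitly, as an added example that is not code from the IAIK-JCE distribution: IAIK stays first provider, but the JSSE trust material is built from a KeyStore whose type is named by the application, so the default type ("pkcs12", served by IAIK when it is first) is never used to read the JKS cacerts file. The cacerts location below java.home, the password "changeit" and the optional URL argument are assumptions taken from the JDK defaults; describeDefaultKeyStore() is a diagnostic that shows which provider would have answered the default request.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import iaik.security.provider.IAIK;

/**
 * Keeps IAIK as first provider but builds the JSSE trust material explicitly, so
 * KeyStore.getDefaultType() is never consulted when reading the JDK's cacerts file.
 */
public class ExplicitTrustStore {

  /** Reports the default KeyStore type and the provider that would serve it. */
  public static String describeDefaultKeyStore() throws Exception {
    String type = KeyStore.getDefaultType();                // "pkcs12" on JDK 9 and later
    String provider = KeyStore.getInstance(type).getProvider().getName();
    return type + " via provider " + provider;              // "pkcs12 via provider IAIK" when IAIK is first
  }

  /**
   * Loads a trust store with an explicitly given type instead of KeyStore.getDefaultType().
   * path and type are assumptions: the JDK's cacerts (type "JKS", default password "changeit")
   * or your own PKCS#12 trust store.
   */
  public static KeyStore loadTrustStore(Path path, String type, char[] password) throws Exception {
    KeyStore ks = KeyStore.getInstance(type);              // "JKS" is served by the SUN provider, not by IAIK
    try (InputStream in = new FileInputStream(path.toFile())) {
      ks.load(in, password);
    }
    return ks;
  }

  /** Builds an SSLContext whose trust managers come from the given store rather than from the JSSE defaults. */
  public static SSLContext contextFor(KeyStore trustStore) throws Exception {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);           // no client key material, default SecureRandom
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    Security.insertProviderAt(new IAIK(), 1);                // IAIK stays first provider
    System.out.println("default KeyStore: " + describeDefaultKeyStore());

    // assumption: the JDK's own cacerts file; it is shipped as JKS, hence the explicit type
    Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    KeyStore trust = loadTrustStore(cacerts, "JKS", "changeit".toCharArray());
    System.out.println(trust.size() + " trust anchors loaded without touching the IAIK PKCS12KeyStore");

    // optional: connect to the URL given as first argument using the explicit trust store
    if (args.length > 0) {
      SSLContext ctx = contextFor(trust);
      HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
      conn.setSSLSocketFactory(ctx.getSocketFactory());   // per connection; or HttpsURLConnection.setDefaultSSLSocketFactory
      System.out.println("HTTP " + conn.getResponseCode());
    }
  }
}
```

Run it with the IAIK jar on the class path. The first line of output is the diagnostic behind the stack trace above: the default type is pkcs12 and, with IAIK first, the provider answering for it is IAIK. Loading cacerts with the explicit type "JKS" bypasses that lookup, and the SSLContext built from it is then set on the connection instead of relying on SSLContext.getDefault().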

With JDK 1.4 the JCE framework (javax.crypto) has been incorporated into the standard JDK. Because of export regulations a JCE provider may only be used with JDK 1.4 (or JCE 1.2.1) if it is signed. IAIK-JCE provides signed and unsigned versions of its jar files (iaik_jce.jar, iaik_jce_full.jar). Using the unsigned version with JDK 1.4 causes the ExceptionInInitializerError "Cannot set up certs for trusted CAs". Please use the signed jar file. Also make sure that the right JCE policy files are installed in the lib/security directory.

Due to a bug in the jar file verification mechanism of JDK 1.4 it may be necessary that the original SUN provider stays installed as first provider. In that case insert the Stiftung SIC (IAIK) provider as second provider and explicitly request the IAIK implementation when calling getInstance (DES only illustrates the provider argument here; it is no longer an acceptable cipher for new data):

Security.insertProviderAt(new IAIK(), 2);
Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding", "IAIK");

Alternatively you may use the static method addAsJDK14Provider of the IAIK-JCE provider main class. It applies a workaround that allows IAIK to be used as first provider with JDK 1.4, too:

IAIK.addAsJDK14Provider();

JDK 1.5.0_02 and later have fixed the jar file verification problem. For these versions the IAIK provider can be installed as first provider in the conventional way (or registered statically in the java.security file):

Security.insertProviderAt(new IAIK(), 1);

Due to import control restrictions of some countries, JDK 1.4 by default comes with jurisdiction policy files that allow "strong" but limited cryptography; keys exceeding the allowed strength cannot be used under this policy. If you are entitled to do so, you may download and install the "unlimited strength" version of these files (http://java.sun.com/j2se/1.4/download.html). JDK 8u161 and later, and JDK 9 and later, ship with the unlimited policy enabled by default.

To be compatible with the standard JDK certificate API (java.security.cert.X509Extension) we had to change method getExtensionValue to return the DER encoding of the OCTET STRING extnValue:

Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }

The content of the extnValue OCTET STRING is in turn the DER encoding of the extension's actual value, so a second decoding step is required. getExtensionValue takes the extension OID as dotted string, as in the JDK API, e.g.:

// basicConstraints (OID 2.5.29.19); null is returned if the certificate has no such extension
byte[] extnValueEnc = cert.getExtensionValue(BasicConstraints.oid.getID());
// first step: decode the OCTET STRING wrapper
OCTET_STRING extnValue = (OCTET_STRING) DerCoder.decode(extnValueEnc);
// second step: decode the extension value contained in the OCTET STRING
ASN1Object asn1Extension = DerCoder.decode((byte[]) extnValue.getValue());

In general, however, it is more appropriate to call getExtension directly, which returns the already parsed extension object (unless you have to write provider independent code):

BasicConstraints bc = (BasicConstraints)cert.getExtension(BasicConstraints.oid);

In practice PKCS#7 objects like SignedData or EnvelopedData are wrapped into a ContentInfo before transmission, so that the recipient learns which PKCS#7 content type to expect. When parsing a SignedData object you therefore first have to unwrap the ContentInfo, as shown in demo.pkcs.TestContentInfo, e.g.:

// the stream from which to read the PKCS#7 object
InputStream is = ...;
// the stream from which to read the content in explicit mode (null in implicit mode)
InputStream message = ...;
// create the ContentInfo object
ContentInfoStream cis = new ContentInfoStream(is);
System.out.println("This ContentInfo holds content of type " + cis.getContentType().getName());
SignedDataStream signed_data = null;
if (message == null) {
  // implicitly signed; get the content
  signed_data = (SignedDataStream)cis.getContent();
} else {
  // explicitly signed; set the data stream for digesting the message;
  // we assume here that SHA-1 and MD5 have been used for digesting
  AlgorithmID[] algIDs = { AlgorithmID.sha1, AlgorithmID.md5 };
  signed_data = new SignedDataStream(message, algIDs);
}
// get an InputStream for reading the signed content
InputStream data = signed_data.getInputStream();
OutputStream os = ...;
StreamCopier sc = new StreamCopier(data, os);
sc.copyStream();
if (message != null) {
  // if explicitly signed now decode the SignedData
  signed_data.decode(cis.getContentInputStream());
}
// now you may verify the signature(s)
System.out.println("SignedData contains the following signer information:");
SignerInfo[] signer_infos = signed_data.getSignerInfos();
for (int i=0; i<signer_infos.length; i++) {
  try {
    // verify the signed data using the SignerInfo at index i
    X509Certificate signer_cert = signed_data.verify(i);
    // if the signature is OK the certificate of the signer is returned
    System.out.println("Signature OK from signer: "+signer_cert.getSubjectDN());
  } catch (SignatureException ex) {
    // if the signature is not OK a SignatureException is thrown
    System.out.println("Signature ERROR from signer: "+ signed_data.getCertificate(signer_infos[i].getIssuerAndSerialNumber()).getSubjectDN());
    ex.printStackTrace();
  }
}

RFC 2459 recommends UTF8String as the default encoding; where the character set suffices, PrintableString may be used. IAIK-JCE therefore uses PrintableString as default encoding for AVA string attribute values and switches to UTF8String if the string value contains characters that are not printable.

UTF8String, however, may not be handled by older certificate processing applications such as Netscape 4.7. You may either switch to a more recent version of Netscape or use the static method setNonPrintableDefaultEncoding of class AVA to change the secondary encoding used for string values containing non-printable characters, e.g.:

AVA.setNonPrintableDefaultEncoding(ASN.BMPString);

In explicit mode (where the content data is not included in the signature) we have observed that it may be necessary to apply "UnicodeLittleUnmarked" encoding to the data before verifying a CAPICOM signature, or to avoid this encoding on the sender side in the first place, as suggested in an earlier posting to this newsgroup:

From the signing side (Capicom), the following code was used to read the file
 and avoid Unicode formatting:
       
 -------------------
 Dim objUtilities As New CAPICOM.Utilities
 Open strPathDocToBeSigned For Binary Access Read As #1
       
 ' Removing EOF
 ReDim abytFile(LOF(1) - 1)
 Get #1, , abytFile
 Close #1
       
 strFileContents = objUtilities.ByteArrayToBinaryString(abytFile)
 -------------------
       
 and after this the normal signing process of strFileContents.

With the following sample code, however, you should be able to verify both explicit and implicit signatures (use the stream based classes if you have to deal with large amounts of data):

  import java.io.IOException;
  import java.io.InputStream;
  import java.io.FileInputStream;
  import java.security.NoSuchAlgorithmException;
  import java.security.SignatureException;
                      
  import iaik.asn1.CodingException;
  import iaik.asn1.ObjectID;
  import iaik.asn1.structures.AlgorithmID;
  import iaik.asn1.structures.Attribute;
  import iaik.asn1.structures.ChoiceOfTime;
  import iaik.pkcs.PKCSException;
  import iaik.pkcs.pkcs7.ContentInfo;
  import iaik.pkcs.pkcs7.SignedData;
  import iaik.pkcs.pkcs7.SignerInfo;
  import iaik.security.provider.IAIK;
  import iaik.utils.ASN1InputStream;
  import iaik.x509.X509Certificate;
                      
  public class SignedDataParse {

    public static void main(String[] args) {
      InputStream is = null;
      try {
        byte[] data = null;
        // on JDK 1.5.0_02 and later Security.insertProviderAt(new IAIK(), 1) suffices
        IAIK.addAsJDK14Provider();
        // read in the PKCS#7 SignedData encoding
        is = new FileInputStream("...");
        // uncomment the following line to supply the data in explicit mode:
        // data = "...".getBytes("UnicodeLittleUnmarked");
        ASN1InputStream asn1In = new ASN1InputStream(is);
        byte[] content = getSignedData(asn1In, data);
        // uncomment the following if the content is an UnicodeLittleUnmarked encoded string:
        // String s1 = new String(content, "UnicodeLittleUnmarked");
        // System.out.println(s1);
        System.out.println("Ready");
      } catch (Exception ex) {
        ex.printStackTrace();
      } finally {
        if (is != null) {
          try {
            is.close();
          } catch (IOException ex) {
            // nothing left to do
          }
        }
      }
    }
                      
    /**
     * Parses a PKCS#7 SignedData object and verifies the signature(s).
     *
     * @param is the input stream supplying the BER encoded PKCS#7 SignedData object
     * @param message the content data supplied by other means (only required in explicit mode)
     *
     * @return the content data
     *
     * @exception PKCSException if an error occurs when parsing the SignedData
     * @exception IOException if an error occurs when reading from the stream
     */
    static byte[] getSignedData(InputStream is, byte[] message) throws PKCSException, IOException {

      // create a content info from the encoding
      ContentInfo ci = new ContentInfo(is);
      System.out.println("This ContentInfo holds content of type " + ci.getContentType().getName());

      SignedData signed_data = null;
      if (message == null) {
        // in implicit mode we simply can get the content:
        signed_data = (SignedData) ci.getContent();
      } else {
        // explicitly signed; set the data for digesting the message; we assume SHA-1 and MD5
        AlgorithmID[] algIDs = { AlgorithmID.sha1, AlgorithmID.md5 };
        try {
          signed_data = new SignedData(message, algIDs);
          // now explicitly decode the DER encoded SignedData obtained from the ContentInfo:
          signed_data.decode(ci.getContentInputStream());
        } catch (NoSuchAlgorithmException ex) {
          throw new PKCSException(ex.getMessage());
        }
      }

      System.out.println("SignedData contains the following signer information:");
      SignerInfo[] signer_infos = signed_data.getSignerInfos();

      for (int i = 0; i < signer_infos.length; i++) {
        try {
          // verify the signed data using the SignerInfo at index i
          X509Certificate signer_cert = signed_data.verify(i);
          // if the signature is OK the certificate of the signer is returned; note that
          // only the signature is checked here, not whether that certificate is trusted,
          // still valid or unrevoked
          System.out.println("Signature OK from signer: " + signer_cert.getSubjectDN());
          Attribute signingTime = signer_infos[i].getAuthenticatedAttribute(ObjectID.signingTime);
          if (signingTime != null) {
            ChoiceOfTime cot = new ChoiceOfTime(signingTime.getValue()[0]);
            System.out.println("This message has been signed at " + cot.getDate());
          }
          Attribute contentType = signer_infos[i].getAuthenticatedAttribute(ObjectID.contentType);
          if (contentType != null) {
            System.out.println("The content has PKCS#7 content type " + contentType.getValue()[0]);
          }
        } catch (SignatureException ex) {
          // if the signature is not OK a SignatureException is thrown
          System.out.println("Signature ERROR from signer: "
              + signed_data.getCertificate(signer_infos[i].getIssuerAndSerialNumber()).getSubjectDN());
          ex.printStackTrace();
        } catch (CodingException ex) {
          System.out.println("Attribute decoding error: " + ex.getMessage());
        }
      }
      return signed_data.getContent();
    }
  }
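Both the stream based snippet above and SignedDataParse stop at verify(i), which only proves that the signature matches the signer certificate found in the message. Whether that certificate is one the application should trust is a separate step. The following added example (not part of IAIK-JCE or its demos) performs it with the JDK's PKIX CertPathBuilder; since iaik.x509.X509Certificate extends java.security.cert.X509Certificate, the certificates taken from the SignedData can be passed in directly. The trust anchors, the intermediate certificates and the revocation setting are assumptions to be adapted to your deployment.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

/**
 * Checks that a signer certificate (as returned by SignedData.verify(i)) chains to one of
 * the given trust anchors and was valid at signing time, using the JDK's PKIX path builder.
 */
public final class SignerCertCheck {

  /**
   * @param signerCert   certificate returned by verify(i)
   * @param extraCerts   further certificates carried in the SignedData (possible intermediates), may be null
   * @param trustAnchors the CA certificates this application actually trusts
   * @param signingTime  value of the signingTime attribute, or null to validate for "now"
   * @return the built and validated path (signer first, up to but excluding the anchor)
   * @throws CertPathBuilderException if no trusted path exists; the cause says why
   */
  public static CertPath buildTrustedPath(X509Certificate signerCert,
                                          X509Certificate[] extraCerts,
                                          Set<TrustAnchor> trustAnchors,
                                          Date signingTime) throws Exception {
    // the target of the path is exactly this signer certificate
    X509CertSelector target = new X509CertSelector();
    target.setCertificate(signerCert);

    PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
    // intermediates are looked up in this store; the signer itself is included so the builder can start from it
    Set<X509Certificate> pool = new HashSet<>();
    if (extraCerts != null) {
      pool.addAll(Arrays.asList(extraCerts));
    }
    pool.add(signerCert);
    params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
    if (signingTime != null) {
      params.setDate(signingTime);   // validity is judged at signing time, not at verification time
    }
    // assumption: revocation (CRL/OCSP) is checked elsewhere; enable it here in production
    params.setRevocationEnabled(false);

    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
    return result.getCertPath();
  }

  /** Convenience wrapper: true if a trusted path exists for the signer certificate. */
  public static boolean isTrusted(X509Certificate signerCert, X509Certificate[] extraCerts,
                                  Set<TrustAnchor> trustAnchors, Date signingTime) {
    try {
      buildTrustedPath(signerCert, extraCerts, trustAnchors, signingTime);
      return true;
    } catch (Exception e) {
      return false;
    }
  }

  /** Wraps CA certificates as trust anchors (without name constraints). */
  public static Set<TrustAnchor> anchors(X509Certificate... caCerts) {
    Set<TrustAnchor> set = new HashSet<>();
    for (X509Certificate ca : caCerts) {
      set.add(new TrustAnchor(ca, null));
    }
    return set;
  }
}
```

Call buildTrustedPath(signer_cert, signed_data.getCertificates(), SignerCertCheck.anchors(yourCaCert), cot.getDate()) right after a successful verify(i); a CertPathBuilderException means the signature was fine but the signer certificate does not chain to anything you trust (or was not valid at the signing time), which is exactly the case a forged or expired signer certificate produces.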

There are several ways of using OAEP padding (for instance you may encrypt the content encryption key yourself with OAEP and hand the already encrypted key to the RecipientInfo constructor), but the simplest is to override RSACipherProvider to use RSA with OAEP padding and set it on each RecipientInfo that shall use OAEP. Note that you also have to specify a proper AlgorithmID for RSAES-OAEP, and that its parameters must describe what the cipher actually does: without explicit parameters the PKCS#1 defaults (SHA-1, MGF1 with SHA-1, empty label) are implied, so sender and recipient have to agree on them. E.g.:

public class RSACipherProviderOAEP extends RSACipherProvider { ... 
/**
  * En/deciphers the given data using RSA with OAEP padding.
  * 
  * @param mode the cipher mode, either ENCRYPT (1) or DECRYPT (2)
  * @param key the key to be used
  * @param data the data to be en/deciphered:
  * <ul>
  * <li>for RecipientInfo cek encryption: the raw content encryption key
  * <li>for RecipientInfo cek decryption: the encrypted content encryption key
  * </ul>
  * 
  * @return the en/deciphered data:
  * <ul>
  * <li>for RecipientInfo cek encryption: the encrypted content encryption key
  * <li>for RecipientInfo cek decryption: the raw (decrypted) content encryption key
  * </ul>
  *
  * @exception NoSuchProviderException if any of the crypto providers of this RSACipherProvider is not suitable
  * for requested operation
  * @exception NoSuchAlgorithmException if RSA ciphering is not supported
  * @exception InvalidKeyException if the supplied key is invalid
  * @exception GeneralSecurityException if a general security problem occurs
  */
  protected byte[] cipher(int mode, Key key, byte[] data) 
      throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, GeneralSecurityException {
    Cipher rsa = Cipher.getInstance("RSA/ECB/OAEP");
    rsa.init(mode, key);
    return rsa.doFinal(data);
  } 
}

On the sender side set your RSA cipher provider for each RecipientInfo that shall use it:

 // AlgorithmID for RSAES-OAEP (PKCS#1 v2, OID 1.2.840.113549.1.1.7); without explicit
 // parameters the PKCS#1 defaults (SHA-1, MGF1 with SHA-1) are implied
 AlgorithmID rsaEncryptionOAEP = new AlgorithmID("1.2.840.113549.1.1.7", "RSAEncryptionOAEP");
 // the recipient certificate
 X509Certificate recipientCert = ...;
 // create the RecipientInfo
 RecipientInfo recipient = new RecipientInfo(recipientCert, rsaEncryptionOAEP);
 // set the RSA cipher provider for using RSA with OAEP padding
 recipient.setRSACipherProvider(new RSACipherProviderOAEP());

On the receiving side set your RSA cipher provider before decrypting the encrypted content encryption key:

 // the RSA OAEP provider to be used
 RSACipherProviderOAEP rsaCipherProviderOAEP = new RSACipherProviderOAEP();
 ...
 // get the RecipientInfos
 RecipientInfo[] recipients = envelopedData.getRecipientInfos();
 for (int i = 0; i < recipients.length; i++) {
   System.out.println("Recipient: " + (i + 1));
   System.out.print(recipients[i].getIssuerAndSerialNumber());
   // set the RSA cipher provider for using RSA with OAEP padding
   recipients[i].setRSACipherProvider(rsaCipherProviderOAEP);
 }
 // decrypt the content encryption key of the RecipientInfo at recipientInfoIndex
 // with recipientPrivateKey and set up the content cipher
 envelopedData.setupCipher(recipientPrivateKey, recipientInfoIndex);
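The cipher() override above calls Cipher.getInstance("RSA/ECB/OAEP") without parameters and so silently relies on the defaults of whichever provider answers. The added example below (standard JCE only, not IAIK code) shows what happens when the two ends of a RecipientInfo disagree on the OAEP parameters: the same wrapped content encryption key unwraps with the matching OAEPParameterSpec and fails with the PKCS#1 default MGF1 digest. SunJCE and SunRsaSign are requested explicitly so the result does not depend on whether IAIK is first provider; the key size and the constructed random CEK are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

/**
 * Demonstrates that the OAEP parameters announced in the RecipientInfo's key-encryption
 * AlgorithmID must match what the Cipher really does: a content encryption key (CEK)
 * wrapped with one parameter set does not unwrap with another.
 */
public final class OaepParameterAgreement {

  /** OAEP with SHA-256 as hash and as MGF1 digest. */
  public static final OAEPParameterSpec SHA256_ALL =
      new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

  /** OAEP with SHA-256 hash but MGF1 over SHA-1; this is what SunJCE uses for
   *  "OAEPWithSHA-256AndMGF1Padding" when no OAEPParameterSpec is passed to init(). */
  public static final OAEPParameterSpec SHA256_MGF1_SHA1 =
      new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);

  private static Cipher rsaOaep() throws Exception {
    // provider named explicitly so provider order (IAIK first or not) does not change the outcome
    return Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "SunJCE");
  }

  /** Sender side, the counterpart of cipher(ENCRYPT, ...): wraps the raw CEK for one recipient. */
  public static byte[] wrapCek(KeyPair recipient, byte[] cek, OAEPParameterSpec spec) throws Exception {
    Cipher rsa = rsaOaep();
    rsa.init(Cipher.ENCRYPT_MODE, recipient.getPublic(), spec);
    return rsa.doFinal(cek);
  }

  /** Recipient side, the counterpart of cipher(DECRYPT, ...): returns the CEK, or null on a padding failure. */
  public static byte[] unwrapCek(KeyPair recipient, byte[] encryptedCek, OAEPParameterSpec spec) throws Exception {
    Cipher rsa = rsaOaep();
    rsa.init(Cipher.DECRYPT_MODE, recipient.getPrivate(), spec);
    try {
      return rsa.doFinal(encryptedCek);
    } catch (BadPaddingException e) {
      return null;   // mismatched OAEP parameters (or a wrong key) look exactly like this
    }
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "SunRsaSign");
    kpg.initialize(2048);                        // assumption: 2048-bit recipient key
    KeyPair recipient = kpg.generateKeyPair();
    byte[] cek = new byte[32];                   // constructed: a random 256-bit content encryption key
    new SecureRandom().nextBytes(cek);

    byte[] wrapped = wrapCek(recipient, cek, SHA256_ALL);
    System.out.println("same parameters on both sides: " + (unwrapCek(recipient, wrapped, SHA256_ALL) != null));
    System.out.println("MGF1 digest differs:           " + (unwrapCek(recipient, wrapped, SHA256_MGF1_SHA1) != null));
  }
}
```

The first line prints true, the second false. To carry this over to the RSACipherProviderOAEP above, pass the chosen OAEPParameterSpec to rsa.init(mode, key, spec) inside cipher() and make sure the RSAES-OAEP AlgorithmID set on the RecipientInfo describes the same hash and mask generation function; leaving both at the PKCS#1 defaults is the simplest consistent choice.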

Problem: When connecting to a TLS/HTTPS server using JSSE with IAIK as first provider the connection fails with an exception saying that that the trust store cannot be accessed because of a KeyStore parsing error. A typical exception stacktrace may look like:

    Exception in thread "main" java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
			at java.base/javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:263)
			at java.base/javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:270)
			at java.base/sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:413)
			at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:162)
			at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:474)
			at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:569)
			at java.base/sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:265)
			at java.base/sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:372)
			at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
			at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1181)
			at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1075)
			at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
			at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
			at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
			at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
			at java.base/java.net.URL.openStream(URL.java:1117)
		Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
			at java.base/java.security.Provider$Service.newInstance(Provider.java:1831)
			at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
			at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
			at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:168)
			at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:99)
			at java.base/javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:123)
			at java.base/javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:335)
			at java.base/javax.net.ssl.HttpsURLConnection.(HttpsURLConnection.java:292)
			at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.(HttpsURLConnectionImpl.java:95)
			at java.base/sun.net.www.protocol.https.Handler.openConnection(Handler.java:62)
			at java.base/sun.net.www.protocol.https.Handler.openConnection(Handler.java:57)
			at java.base/java.net.URL.openConnection(URL.java:1051)
			... 2 more
		Caused by: java.security.KeyStoreException: problem accessing trust store
			at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
			at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:278)
			at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getTrustManagers(SSLContextImpl.java:1052)
			at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.(SSLContextImpl.java:1022)
			at java.base/sun.security.ssl.SSLContextImpl$DefaultSSLContext.(SSLContextImpl.java:1197)
			at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
			at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
			at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
			at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
			at java.base/java.security.Provider.newInstanceUtil(Provider.java:153)
			at java.base/java.security.Provider$Service.newInstance(Provider.java:1824)
			... 13 more
		Caused by: iaik.pkcs.pkcs12.PKCS12ParsingException: iaik.pkcs.PKCSParsingException: ASN.1 creation error: iaik.asn1.CodingException: Length: Too large ASN.1 object: 109
			at iaik.pkcs.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:362)
			at iaik.utils.UniveralKeyStore.engineLoad(UniveralKeyStore.java:935)
			at java.base/java.security.KeyStore.load(KeyStore.java:1479)
			at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:365)
			at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:313)
			at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:55)
			at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
			... 23 more

The root exception also may be “masked” causing an exception message like: ” Unable to execute HTTP request: No X509TrustManager implementation available”.

Solution: Oracle has changed the JDK default KeyStore format from “JKS” to “PKCS12”, but still uses the JKS format for its cacerts default KeyStore. When, for instance, an application uses JSSE to connect to some TLS/HTTPS server (and does not have explicitly set some trust store) JSSE tries to read the certificates from the default cacerts KeyStore by instantiating a KeyStore with the default format (“PKCS12”). When IAIK is installed as first provider the PKCS12 KeyStore of the IAIK provider is instantiated and tries to parse the cacerts KeyStore. This, however, must fail since cacerts is a JKS KeyStore which cannot be read by the IAIK PKCS12KeyStore (that, of course, expects a KeyStore in PKCS12 format). The TLS/HTTPS connection attempt will fail with an Exception saying that the trust store cannot be accessed because of a KeyStore parsing problem.

There are several work arounds for solving this problem (and keeping IAIK as first provider):

  • Explicitly use and specify your own trust store in PKCS#12 format.
  • Run the VM with the java -Djavax.net.ssl.trustStoreType (and maybe -Djavax.net.ssl.keyStoreType) option(s) to set jks as trust/keystore format to be used:
        java -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.keyStoreType=jks ...
    
  • Advise the IAIK PKCS12KeyStore to try to parse a JKS KeyStore if it fails to parse a PKCS#12 KeyStore by setting setUseJKSFallBack() to true:
        PKCS12KeyStore.setUSEJKSFallBack(true);
    

Note that in the last case (using PKCS12KeyStore.setUSEJKSFallBack(true);) the IAIK PKCS12KeyStore will be advised to try the JKS format anytime it fails to parse a PKCS#12 KeyStore. This may cause some overhead. For that reason — and because you may not notice that you read a JKS KeyStore while you are expecting to read a PKCS#12 KeyStore — the JKS fallback mechanism is disabled by default and has to be explicitly enabled by calling PKCS12KeyStore.setUSEJKSFallBack(true);.

With JDK1.4 the JCE framework (JAVAX CRYPTO) has been incorporated into the standard JDK. Because of export regulations a JCE provider only maybe used with JDK1.4 (or JCE 1.2.1) if it is signed. IAIK-JCE provides signed and unsigned versions of its jar files (iaik_jce.jar, iaik_jce_full.jar). Using the unsigned version with JDK 1.4 will cause the ExceptionInInitializerError „Cannot set up certs for trusted CAs“. Please use the signed jar file. You also may ensure that the right JCE policy files are installed in the lib/security directory.

Due to a bug in the JDK jar file verification mechanism it may be necessary that the original SUN provider is installed as first provider. So insert the Stiftung SIC provider as second provider and explicitly request an IAIK engine when calling getInstance:

Security.insertProviderAt(new IAIK(), 2);
Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding", "IAIK");

Alternatively you may use static method addAsJDK14Provider of the IAIK-JCE provider main class. This method uses a work around that allows to use IAIK as first provider for JDK1.4, too:

IAIK.addAsJDK14Provider();

JDK 1.5.0_02 and later already have fixed the jar file verification problem. For this versions the IAIK provider
can be installed as first provider in the convential way (or registered statically):

Security.insertProviderAt(new IAIK(), 1);

Due to import control restrictions of some countries, JDK1.4 per default comes with jurisdiction policy files allowing “strong” but limited cryptography; so keys that exceed the allowed strength are not allowed to be used by this policy. If you are entitled to do so, you may download and install an “unlimited strength” version of these files (http://java.sun.com/j2se/1.4/download.html)

To be compatible with the standard JDK certificate API we had to change method getExtensionValue to return the encoding of the OCTET STRING extnValue:

Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }

The value of the extnValue OCTET_STRING represents the DER encoding of the Extension in mind itself; so you may have to add a second decoding step, e.g.:

byte[] extnValueEnc = cert.getExtensionValue(); 
 OCTET_STRING extnValue = DerCoder.decode(extnValueEnc); 
 ASN1Object asn1Extension = DerCoder.decode(extnValue.getValue());

However, generally it might be more appropriate to call method getExtension immediately (except when forced to produce provider independent code):

BasicConstraints bc = (BasicConstraints)cert.getExtension(BasicConstraints.oid);

In practice PKCS#7 objects like SignedData or EnvelopedData are wrapped into a ContentInfo before transmission to tell the recipient the PKCS#7 content type (s)he has to deal with. When parsing your SignedData object you first have to unwrap the ContentInfo as shown in demo.pkcs.TestContentInfo, e.g.:

// the stream from which to read the PKCS#7 object InputStream is = ...;
// the stream from which to read the content in explicit mode InputStream message = ...;
// create the ContentInfo object
ContentInfoStream cis = new ContentInfoStream(is);
System.out.println("This ContentInfo holds content of type " + cis.getContentType().getName());
SignedDataStream signed_data = null;
if (message == null) {
  // implicitly signed; get the content
  signed_data = (SignedDataStream)cis.getContent();
} else {
  // explicitly signed; set the data stream for digesting the message;
  // we assume here that SHA-1 and MD5 have been used for digesting
  AlgorithmID[] algIDs = { AlgorithmID.sha1, AlgorithmID.md5 };
  signed_data = new SignedDataStream(message, algIDs);
}
// get an InputStream for reading the signed content
InputStream data = signed_data.getInputStream();
OutputStream os = ...;
StreamCopier sc = new StreamCopier(data, os);
sc.copyStream();
if (message != null) {
  // if explicitly signed now decode the SignedData
  signed_data.decode(cis.getContentInputStream());
}
// now you may verify the signature(s)
System.out.println("SignedData contains the following signer information:");
SignerInfo[] signer_infos = signed_data.getSignerInfos();
for (int i=0; i<signer_infos.length; i++) {
  try {
    // verify the signed data using the SignerInfo at index i
    X509Certificate signer_cert = signed_data.verify(i);
    // if the signature is OK the certificate of the signer is returned
    System.out.println("Signature OK from signer: "+signer_cert.getSubjectDN());
  } catch (SignatureException ex) {
    // if the signature is not OK a SignatureException is thrown
    System.out.println("Signature ERROR from signer: "+ signed_data.getCertificate(signer_infos[i].getIssuerAndSerialNumber()).getSubjectDN());
    ex.printStackTrace();
  }
}

RFC2459 recommends to use UTF8String as default encoding. Where the character set is sufficient, PrintableString maybe used. For that reason IAIK-JCE uses PrintableString as default encoding for AVA string attribute values, but switches to UTF8String if the string value does contain non printable characters.

UTF8String, however, may not be handled by older versions of  certificate processing applications like Netscape 4.7. You either may switch do a more recent version of Netscape or use static method setNonPrintableDefaultEncoding of class AVA to change the default secondary encoding to be used for string values containing non printable characters, e.g.:

AVA.setNonPrintableDefaultEncoding(ASN.BMPString);

In explicit mode (where the content data is not included in the signature) we have observed that it might be necessary to apply “UnicodeLittleUnmarked” encoding to the data before verifying the Capicom signature, or to avoid using this encoding format right at the sender side as suggested in a former posting to this Newsgroup:

From the signing side (Capicom), the following code was used to read the file
 and avoid Unicode formatting:
       
 -------------------
 Dim objUtilities As New CAPICOM.Utilities
 Open strPathDocToBeSigned For Binary Access Read As #1
       
 ' Removing EOF
 ReDim abytFile(LOF(1) - 1)
 Get #1, , abytFile
 Close #1
       
 strFileContents = objUtilities.ByteArrayToBinaryString(abytFile)
 -------------------
       
 and after this the normal signing process of strFileContents.

However, with the following sample code you should be able to verify both, explicit and implicit signatures (use the stream based classes if you have to deal with big amounts of data):

  import java.io.IOException;
  import java.io.InputStream;
  import java.io.FileInputStream;
  import java.security.NoSuchAlgorithmException;
  import java.security.SignatureException;

  import iaik.asn1.CodingException;
  import iaik.asn1.ObjectID;
  import iaik.asn1.structures.AlgorithmID;
  import iaik.asn1.structures.Attribute;
  import iaik.asn1.structures.ChoiceOfTime;
  import iaik.pkcs.PKCSException;
  import iaik.pkcs.pkcs7.ContentInfo;
  import iaik.pkcs.pkcs7.SignedData;
  import iaik.pkcs.pkcs7.SignerInfo;
  import iaik.security.provider.IAIK;
  import iaik.utils.ASN1InputStream;
  import iaik.x509.X509Certificate;

  public class SignedDataParse {

    public static void main(String[] args) {
      InputStream is = null;
      try {
        byte[] data = null;
        IAIK.addAsJDK14Provider();
        // read in the PKCS#7 SignedData encoding
        is = new FileInputStream("...");
        // uncomment the following line to supply the data in explicit mode:
        // data = "...".getBytes("UnicodeLittleUnmarked");
        ASN1InputStream asn1In = new ASN1InputStream(is);
        byte[] content = getSignedData(asn1In, data);
        // uncomment the following if the data represents an (UnicodeLittleUnmarked) encoded string:
        // String s1 = new String(content, "UnicodeLittleUnmarked");
        // System.out.println(s1);
        System.out.println("Ready");
      } catch (Exception ex) {
        ex.printStackTrace();
      } finally {
        if (is != null) {
          try {
            is.close();
          } catch (IOException ex) {
            // ignore errors when closing the input stream
          }
        }
      }
    }

    /**
     * Parses a PKCS#7 SignedData object and verifies the signature.
     *
     * @param is the input stream supplying the BER encoded PKCS#7 SignedData object.
     * @param message the content data supplied by other means (only required in explicit mode)
     *
     * @return the content data
     *
     * @exception PKCSException if an error occurs when parsing the SignedData
     * @exception IOException if an error occurs when reading from the stream
     */
    static byte[] getSignedData(InputStream is, byte[] message) throws PKCSException, IOException {

      // create a content info from the encoding
      ContentInfo ci = new ContentInfo(is);
      System.out.println("This ContentInfo holds content of type " + ci.getContentType().getName());

      SignedData signed_data = null;
      if (message == null) {
        // in implicit mode we simply can get the content:
        signed_data = (SignedData) ci.getContent();
      } else {
        // explicitly signed; set the data for digesting the message; we assume SHA-1 and MD5
        AlgorithmID[] algIDs = { AlgorithmID.sha1, AlgorithmID.md5 };
        try {
          signed_data = new SignedData(message, algIDs);
          // now explicitly decode the DER encoded SignedData obtained from the ContentInfo:
          signed_data.decode(ci.getContentInputStream());
        } catch (NoSuchAlgorithmException ex) {
          throw new PKCSException(ex.getMessage());
        }
      }

      System.out.println("SignedData contains the following signer information:");
      SignerInfo[] signer_infos = signed_data.getSignerInfos();

      for (int i = 0; i < signer_infos.length; i++) {
        try {
          // verify the signed data using the SignerInfo at index i
          X509Certificate signer_cert = signed_data.verify(i);
          // if the signature is OK the certificate of the signer is returned
          System.out.println("Signature OK from signer: " + signer_cert.getSubjectDN());
          Attribute signingTime = signer_infos[i].getAuthenticatedAttribute(ObjectID.signingTime);
          if (signingTime != null) {
            ChoiceOfTime cot = new ChoiceOfTime(signingTime.getValue()[0]);
            System.out.println("This message has been signed at " + cot.getDate());
          }
          Attribute contentType = signer_infos[i].getAuthenticatedAttribute(ObjectID.contentType);
          if (contentType != null) {
            System.out.println("The content has PKCS#7 content type " + contentType.getValue()[0]);
          }
        } catch (SignatureException ex) {
          // if the signature is not OK a SignatureException is thrown
          System.out.println("Signature ERROR from signer: "
              + signed_data.getCertificate(signer_infos[i].getIssuerAndSerialNumber()).getSubjectDN());
          ex.printStackTrace();
        } catch (CodingException ex) {
          System.out.println("Attribute decoding error: " + ex.getMessage());
        }
      }
      return signed_data.getContent();
    }
  }

There are several ways to use OAEP padding (for instance you may encrypt the content encryption key yourself with OAEP and then use the constructor that accepts the already encrypted key), but the simplest way might be to override the RSACipherProvider to use RSA with OAEP padding and set it for the RecipientInfos for which you want to use OAEP (note that you will have to specify a proper AlgorithmID for RSAEncryptionOAEP), e.g.:

import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import javax.crypto.Cipher;
import iaik.pkcs.pkcs7.RSACipherProvider;

public class RSACipherProviderOAEP extends RSACipherProvider {
  // ... (further members as needed)

  /**
   * En/deciphers the given data using RSA with OAEP padding.
   *
   * @param mode the cipher mode, either ENCRYPT (1) or DECRYPT (2)
   * @param key the key to be used
   * @param data the data to be en/deciphered:
   * <ul>
   * <li>for RecipientInfo cek encryption: the raw content encryption key
   * <li>for RecipientInfo cek decryption: the encrypted content encryption key
   * </ul>
   *
   * @return the en/deciphered data:
   * <ul>
   * <li>for RecipientInfo cek encryption: the encrypted content encryption key
   * <li>for RecipientInfo cek decryption: the raw (decrypted) content encryption key
   * </ul>
   *
   * @exception NoSuchProviderException if any of the crypto providers of this RSACipherProvider is not suitable
   * for the requested operation
   * @exception NoSuchAlgorithmException if RSA ciphering is not supported
   * @exception InvalidKeyException if the supplied key is invalid
   * @exception GeneralSecurityException if a general security problem occurs
   */
  protected byte[] cipher(int mode, Key key, byte[] data)
      throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, GeneralSecurityException {
    // "RSA/ECB/OAEP" selects RSA with OAEP padding instead of the default PKCS#1 v1.5 padding
    Cipher rsa = Cipher.getInstance("RSA/ECB/OAEP");
    rsa.init(mode, key);
    return rsa.doFinal(data);
  }
}

On the sender side set your RSA cipher provider for each RecipientInfo you wish to use it for:

 // specify an AlgorithmID for RSA with OAEP padding
 AlgorithmID rsaEncryptionOAEP = new AlgorithmID("1.2.840.113549.1.1.6", "RSAEncryptionOAEP");
 // the recipient certificate
 X509Certificate recipientCert = ...;
 // create the RecipientInfo
 RecipientInfo recipient = new RecipientInfo(recipientCert, rsaEncryptionOAEP);
 // set the RSA cipher provider for using RSA with OAEP padding
 recipient.setRSACipherProvider(new RSACipherProviderOAEP());

On the receiving side set your RSA cipher provider before decrypting the encrypted content encryption key:

 // the RSA OAEP provider to be used
 RSACipherProviderOAEP rsaCipherProviderOAEP = new RSACipherProviderOAEP();
 ...
 // get the RecipientInfos
 RecipientInfo[] recipients = envelopedData.getRecipientInfos();
 for (int i = 0; i < recipients.length; i++) {
   System.out.println("Recipient: " + (i + 1));
   System.out.print(recipients[i].getIssuerAndSerialNumber());
   // set the RSA cipher provider for using RSA with OAEP padding
   recipients[i].setRSACipherProvider(rsaCipherProviderOAEP);
 }
 // decrypt the message (recipientInfoIndex selects the RecipientInfo matching recipientPrivateKey)
 envelopedData.setupCipher(recipientPrivateKey, recipientInfoIndex);
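The following added example (not IAIK's own demo code) ties the sender and receiver snippets above into one round trip: it reuses the RSACipherProviderOAEP class shown above, builds a constructed key pair and self-signed recipient certificate, envelopes a constructed message with the content encryption key wrapped by RSA-OAEP, and decrypts it again. It assumes the IAIK-JCE calls EnvelopedData(byte[], AlgorithmID), EnvelopedData(InputStream), toByteArray(), the X509Certificate setters and sign(), and Name.addRDN() as named here.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.GregorianCalendar;
import iaik.asn1.ObjectID;
import iaik.asn1.structures.AlgorithmID;
import iaik.asn1.structures.Name;
import iaik.pkcs.pkcs7.EnvelopedData;
import iaik.pkcs.pkcs7.RecipientInfo;
import iaik.security.provider.IAIK;
import iaik.x509.X509Certificate;
public class OaepEnvelopeRoundTrip {
  // self-signed recipient certificate for the constructed key pair (demo only, assumed setter API)
  static X509Certificate selfSigned(KeyPair kp) throws Exception {
    Name dn = new Name();
    dn.addRDN(ObjectID.commonName, "OAEP demo recipient");
    X509Certificate cert = new X509Certificate();
    cert.setSerialNumber(BigInteger.ONE);
    cert.setSubjectDN(dn);
    cert.setIssuerDN(dn);
    cert.setPublicKey(kp.getPublic());
    GregorianCalendar cal = new GregorianCalendar();
    cert.setValidNotBefore(cal.getTime());
    cal.add(GregorianCalendar.YEAR, 1);
    cert.setValidNotAfter(cal.getTime());
    cert.sign(AlgorithmID.sha256WithRSAEncryption, kp.getPrivate());
    return cert;
  }
  public static void main(String[] args) throws Exception {
    IAIK.addAsProvider();
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "IAIK");
    kpg.initialize(2048);
    KeyPair kp = kpg.generateKeyPair();
    X509Certificate recipientCert = selfSigned(kp);
    byte[] plain = "constructed sample message".getBytes("UTF-8");
    // sender: AES-128-CBC content encryption, CEK wrapped with RSA-OAEP by the overridden provider
    EnvelopedData envelopedData = new EnvelopedData(plain, AlgorithmID.aes128_CBC);
    AlgorithmID rsaEncryptionOAEP = new AlgorithmID("1.2.840.113549.1.1.6", "RSAEncryptionOAEP");
    RecipientInfo recipient = new RecipientInfo(recipientCert, rsaEncryptionOAEP);
    recipient.setRSACipherProvider(new RSACipherProviderOAEP());
    envelopedData.setRecipientInfos(new RecipientInfo[] { recipient });
    byte[] encoded = envelopedData.toByteArray();
    // receiver: parse, install the OAEP provider on every RecipientInfo, then unwrap the CEK and decrypt
    EnvelopedData received = new EnvelopedData(new ByteArrayInputStream(encoded));
    for (RecipientInfo ri : received.getRecipientInfos()) ri.setRSACipherProvider(new RSACipherProviderOAEP());
    received.setupCipher(kp.getPrivate(), 0);
    System.out.println(new String(received.getContent(), "UTF-8"));
  }
}
```

If the receiver forgets to set the OAEP provider, the content encryption key is unwrapped with the default PKCS#1 v1.5 padding and setupCipher fails, which is the symptom to look for when an OAEP-enveloped message does not decrypt.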

Any questions?

Don't hesitate to ask us about our products.

Contact us