Package javacard.security

Class Signature

java.lang.Object

javacard.security.Signature

Direct Known Subclasses:

Signature.OneShot

public abstract class Signature
extends Object

The Signature class is the base class for Signature algorithms. Implementations of Signature algorithms must extend this class and implement all the abstract methods.

The term "pad" is used in the public key signature algorithms below to refer to all the operations specified in the referenced scheme to transform the message digest into the encryption block size.

Even if a transaction is in progress, update of intermediate result state in the implementation instance shall not participate in the transaction.

A tear or card reset event resets an initialized Signature object to a state where:

• the key and the mode are the same as when previously initialized via a call to init(Key, byte) or init(Key, byte, byte[], short, short).
• other initial values are the same default values as after a call to init(Key, byte). For example:
  • AES, DES, triple DES, Korean SEED and SM4 algorithms used in modes requiring an initial vector (like CBC, CFB, CTR, XTS modes) will use 0 for initial vector(IV).
  • RSA algorithm used with the PKCS#1-PSS scheme, will use default values for the salt length and the default message digest algorithm for MGF1 as specified in the description of the related constants.
  • EDDSA algorithms will use the default value for the context as defined in the description of the related constants.

That is, the object is reset and available to sign or verify (depending on the operation mode that was specified in the call to init()) more data.

Notes:

• The byte array containing algorithm specific initialization information can be re-initialized using the init(Key, byte, byte[], short, short) method.
• For algorithms which support keys with transient key data sets, e.g RSA, the Signature object key becomes uninitialized on clear events associated with the Key object used to initialize the Signature object.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	Signature.OneShot	The OneShot class is a specialization of the Signature class intended to support efficient one-shot signing and verification operations that may avoid persistent memory writes entirely.

Field Summary

Fields

Modifier and Type	Field	Description
static byte	ALG_AES_CMAC_128	Signature algorithm ALG_AES_CMAC_128 generates a 16-byte Cipher-based MAC (CMAC) using AES with blocksize 128 in CBC mode with ISO9797_M2 padding scheme.
static byte	ALG_AES_MAC_128_NOPAD	Signature algorithm ALG_AES_MAC_128_NOPAD generates a 16-byte MAC using AES with blocksize 128 in CBC mode and does not pad input data.
static byte	ALG_AES_MAC_192_NOPAD	Deprecated.
static byte	ALG_AES_MAC_256_NOPAD	Deprecated.
static byte	ALG_DES_MAC4_ISO9797_1_M1_ALG3	Signature algorithm ALG_DES_MAC4_ISO9797_1_M1_ALG3 generates a 4-byte MAC using triple DES with a 2-key DES3 key according to ISO9797-1 MAC algorithm 3 with method 1, where input data is padded using method 1 and the data is processed as described in MAC Algorithm 3 of the ISO 9797-1 specification.
static byte	ALG_DES_MAC4_ISO9797_1_M2_ALG3	Signature algorithm ALG_DES_MAC4_ISO9797_1_M2_ALG3 generates a 4-byte MAC using triple DES with a 2-key DES3 key according to ISO9797-1 MAC algorithm 3 with method 2 (also 3.0, EMV 4.0), where input data is padded using method 2 and the data is processed as described in MAC Algorithm 3 of the ISO 9797-1 specification.
static byte	ALG_DES_MAC4_ISO9797_M1	Signature algorithm ALG_DES_MAC4_ISO9797_M1 generates a 4-byte MAC (most significant 4 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode.
static byte	ALG_DES_MAC4_ISO9797_M2	Signature algorithm ALG_DES_MAC4_ISO9797_M2 generates a 4-byte MAC (most significant 4 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode.
static byte	ALG_DES_MAC4_NOPAD	Signature algorithm ALG_DES_MAC4_NOPAD generates a 4-byte MAC (most significant 4 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode.
static byte	ALG_DES_MAC4_PKCS5	Signature algorithm ALG_DES_MAC4_PKCS5 generates a 4-byte MAC (most significant 4 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode.
static byte	ALG_DES_MAC8_ISO9797_1_M1_ALG3	Signature algorithm ALG_DES_MAC8_ISO9797_1_M1_ALG3 generates an 8-byte MAC using triple DES with a 2-key DES3 key according to ISO9797-1 MAC algorithm 3 with method 1, where input data is padded using method 1 and the data is processed as described in MAC Algorithm 3 of the ISO 9797-1 specification.
static byte	ALG_DES_MAC8_ISO9797_1_M2_ALG3	Signature algorithm ALG_DES_MAC8_ISO9797_1_M2_ALG3 generates an 8-byte MAC using triple DES with a 2-key DES3 key according to ISO9797-1 MAC algorithm 3 with method 2 (also EMV 3.0, EMV 4.0), where input data is padded using method 2 and the data is processed as described in MAC Algorithm 3 of the ISO 9797-1 specification.
static byte	ALG_DES_MAC8_ISO9797_M1	Signature algorithm ALG_DES_MAC8_ISO9797_M1 generates an 8-byte MAC using DES in CBC mode or triple DES in outer CBC mode.
static byte	ALG_DES_MAC8_ISO9797_M2	Signature algorithm ALG_DES_MAC8_ISO9797_M2 generates an 8-byte MAC using DES in CBC mode or triple DES in outer CBC mode.
static byte	ALG_DES_MAC8_NOPAD	Signature algorithm ALG_DES_MAC8_NOPAD generates an 8-byte MAC using DES in CBC mode or triple DES in outer CBC mode.
static byte	ALG_DES_MAC8_PKCS5	Signature algorithm ALG_DES_MAC8_PKCS5 generates an 8-byte MAC using DES in CBC mode or triple DES in outer CBC mode.
static byte	ALG_DSA_SHA	Signature algorithm ALG_DSA_SHA generates a 20-byte SHA digest and signs/verifies the digests using DSA.
static byte	ALG_ECDSA_SHA	Signature algorithm ALG_ECDSA_SHA generates a 20-byte SHA digest and signs/verifies the digest using ECDSA.
static byte	ALG_ECDSA_SHA_224	Signature algorithm ALG_ECDSA_SHA_224 generates a 28-byte SHA-224 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-224 curve specified in the Digital Signature Standards specification[NIST FIPS PUB 186-2].
static byte	ALG_ECDSA_SHA_256	Signature algorithm ALG_ECDSA_SHA_256 generates a 32-byte SHA-256 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-256 curve specified in the Digital Signature Standards specification[NIST FIPS PUB 186-2].
static byte	ALG_ECDSA_SHA_384	Signature algorithm ALG_ECDSA_SHA_384 generates a 48-byte SHA-384 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-384 curve specified in the Digital Signature Standards specification[NIST FIPS PUB 186-2].
static byte	ALG_ECDSA_SHA_512	Signature algorithm ALG_ECDSA_SHA_512 generates a 64-byte SHA-512 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-521 curve specified in the Digital Signature Standards specification[NIST FIPS PUB 186-2].
static byte	ALG_HMAC_MD5	HMAC message authentication algorithm ALG_HMAC_MD5 This algorithm generates an HMAC following the steps found in RFC: 2104 using MD5 as the hashing algorithm.
static byte	ALG_HMAC_RIPEMD160	HMAC message authentication algorithm ALG_HMAC_RIPEMD160 This algorithm generates an HMAC following the steps found in RFC: 2104 using RIPEMD160 as the hashing algorithm.
static byte	ALG_HMAC_SHA_256	HMAC message authentication algorithm ALG_HMAC_SHA_256 This algorithm generates an HMAC following the steps found in RFC: 2104 using SHA-256 as the hashing algorithm.
static byte	ALG_HMAC_SHA_384	HMAC message authentication algorithm ALG_HMAC_SHA_384 This algorithm generates an HMAC following the steps found in RFC: 2104 using SHA-384 as the hashing algorithm.
static byte	ALG_HMAC_SHA_512	HMAC message authentication algorithm ALG_HMAC_SHA_512 This algorithm generates an HMAC following the steps found in RFC: 2104 using SHA-512 as the hashing algorithm.
static byte	ALG_HMAC_SHA1	HMAC message authentication algorithm ALG_HMAC_SHA1 This algorithm generates an HMAC following the steps found in RFC: 2104 using SHA1 as the hashing algorithm.
static byte	ALG_KOREAN_SEED_MAC_NOPAD	Signature algorithm ALG_KOREAN_SEED_MAC_NOPAD generates an 16-byte MAC using Korean SEED in CBC mode.
static byte	ALG_RSA_MD5_PKCS1	Signature algorithm ALG_RSA_MD5_PKCS1 generates a 16-byte MD5 digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.
static byte	ALG_RSA_MD5_PKCS1_PSS	Signature algorithm ALG_RSA_MD5_PKCS1_PSS generates a 16-byte MD5 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the MD5 digest length i.e 16 bytes and with MD5 as the message digest algorithm for MGF1, and encrypts it using RSA.
static byte	ALG_RSA_MD5_RFC2409	Signature algorithm ALG_RSA_MD5_RFC2409 generates a 16-byte MD5 digest, pads the digest according to the RFC2409 scheme, and encrypts it using RSA.
static byte	ALG_RSA_RIPEMD160_ISO9796	Signature algorithm ALG_RSA_RIPEMD160_ISO9796 generates a 20-byte RIPE MD-160 digest, pads the digest according to the ISO 9796 scheme, and encrypts it using RSA.
static byte	ALG_RSA_RIPEMD160_ISO9796_MR	Signature algorithm ALG_RSA_RIPEMD160_ISO9796_MR generates 20-byte RIPE MD-160 digest, pads it according to the ISO9796-2 specification and encrypts using RSA.
static byte	ALG_RSA_RIPEMD160_PKCS1	Signature algorithm ALG_RSA_RIPEMD160_PKCS1 generates a 20-byte RIPE MD-160 digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.
static byte	ALG_RSA_RIPEMD160_PKCS1_PSS	Signature algorithm ALG_RSA_RIPEMD160_PKCS1_PSS generates a 20-byte RIPE MD-160 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the RIPE MD-160 digest length i.e 20 bytes and with RIPE MD-160 as the message digest algorithm for MGF1, and encrypts it using RSA.
static byte	ALG_RSA_SHA_224_PKCS1	Signature algorithm ALG_RSA_SHA_224_PKCS1 generates a 28-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.
static byte	ALG_RSA_SHA_224_PKCS1_PSS	Signature algorithm ALG_RSA_SHA_224_PKCS1_PSS generates a 28-byte SHA-224 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-224 digest length i.e 28 bytes and with SHA-224 as the message digest algorithm of MGF1, and encrypts it using RSA.
static byte	ALG_RSA_SHA_256_PKCS1	Signature algorithm ALG_RSA_SHA_256_PKCS1 generates a 32-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.
static byte	ALG_RSA_SHA_256_PKCS1_PSS	Signature algorithm ALG_RSA_SHA_256_PKCS1_PSS generates a 32-byte SHA-256 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-256 digest length i.e 32 bytes and with SHA-256 as the message digest algorithm of MGF1, and encrypts it using RSA.
static byte	ALG_RSA_SHA_384_PKCS1	Signature algorithm ALG_RSA_SHA_384_PKCS1 generates a 48-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.
static byte	ALG_RSA_SHA_384_PKCS1_PSS	Signature algorithm ALG_RSA_SHA_384_PKCS1_PSS generates a 48-byte SHA-384 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-384 digest length i.e 48 bytes and with SHA-384 as the message digest algorithm of MGF1, and encrypts it using RSA.
static byte	ALG_RSA_SHA_512_PKCS1	Signature algorithm ALG_RSA_SHA_512_PKCS1 generates a 64-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.
static byte	ALG_RSA_SHA_512_PKCS1_PSS	Signature algorithm ALG_RSA_SHA_512_PKCS1_PSS generates a 64-byte SHA-512 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-512 digest length i.e 64 bytes and with SHA-512 as the message digest algorithm of MGF1, and encrypts it using RSA.
static byte	ALG_RSA_SHA_ISO9796	Signature algorithm ALG_RSA_SHA_ISO9796 generates a 20-byte SHA digest, pads the digest according to the ISO/IEC 9796-2 scheme as specified in EMV 3.0 and EMV 4.0, and encrypts it using RSA.
static byte	ALG_RSA_SHA_ISO9796_MR	Signature algorithm ALG_RSA_SHA_ISO9796_MR generates 20-byte SHA-1 digest, pads it according to the ISO/IEC 9796-2 specification and encrypts using RSA.
static byte	ALG_RSA_SHA_PKCS1	Signature algorithm ALG_RSA_SHA_PKCS1 generates a 20-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.
static byte	ALG_RSA_SHA_PKCS1_PSS	Signature algorithm ALG_RSA_SHA_PKCS1_PSS generates a 20-byte SHA-1 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-1 digest length i.e 20 bytes and with SHA-1 as the message digest algorithm for MGF1, and encrypts it using RSA.
static byte	ALG_RSA_SHA_RFC2409	Signature algorithm ALG_RSA_SHA_RFC2409 generates a 20-byte SHA digest, pads the digest according to the RFC2409 scheme, and encrypts it using RSA.
static byte	MODE_SIGN	Used in init() methods to indicate signature sign mode.
static byte	MODE_VERIFY	Used in init() methods to indicate signature verify mode.
static byte	SIG_CIPHER_AES_CMAC128	Cipher algorithm SIG_CIPHER_AES_CMAC128 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_AES_MAC128	Cipher algorithm SIG_CIPHER_AES_MAC128 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_DES_MAC4	Cipher algorithm SIG_CIPHER_DES_MAC4 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_DES_MAC8	Cipher algorithm SIG_CIPHER_DES_MAC8 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_DSA	Cipher algorithm SIG_CIPHER_DSA choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_ECDSA	Cipher algorithm SIG_CIPHER_ECDSA choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_ECDSA_PLAIN	Cipher algorithm SIG_CIPHER_ECDSA_PLAIN choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_EDDSA	Cipher algorithm SIG_CIPHER_EDDSA choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_EDDSA_ED25519	Cipher algorithm SIG_CIPHER_EDDSA_ED25519 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_EDDSA_ED448	Cipher algorithm SIG_CIPHER_EDDSA_ED448 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_EDDSAPH	Cipher algorithm SIG_CIPHER_EDDSAPH choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_EDDSAPH_ED25519	Cipher algorithm SIG_CIPHER_EDDSAPH_ED25519 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_EDDSAPH_ED448	Cipher algorithm SIG_CIPHER_EDDSAPH_ED448 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_HMAC	Cipher algorithm SIG_CIPHER_HMAC choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_KOREAN_SEED_MAC	Cipher algorithm SIG_CIPHER_KOREAN_SEED_MAC choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_RSA	Cipher algorithm SIG_CIPHER_RSA choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_SM2	Cipher algorithm SIG_CIPHER_SM2 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.
static byte	SIG_CIPHER_SM4_MAC128	Cipher algorithm SIG_CIPHER_SM4_MAC128 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method.

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	Signature()	Protected Constructor

Method Summary

Modifier and Type	Method	Description
abstract byte	getAlgorithm()	Gets the Signature algorithm.
abstract byte	getCipherAlgorithm()	Gets the cipher algorithm.
static Signature	getInstance(byte algorithm, boolean externalAccess)	Creates a Signature object instance of the selected algorithm.
static Signature	getInstance(byte messageDigestAlgorithm, byte cipherAlgorithm, byte paddingAlgorithm, boolean externalAccess)	Creates a Signature object instance with the selected message digest algorithm, cipher algorithm and padding algorithm.
abstract short	getLength()	Returns the byte length of the signature data.
abstract byte	getMessageDigestAlgorithm()	Gets the message digest algorithm.
abstract byte	getPaddingAlgorithm()	Gets the padding algorithm.
abstract void	init(Key theKey, byte theMode)	Initializes the Signature object with the appropriate Key.
abstract void	init(Key theKey, byte theMode, byte[] bArray, short bOff, short bLen)	Initializes the Signature object with the appropriate Key and algorithm specific parameters.
abstract void	setInitialDigest(byte[] state, short stateOffset, short stateLength, byte[] digestedMsgLenBuf, short digestedMsgLenOffset, short digestedMsgLenLength)	This method initializes the starting hash value in place of the default value used by the Signature class.
abstract short	sign(byte[] inBuff, short inOffset, short inLength, byte[] sigBuff, short sigOffset)	Generates the signature of all/last input data.
abstract short	signPreComputedHash(byte[] hashBuff, short hashOffset, short hashLength, byte[] sigBuff, short sigOffset)	Generates the signature of the precomputed hash data.
abstract void	update(byte[] inBuff, short inOffset, short inLength)	Accumulates a signature of the input data.
abstract boolean	verify(byte[] inBuff, short inOffset, short inLength, byte[] sigBuff, short sigOffset, short sigLength)	Verifies the signature of all/last input data against the passed in signature.
abstract boolean	verifyPreComputedHash(byte[] hashBuff, short hashOffset, short hashLength, byte[] sigBuff, short sigOffset, short sigLength)	Verifies the signature of precomputed hash data.

Methods inherited from class java.lang.Object

equals

Field Detail

ALG_DES_MAC4_NOPAD

public static final byte ALG_DES_MAC4_NOPAD

Signature algorithm ALG_DES_MAC4_NOPAD generates a 4-byte MAC (most significant 4 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode. This algorithm does not pad input data. If the input data is not (8 byte) block aligned it throws CryptoException with the reason code ILLEGAL_USE.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC4, Cipher.PAD_NOPAD constants respectively.

See Also:

Constant Field Values

ALG_DES_MAC8_NOPAD

public static final byte ALG_DES_MAC8_NOPAD

Signature algorithm ALG_DES_MAC8_NOPAD generates an 8-byte MAC using DES in CBC mode or triple DES in outer CBC mode. This algorithm does not pad input data. If the input data is not (8 byte) block aligned it throws CryptoException with the reason code ILLEGAL_USE.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC8, Cipher.PAD_NOPAD constants respectively.

Note:

• This algorithm must not be implemented if export restrictions apply.

See Also:

Constant Field Values

ALG_DES_MAC4_ISO9797_M1

public static final byte ALG_DES_MAC4_ISO9797_M1

Signature algorithm ALG_DES_MAC4_ISO9797_M1 generates a 4-byte MAC (most significant 4 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode. Input data is padded according to the ISO 9797 method 1 scheme.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC4, Cipher.PAD_ISO9797_M1 constants respectively.

See Also:

Constant Field Values

ALG_DES_MAC8_ISO9797_M1

public static final byte ALG_DES_MAC8_ISO9797_M1

Signature algorithm ALG_DES_MAC8_ISO9797_M1 generates an 8-byte MAC using DES in CBC mode or triple DES in outer CBC mode. Input data is padded according to the ISO 9797 method 1 scheme.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC8, Cipher.PAD_ISO9797_M1 constants respectively.

Note:

• This algorithm must not be implemented if export restrictions apply.

See Also:

Constant Field Values

ALG_DES_MAC4_ISO9797_M2

public static final byte ALG_DES_MAC4_ISO9797_M2

Signature algorithm ALG_DES_MAC4_ISO9797_M2 generates a 4-byte MAC (most significant 4 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode. Input data is padded according to the ISO 9797 method 2 (ISO 7816-4, EMV 3.0) scheme.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC4, Cipher.PAD_ISO9797_M2 constants respectively.

See Also:

Constant Field Values

ALG_DES_MAC8_ISO9797_M2

public static final byte ALG_DES_MAC8_ISO9797_M2

Signature algorithm ALG_DES_MAC8_ISO9797_M2 generates an 8-byte MAC using DES in CBC mode or triple DES in outer CBC mode. Input data is padded according to the ISO 9797 method 2 (ISO 7816-4, EMV 3.0) scheme.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC8, Cipher.PAD_ISO9797_M2 constants respectively.

Note:

• This algorithm must not be implemented if export restrictions apply.

See Also:

Constant Field Values

ALG_DES_MAC4_PKCS5

public static final byte ALG_DES_MAC4_PKCS5

Signature algorithm ALG_DES_MAC4_PKCS5 generates a 4-byte MAC (most significant 4 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode. Input data is padded according to the PKCS#5 scheme.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC4, Cipher.PAD_PKCS5 constants respectively.

See Also:

Constant Field Values

ALG_DES_MAC8_PKCS5

public static final byte ALG_DES_MAC8_PKCS5

Signature algorithm ALG_DES_MAC8_PKCS5 generates an 8-byte MAC using DES in CBC mode or triple DES in outer CBC mode. Input data is padded according to the PKCS#5 scheme.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC8, Cipher.PAD_PKCS5 constants respectively.

Note:

• This algorithm must not be implemented if export restrictions apply.

See Also:

Constant Field Values

ALG_RSA_SHA_ISO9796

public static final byte ALG_RSA_SHA_ISO9796

Signature algorithm ALG_RSA_SHA_ISO9796 generates a 20-byte SHA digest, pads the digest according to the ISO/IEC 9796-2 scheme as specified in EMV 3.0 and EMV 4.0, and encrypts it using RSA. The signature options are according to Cipher.PAD_ISO9796.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA, SIG_CIPHER_RSA, Cipher.PAD_ISO9796 constants respectively.

Note:

• The verify method does not support the message recovery semantics of this algorithm.

See Also:

Constant Field Values

ALG_RSA_SHA_PKCS1

public static final byte ALG_RSA_SHA_PKCS1

Signature algorithm ALG_RSA_SHA_PKCS1 generates a 20-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.

Note:

• The encryption block(EB) during signing is built as follows:
  EB = 00 || 01 || PS || 00 || T
  :: where T is the DER encoding of :
  digestInfo ::= SEQUENCE {
  digestAlgorithm AlgorithmIdentifier of SHA-1,
  digest OCTET STRING
  }
  :: PS is an octet string of length k-3-||T|| with value FF. The length of PS must be at least 8 octets.
  :: k is the RSA modulus size.
  DER encoded SHA-1 AlgorithmIdentifier = 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14.
  

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA, SIG_CIPHER_RSA, Cipher.PAD_PKCS1 constants respectively.

See Also:

Constant Field Values

ALG_RSA_MD5_PKCS1

public static final byte ALG_RSA_MD5_PKCS1

Signature algorithm ALG_RSA_MD5_PKCS1 generates a 16-byte MD5 digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.

Note:

• The encryption block(EB) during signing is built as follows:
  EB = 00 || 01 || PS || 00 || T
  :: where T is the DER encoding of :
  digestInfo ::= SEQUENCE {
  digestAlgorithm AlgorithmIdentifier of MD5,
  digest OCTET STRING
  }
  :: PS is an octet string of length k-3-||T|| with value FF. The length of PS must be at least 8 octets.
  :: k is the RSA modulus size.
  DER encoded MD5 AlgorithmIdentifier = 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 04 10.
  

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_MD5, SIG_CIPHER_RSA, Cipher.PAD_PKCS1 constants respectively.

See Also:

Constant Field Values

ALG_RSA_RIPEMD160_ISO9796

public static final byte ALG_RSA_RIPEMD160_ISO9796

Signature algorithm ALG_RSA_RIPEMD160_ISO9796 generates a 20-byte RIPE MD-160 digest, pads the digest according to the ISO 9796 scheme, and encrypts it using RSA. The signature options are according to Cipher.PAD_ISO9796.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_RIPEMD160, SIG_CIPHER_RSA, Cipher.PAD_ISO9796 constants respectively.

See Also:

Constant Field Values

ALG_RSA_RIPEMD160_PKCS1

public static final byte ALG_RSA_RIPEMD160_PKCS1

Signature algorithm ALG_RSA_RIPEMD160_PKCS1 generates a 20-byte RIPE MD-160 digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.

Note:

• The encryption block(EB) during signing is built as follows:
  EB = 00 || 01 || PS || 00 || T
  :: where T is the DER encoding of :
  digestInfo ::= SEQUENCE {
  digestAlgorithm AlgorithmIdentifier of RIPEMD160,
  digest OCTET STRING
  }
  :: PS is an octet string of length k-3-||T|| with value FF. The length of PS must be at least 8 octets.
  :: k is the RSA modulus size.
  

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_RIPEMD160, SIG_CIPHER_RSA, Cipher.PAD_PKCS1 constants respectively.

See Also:

Constant Field Values

ALG_DSA_SHA

public static final byte ALG_DSA_SHA

Signature algorithm ALG_DSA_SHA generates a 20-byte SHA digest and signs/verifies the digests using DSA. The signature is encoded as an ASN.1 sequence of two INTEGER values, r and s, in that order: SEQUENCE ::= { r INTEGER, s INTEGER }

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA, SIG_CIPHER_DSA, Cipher.PAD_NULL constants respectively.

See Also:

Constant Field Values

ALG_RSA_SHA_RFC2409

public static final byte ALG_RSA_SHA_RFC2409

Signature algorithm ALG_RSA_SHA_RFC2409 generates a 20-byte SHA digest, pads the digest according to the RFC2409 scheme, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA, SIG_CIPHER_RSA, Cipher.PAD_RFC2409 constants respectively.

See Also:

Constant Field Values

ALG_RSA_MD5_RFC2409

public static final byte ALG_RSA_MD5_RFC2409

Signature algorithm ALG_RSA_MD5_RFC2409 generates a 16-byte MD5 digest, pads the digest according to the RFC2409 scheme, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_MD5, SIG_CIPHER_RSA, Cipher.PAD_RFC2409 constants respectively.

See Also:

Constant Field Values

ALG_ECDSA_SHA

public static final byte ALG_ECDSA_SHA

Signature algorithm ALG_ECDSA_SHA generates a 20-byte SHA digest and signs/verifies the digest using ECDSA. The signature is encoded as an ASN.1 sequence of two INTEGER values, r and s, in that order: SEQUENCE ::= { r INTEGER, s INTEGER }

Note:

• This algorithm truncates the SHA-1 digest to the length of the EC key for EC key lengths less than 160 bits in accordance with section 4.1 "Elliptic Curve Digit Signature Algorithm" of the "SEC 1: Elliptic Curve Cryptography" specification

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA, SIG_CIPHER_ECDSA, Cipher.PAD_NULL constants respectively.

See Also:

Constant Field Values

ALG_AES_MAC_128_NOPAD

public static final byte ALG_AES_MAC_128_NOPAD

Signature algorithm ALG_AES_MAC_128_NOPAD generates a 16-byte MAC using AES with blocksize 128 in CBC mode and does not pad input data. If the input data is not (16-byte) block aligned it throws CryptoException with the reason code ILLEGAL_USE.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_AES_MAC128, Cipher.PAD_NOPAD constants respectively.

See Also:

Constant Field Values

ALG_AES_CMAC_128

public static final byte ALG_AES_CMAC_128

Signature algorithm ALG_AES_CMAC_128 generates a 16-byte Cipher-based MAC (CMAC) using AES with blocksize 128 in CBC mode with ISO9797_M2 padding scheme.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_AES_CMAC_128, Cipher.PAD_ISO9797_M2 constants respectively.

See Also:

Constant Field Values

ALG_DES_MAC4_ISO9797_1_M2_ALG3

public static final byte ALG_DES_MAC4_ISO9797_1_M2_ALG3

Signature algorithm ALG_DES_MAC4_ISO9797_1_M2_ALG3 generates a 4-byte MAC using triple DES with a 2-key DES3 key according to ISO9797-1 MAC algorithm 3 with method 2 (also 3.0, EMV 4.0), where input data is padded using method 2 and the data is processed as described in MAC Algorithm 3 of the ISO 9797-1 specification. The left key block of the triple DES key is used as a single DES key(K) and the right key block of the triple DES key is used as a single DES Key (K') during MAC processing. The final result is truncated to 4 bytes as described in ISO9797-1.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC4, Cipher.PAD_ISO9797_1_M2_ALG3 constants respectively.

Note:

• This algorithm is a triple DES algorithm and requires a 16 byte key (2-key DES3 key)

See Also:

Constant Field Values

ALG_DES_MAC8_ISO9797_1_M2_ALG3

public static final byte ALG_DES_MAC8_ISO9797_1_M2_ALG3

Signature algorithm ALG_DES_MAC8_ISO9797_1_M2_ALG3 generates an 8-byte MAC using triple DES with a 2-key DES3 key according to ISO9797-1 MAC algorithm 3 with method 2 (also EMV 3.0, EMV 4.0), where input data is padded using method 2 and the data is processed as described in MAC Algorithm 3 of the ISO 9797-1 specification. The left key block of the triple DES key is used as a single DES key(K) and the right key block of the triple DES key is used as a single DES Key (K') during MAC processing. The final result is truncated to 8 bytes as described in ISO9797-1.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC8, Cipher.PAD_ISO9797_1_M2_ALG3 constants respectively.

Note:

• This algorithm is a triple DES algorithm and requires a 16 byte key (2-key DES3 key)

See Also:

Constant Field Values

ALG_RSA_SHA_PKCS1_PSS

public static final byte ALG_RSA_SHA_PKCS1_PSS

Signature algorithm ALG_RSA_SHA_PKCS1_PSS generates a 20-byte SHA-1 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-1 digest length i.e 20 bytes and with SHA-1 as the message digest algorithm for MGF1, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA, SIG_CIPHER_RSA, Cipher.PAD_PKCS1_PSS constants respectively.

See Also:

Constant Field Values

ALG_RSA_MD5_PKCS1_PSS

public static final byte ALG_RSA_MD5_PKCS1_PSS

Signature algorithm ALG_RSA_MD5_PKCS1_PSS generates a 16-byte MD5 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the MD5 digest length i.e 16 bytes and with MD5 as the message digest algorithm for MGF1, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_MD5, SIG_CIPHER_RSA, Cipher.PAD_PKCS1_PSS constants respectively.

See Also:

Constant Field Values

ALG_RSA_RIPEMD160_PKCS1_PSS

public static final byte ALG_RSA_RIPEMD160_PKCS1_PSS

Signature algorithm ALG_RSA_RIPEMD160_PKCS1_PSS generates a 20-byte RIPE MD-160 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the RIPE MD-160 digest length i.e 20 bytes and with RIPE MD-160 as the message digest algorithm for MGF1, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_RIPEMD160, SIG_CIPHER_RSA, Cipher.PAD_PKCS1_PSS constants respectively.

See Also:

Constant Field Values

ALG_HMAC_SHA1

public static final byte ALG_HMAC_SHA1

HMAC message authentication algorithm ALG_HMAC_SHA1 This algorithm generates an HMAC following the steps found in RFC: 2104 using SHA1 as the hashing algorithm.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA, SIG_CIPHER_HMAC, Cipher.PAD_NULL constants respectively.

See Also:

Constant Field Values

ALG_HMAC_SHA_256

public static final byte ALG_HMAC_SHA_256

HMAC message authentication algorithm ALG_HMAC_SHA_256 This algorithm generates an HMAC following the steps found in RFC: 2104 using SHA-256 as the hashing algorithm.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_256, SIG_CIPHER_HMAC, Cipher.PAD_NULL constants respectively.

See Also:

Constant Field Values

ALG_HMAC_SHA_384

public static final byte ALG_HMAC_SHA_384

HMAC message authentication algorithm ALG_HMAC_SHA_384 This algorithm generates an HMAC following the steps found in RFC: 2104 using SHA-384 as the hashing algorithm.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_384, SIG_CIPHER_HMAC, Cipher.PAD_NULL constants respectively.

See Also:

Constant Field Values

ALG_HMAC_SHA_512

public static final byte ALG_HMAC_SHA_512

HMAC message authentication algorithm ALG_HMAC_SHA_512 This algorithm generates an HMAC following the steps found in RFC: 2104 using SHA-512 as the hashing algorithm.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_512, SIG_CIPHER_HMAC, Cipher.PAD_NULL constants respectively.

See Also:

Constant Field Values

ALG_HMAC_MD5

public static final byte ALG_HMAC_MD5

HMAC message authentication algorithm ALG_HMAC_MD5 This algorithm generates an HMAC following the steps found in RFC: 2104 using MD5 as the hashing algorithm.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_MD5, SIG_CIPHER_HMAC, Cipher.PAD_NULL constants respectively.

See Also:

Constant Field Values

ALG_HMAC_RIPEMD160

public static final byte ALG_HMAC_RIPEMD160

HMAC message authentication algorithm ALG_HMAC_RIPEMD160 This algorithm generates an HMAC following the steps found in RFC: 2104 using RIPEMD160 as the hashing algorithm.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_RIPEMD160, SIG_CIPHER_HMAC, Cipher.PAD_NULL constants respectively.

See Also:

Constant Field Values

ALG_RSA_SHA_ISO9796_MR

public static final byte ALG_RSA_SHA_ISO9796_MR

Signature algorithm ALG_RSA_SHA_ISO9796_MR generates 20-byte SHA-1 digest, pads it according to the ISO/IEC 9796-2 specification and encrypts using RSA. This algorithm is conformant with EMV 4.0. The signature options are according to Cipher.PAD_ISO9796_MR.

This algorithm uses the first part of the input message as padding bytes during signing. During verification, these message bytes (recoverable message) can be recovered to reconstruct the message.

To use this algorithm the Signature object instance returned by the getInstance method must be cast to the SignatureMessageRecovery interface to invoke the applicable methods.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA, SIG_CIPHER_RSA, Cipher.PAD_ISO9796_MR constants respectively.

See Also:

Constant Field Values

ALG_RSA_RIPEMD160_ISO9796_MR

public static final byte ALG_RSA_RIPEMD160_ISO9796_MR

Signature algorithm ALG_RSA_RIPEMD160_ISO9796_MR generates 20-byte RIPE MD-160 digest, pads it according to the ISO9796-2 specification and encrypts using RSA. The signature options are according to Cipher.PAD_ISO9796_MR.

This algorithm uses the first part of the input message as padding bytes during signing. During verification, these message bytes (recoverable message) can be recovered to reconstruct the message.

To use this algorithm the Signature object instance returned by the getInstance method must be cast to the SignatureMessageRecovery interface to invoke the applicable methods.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_RIPEMD160, SIG_CIPHER_RSA, Cipher.PAD_ISO9796_MR constants respectively.

See Also:

Constant Field Values

ALG_KOREAN_SEED_MAC_NOPAD

public static final byte ALG_KOREAN_SEED_MAC_NOPAD

Signature algorithm ALG_KOREAN_SEED_MAC_NOPAD generates an 16-byte MAC using Korean SEED in CBC mode. This algorithm does not pad input data. If the input data is not (16 byte) block aligned it throws CryptoException with the reason code ILLEGAL_USE.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_KOREAN_SEED_MAC, Cipher.PAD_NOPAD constants respectively.

Note:

• This algorithm must not be implemented if export restrictions apply.

See Also:

Constant Field Values

ALG_ECDSA_SHA_256

public static final byte ALG_ECDSA_SHA_256

Signature algorithm ALG_ECDSA_SHA_256 generates a 32-byte SHA-256 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-256 curve specified in the Digital Signature Standards specification[NIST FIPS PUB 186-2]. The signature is encoded as an ASN.1 sequence of two INTEGER values, r and s, in that order: SEQUENCE ::= { r INTEGER, s INTEGER }

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_256, SIG_CIPHER_ECDSA, Cipher.PAD_NULL constants respectively.

Note:

• This algorithm truncates the SHA-256 digest to the length of the EC key for EC key lengths less than 256 bits in accordance with section 4.1 "Elliptic Curve Digit Signature Algorithm" of the "SEC 1: Elliptic Curve Cryptography" specification

See Also:

Constant Field Values

ALG_ECDSA_SHA_384

public static final byte ALG_ECDSA_SHA_384

Signature algorithm ALG_ECDSA_SHA_384 generates a 48-byte SHA-384 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-384 curve specified in the Digital Signature Standards specification[NIST FIPS PUB 186-2]. The signature is encoded as an ASN.1 sequence of two INTEGER values, r and s, in that order: SEQUENCE ::= { r INTEGER, s INTEGER }

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_384, SIG_CIPHER_ECDSA, Cipher.PAD_NULL constants respectively.

Note:

• This algorithm truncates the SHA-384 digest to the length of the EC key for EC key lengths less than 384 bits in accordance with section 4.1 "Elliptic Curve Digit Signature Algorithm" of the "SEC 1: Elliptic Curve Cryptography" specification

See Also:

Constant Field Values

ALG_AES_MAC_192_NOPAD

@Deprecated
public static final byte ALG_AES_MAC_192_NOPAD

Deprecated.

This Signature algorithm ALG_AES_MAC_192_NOPAD should not be used. AES algorithms as defined by NIST in the FIPS PUB 197 standard only support a block size of 128 bits.

See Also:

Constant Field Values

ALG_AES_MAC_256_NOPAD

@Deprecated
public static final byte ALG_AES_MAC_256_NOPAD

Deprecated.

This Signature algorithm ALG_AES_MAC_256_NOPAD should not be used. AES algorithms as defined by NIST in the FIPS PUB 197 standard only support a block size of 128 bits.

See Also:

Constant Field Values

ALG_ECDSA_SHA_224

public static final byte ALG_ECDSA_SHA_224

Signature algorithm ALG_ECDSA_SHA_224 generates a 28-byte SHA-224 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-224 curve specified in the Digital Signature Standards specification[NIST FIPS PUB 186-2]. The signature is encoded as an ASN.1 sequence of two INTEGER values, r and s, in that order: SEQUENCE ::= { r INTEGER, s INTEGER }

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_224, SIG_CIPHER_ECDSA, Cipher.PAD_NULL constants respectively.

Note:

• This algorithm truncates the SHA-224 digest to the length of the EC key for EC key lengths less than 224 bits in accordance with section 4.1 "Elliptic Curve Digit Signature Algorithm" of the "SEC 1: Elliptic Curve Cryptography" specification

See Also:

Constant Field Values

ALG_ECDSA_SHA_512

public static final byte ALG_ECDSA_SHA_512

Signature algorithm ALG_ECDSA_SHA_512 generates a 64-byte SHA-512 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-521 curve specified in the Digital Signature Standards specification[NIST FIPS PUB 186-2]. The signature is encoded as an ASN.1 sequence of two INTEGER values, r and s, in that order: SEQUENCE ::= { r INTEGER, s INTEGER }

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_512, SIG_CIPHER_ECDSA, Cipher.PAD_NULL constants respectively.

Note:

• This algorithm truncates the SHA-512 digest to the length of the EC key for EC key lengths less than 512 bits in accordance with section 4.1 "Elliptic Curve Digit Signature Algorithm" of the "SEC 1: Elliptic Curve Cryptography" specification

See Also:

Constant Field Values

ALG_RSA_SHA_224_PKCS1

public static final byte ALG_RSA_SHA_224_PKCS1

Signature algorithm ALG_RSA_SHA_224_PKCS1 generates a 28-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_224, SIG_CIPHER_RSA, Cipher.PAD_PKCS1 constants respectively.

Note:

• The encryption block(EB) during signing is built as follows:
  EB = 00 || 01 || PS || 00 || T
  :: where T is the DER encoding of :
  digestInfo ::= SEQUENCE {
  digestAlgorithm AlgorithmIdentifier of SHA-224,
  digest OCTET STRING
  }
  :: PS is an octet string of length k-3-||T|| with value FF. The length of PS must be at least 8 octets.
  :: k is the RSA modulus size.
  DER encoded SHA-224 AlgorithmIdentifier = 30 2d 30 0d 06 09 60 86 48 01 65 03 04 02 04 05 00 04 1c.
  

See Also:

Constant Field Values

ALG_RSA_SHA_256_PKCS1

public static final byte ALG_RSA_SHA_256_PKCS1

Signature algorithm ALG_RSA_SHA_256_PKCS1 generates a 32-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_256, SIG_CIPHER_RSA, Cipher.PAD_PKCS1 constants respectively.

Note:

• The encryption block(EB) during signing is built as follows:
  EB = 00 || 01 || PS || 00 || T
  :: where T is the DER encoding of :
  digestInfo ::= SEQUENCE {
  digestAlgorithm AlgorithmIdentifier of SHA-256,
  digest OCTET STRING
  }
  :: PS is an octet string of length k-3-||T|| with value FF. The length of PS must be at least 8 octets.
  :: k is the RSA modulus size.
  DER encoded SHA-256 AlgorithmIdentifier = 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20.
  

See Also:

Constant Field Values

ALG_RSA_SHA_384_PKCS1

public static final byte ALG_RSA_SHA_384_PKCS1

Signature algorithm ALG_RSA_SHA_384_PKCS1 generates a 48-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_384, SIG_CIPHER_RSA, Cipher.PAD_PKCS1 constants respectively.

Note:

• The encryption block(EB) during signing is built as follows:
  EB = 00 || 01 || PS || 00 || T
  :: where T is the DER encoding of :
  digestInfo ::= SEQUENCE {
  digestAlgorithm AlgorithmIdentifier of SHA-384,
  digest OCTET STRING
  }
  :: PS is an octet string of length k-3-||T|| with value FF. The length of PS must be at least 8 octets.
  :: k is the RSA modulus size.
  DER encoded SHA-384 AlgorithmIdentifier = 30 41 30 0d 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30.
  

See Also:

Constant Field Values

ALG_RSA_SHA_512_PKCS1

public static final byte ALG_RSA_SHA_512_PKCS1

Signature algorithm ALG_RSA_SHA_512_PKCS1 generates a 64-byte SHA digest, pads the digest according to the PKCS#1 (v1.5) scheme, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_512, SIG_CIPHER_RSA, Cipher.PAD_PKCS1 constants respectively.

Note:

• The encryption block(EB) during signing is built as follows:
  EB = 00 || 01 || PS || 00 || T
  :: where T is the DER encoding of :
  digestInfo ::= SEQUENCE {
  digestAlgorithm AlgorithmIdentifier of SHA-512,
  digest OCTET STRING
  }
  :: PS is an octet string of length k-3-||T|| with value FF. The length of PS must be at least 8 octets.
  :: k is the RSA modulus size.
  DER encoded SHA-512 AlgorithmIdentifier = 30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40.
  

See Also:

Constant Field Values

ALG_RSA_SHA_224_PKCS1_PSS

public static final byte ALG_RSA_SHA_224_PKCS1_PSS

Signature algorithm ALG_RSA_SHA_224_PKCS1_PSS generates a 28-byte SHA-224 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-224 digest length i.e 28 bytes and with SHA-224 as the message digest algorithm of MGF1, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_224, SIG_CIPHER_RSA, Cipher.PAD_PKCS1_PSS constants respectively.

See Also:

Constant Field Values

ALG_RSA_SHA_256_PKCS1_PSS

public static final byte ALG_RSA_SHA_256_PKCS1_PSS

Signature algorithm ALG_RSA_SHA_256_PKCS1_PSS generates a 32-byte SHA-256 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-256 digest length i.e 32 bytes and with SHA-256 as the message digest algorithm of MGF1, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_256, SIG_CIPHER_RSA, Cipher.PAD_PKCS1_PSS constants respectively.

See Also:

Constant Field Values

ALG_RSA_SHA_384_PKCS1_PSS

public static final byte ALG_RSA_SHA_384_PKCS1_PSS

Signature algorithm ALG_RSA_SHA_384_PKCS1_PSS generates a 48-byte SHA-384 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-384 digest length i.e 48 bytes and with SHA-384 as the message digest algorithm of MGF1, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_384, SIG_CIPHER_RSA, Cipher.PAD_PKCS1_PSS constants respectively.

See Also:

Constant Field Values

ALG_RSA_SHA_512_PKCS1_PSS

public static final byte ALG_RSA_SHA_512_PKCS1_PSS

Signature algorithm ALG_RSA_SHA_512_PKCS1_PSS generates a 64-byte SHA-512 digest, pads it according to the PKCS#1-PSS scheme (IEEE 1363-2000), with a salt length equal to the SHA-512 digest length i.e 64 bytes and with SHA-512 as the message digest algorithm of MGF1, and encrypts it using RSA.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_SHA_512, SIG_CIPHER_RSA, Cipher.PAD_PKCS1_PSS constants respectively.

See Also:

Constant Field Values

ALG_DES_MAC4_ISO9797_1_M1_ALG3

public static final byte ALG_DES_MAC4_ISO9797_1_M1_ALG3

Signature algorithm ALG_DES_MAC4_ISO9797_1_M1_ALG3 generates a 4-byte MAC using triple DES with a 2-key DES3 key according to ISO9797-1 MAC algorithm 3 with method 1, where input data is padded using method 1 and the data is processed as described in MAC Algorithm 3 of the ISO 9797-1 specification. The left key block of the triple DES key is used as a single DES key(K) and the right key block of the triple DES key is used as a single DES Key (K') during MAC processing. The final result is truncated to 4 bytes as described in ISO9797-1.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC4, Cipher.PAD_ISO9797_1_M1_ALG3 constants respectively.

Note:

• This algorithm is a triple DES algorithm and requires a 16 byte key (2-key DES3 key)

See Also:

Constant Field Values

ALG_DES_MAC8_ISO9797_1_M1_ALG3

public static final byte ALG_DES_MAC8_ISO9797_1_M1_ALG3

Signature algorithm ALG_DES_MAC8_ISO9797_1_M1_ALG3 generates an 8-byte MAC using triple DES with a 2-key DES3 key according to ISO9797-1 MAC algorithm 3 with method 1, where input data is padded using method 1 and the data is processed as described in MAC Algorithm 3 of the ISO 9797-1 specification. The left key block of the triple DES key is used as a single DES key(K) and the right key block of the triple DES key is used as a single DES Key (K') during MAC processing. The final result is truncated to 8 bytes as described in ISO9797-1.

To request this algorithm using the getInstance(byte, byte, byte, boolean) method use the MessageDigest.ALG_NULL, SIG_CIPHER_DES_MAC8, Cipher.PAD_ISO9797_1_M1_ALG3 constants respectively.

Note:

• This algorithm is a triple DES algorithm and requires a 16 byte key (2-key DES3 key)

See Also:

Constant Field Values

SIG_CIPHER_DES_MAC4

public static final byte SIG_CIPHER_DES_MAC4

Cipher algorithm SIG_CIPHER_DES_MAC4 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm generates a 4-byte MAC (most significant 4 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode.

See Also:

Constant Field Values

SIG_CIPHER_DES_MAC8

public static final byte SIG_CIPHER_DES_MAC8

Cipher algorithm SIG_CIPHER_DES_MAC8 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm generates a 8-byte MAC (most significant 8 bytes of encrypted block) using DES in CBC mode or triple DES in outer CBC mode.

See Also:

Constant Field Values

SIG_CIPHER_RSA

public static final byte SIG_CIPHER_RSA

Cipher algorithm SIG_CIPHER_RSA choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm uses the RSA cipher.

See Also:

Constant Field Values

SIG_CIPHER_DSA

public static final byte SIG_CIPHER_DSA

Cipher algorithm SIG_CIPHER_DSA choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm uses the DSA cipher. The signature is encoded as an ASN.1 sequence of two INTEGER values, r and s, in that order: SEQUENCE ::= { r INTEGER, s INTEGER }

See Also:

Constant Field Values

SIG_CIPHER_ECDSA

public static final byte SIG_CIPHER_ECDSA

Cipher algorithm SIG_CIPHER_ECDSA choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm uses the ECDSA cipher.

The signature is encoded as an ASN.1 sequence of two INTEGER values, r and s, in that order: SEQUENCE ::= { r INTEGER, s INTEGER }

Note:

• This algorithm truncates the message digest to the length of the EC key for EC key lengths less than the length of the message digest in accordance with section 4.1 "Elliptic Curve Digit Signature Algorithm" of the "SEC 1: Elliptic Curve Cryptography" specification

See Also:

Constant Field Values

SIG_CIPHER_ECDSA_PLAIN

public static final byte SIG_CIPHER_ECDSA_PLAIN

Cipher algorithm SIG_CIPHER_ECDSA_PLAIN choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm uses the ECDSA cipher.

The signature is encoded as an octet string R || S as specified in section 5.2.1 of BSI TR-03111.

Note:

• This algorithm truncates the message digest to the length of the EC key for EC key lengths less than the length of the message digest in accordance with section 4.1 "Elliptic Curve Digit Signature Algorithm" of the "SEC 1: Elliptic Curve Cryptography" specification

See Also:

Constant Field Values

SIG_CIPHER_AES_MAC128

public static final byte SIG_CIPHER_AES_MAC128

Cipher algorithm SIG_CIPHER_AES_MAC128 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm generates a 16-byte MAC using AES with block size 128 in CBC mode.

See Also:

Constant Field Values

SIG_CIPHER_AES_CMAC128

public static final byte SIG_CIPHER_AES_CMAC128

Cipher algorithm SIG_CIPHER_AES_CMAC128 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm generates a 16-byte Cipher-based MAC (CMAC) using AES with block size 128 in CBC mode.

See Also:

Constant Field Values

SIG_CIPHER_HMAC

public static final byte SIG_CIPHER_HMAC

Cipher algorithm SIG_CIPHER_HMAC choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm generates an HMAC following the steps found in RFC: 2104 using the specified hashing algorithm.

See Also:

Constant Field Values

SIG_CIPHER_KOREAN_SEED_MAC

public static final byte SIG_CIPHER_KOREAN_SEED_MAC

Cipher algorithm SIG_CIPHER_KOREAN_SEED_MAC choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. The signature algorithm generates a 16-byte MAC using Korean SEED in CBC mode.

See Also:

Constant Field Values

SIG_CIPHER_SM2

public static final byte SIG_CIPHER_SM2

Cipher algorithm SIG_CIPHER_SM2 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. Used to generate elliptic curve signature scheme using SM2 curve as defined in GM/T 0003.2-2012 (Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves Part 2: Digital Signature Algorithm).

Since:

3.1

See Also:

Constant Field Values

SIG_CIPHER_SM4_MAC128

public static final byte SIG_CIPHER_SM4_MAC128

Cipher algorithm SIG_CIPHER_SM4_MAC128 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. Used to generate a 128-bit MAC using SM4 algorithm in CBC mode.

See SM4 block cipher algorithm, December 2010 from Organization of State Commercial Administration of China

Since:

3.1

See Also:

Constant Field Values

SIG_CIPHER_EDDSA

public static final byte SIG_CIPHER_EDDSA

Cipher algorithm SIG_CIPHER_EDDSA choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. Used to generate elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (pure EdDSA) with no context / an empty context and for the curves edwards25519 (ed25519 variant) and edwards448 (ed448 variant) defined in RFC 8032.

The parameter messageDigestAlgorithm must be MessageDigest.ALG_NULL and the parameter paddingAlgorithm must be Cipher.PAD_NULL.

The selection of the variant depends on the named curve of the key passed within one of the the init() methods:

• ed25519 variant for a named curve based on ED25519 parameters
• ed448 variant for a named curve based on ED448 parameters

Since:

3.1

See Also:

Constant Field Values

SIG_CIPHER_EDDSAPH

public static final byte SIG_CIPHER_EDDSAPH

Cipher algorithm SIG_CIPHER_EDDSAPH choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. Used to generate elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (pre-hash EdDSA) with an empty context and for the curves edwards25519 (ed25519ph variant) and edwards448 (ed448ph variant) defined in RFC 8032.

The parameter messageDigestAlgorithm must be MessageDigest.ALG_NULL and the parameter paddingAlgorithm must be Cipher.PAD_NULL.

The selection of the variant depends on the named curve of the key passed within one of the the init() methods:

• ed25519ph variant for a named curve based on ED25519 parameters
• ed448ph variant for a named curve based on ED448 parameters

Since:

3.1

See Also:

Constant Field Values

SIG_CIPHER_EDDSA_ED25519

public static final byte SIG_CIPHER_EDDSA_ED25519

Cipher algorithm SIG_CIPHER_EDDSA_ED25519 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. Used to generate elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (pure EdDSA) for the variant ed25519 defined in RFC 8032 (Note: there is no context in this case).

The parameter messageDigestAlgorithm must be MessageDigest.ALG_NULL and the parameter paddingAlgorithm must be Cipher.PAD_NULL.

Since:

3.2

See Also:

Constant Field Values

SIG_CIPHER_EDDSA_ED448

public static final byte SIG_CIPHER_EDDSA_ED448

Cipher algorithm SIG_CIPHER_EDDSA_ED448 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. Used to generate elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (pure EdDSA) with an empty context and for the variant ed448 defined in RFC 8032.

The parameter messageDigestAlgorithm must be MessageDigest.ALG_NULL and the parameter paddingAlgorithm must be Cipher.PAD_NULL.

Since:

3.2

See Also:

Constant Field Values

SIG_CIPHER_EDDSAPH_ED25519

public static final byte SIG_CIPHER_EDDSAPH_ED25519

Cipher algorithm SIG_CIPHER_EDDSAPH_ED25519 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. Used to generate elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (pre-hash EdDSA) with an empty context and for the variant ed25519ph defined in RFC 8032.

The parameter messageDigestAlgorithm must be MessageDigest.ALG_NULL and the parameter paddingAlgorithm must be Cipher.PAD_NULL.

Since:

3.2

See Also:

Constant Field Values

SIG_CIPHER_EDDSAPH_ED448

public static final byte SIG_CIPHER_EDDSAPH_ED448

Cipher algorithm SIG_CIPHER_EDDSAPH_ED448 choice for the cipherAlgorithm parameter of the getInstance(byte, byte, byte, boolean) method. Used to generate elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (pre-hash EdDSA) with an empty context and for the variant ed448 defined in RFC 8032.

The parameter messageDigestAlgorithm must be MessageDigest.ALG_NULL and the parameter paddingAlgorithm must be Cipher.PAD_NULL.

Since:

3.2

See Also:

Constant Field Values

MODE_SIGN

public static final byte MODE_SIGN

Used in init() methods to indicate signature sign mode.

See Also:

Constant Field Values

MODE_VERIFY

public static final byte MODE_VERIFY

Used in init() methods to indicate signature verify mode.

See Also:

Constant Field Values

Constructor Detail

Signature

protected Signature()

Protected Constructor

Method Detail

getInstance

public static final Signature getInstance(byte algorithm,
                                          boolean externalAccess)
                                   throws CryptoException

Creates a Signature object instance of the selected algorithm.

Parameters:

algorithm - the desired Signature algorithm. Valid codes listed in ALG_* constants above e.g. ALG_DES_MAC4_NOPAD.

externalAccess - true indicates that the instance will be shared among multiple applet instances and that the Signature instance will also be accessed (via a Shareable interface) when the owner of the Signature instance is not the currently selected applet. If true the implementation must not allocate CLEAR_ON_DESELECT transient space for internal data.

Returns:

the Signature object instance of the requested algorithm

Throws:

CryptoException - with the following reason codes:

• CryptoException.NO_SUCH_ALGORITHM if the requested algorithm or shared access mode is not supported.

See Also:

getInstance(byte, byte, byte, boolean), getAlgorithm()

getInstance

public static final Signature getInstance(byte messageDigestAlgorithm,
                                          byte cipherAlgorithm,
                                          byte paddingAlgorithm,
                                          boolean externalAccess)
                                   throws CryptoException

Creates a Signature object instance with the selected message digest algorithm, cipher algorithm and padding algorithm.

Note:

• Note that the cipher algorithms listed in the Signature class include some choices not available directly as a Cipher - e.g DSA.
• When there is no discrete message digest algorithm, use the MessageDigest.ALG_NULL choice for the message digest algorithm.
• When the padding algorithm is built into the cipher algorithm use the PAD_NULL choice for the padding algorithm.

Parameters:

messageDigestAlgorithm - the desired message digest algorithm. Valid codes listed in ALG_* constants in the MessageDigest class e.g. ALG_NULL.

cipherAlgorithm - the desired cipher algorithm. Valid codes listed in SIG_CIPHER_* constants in this class e.g. SIG_CIPHER_DES_MAC4.

paddingAlgorithm - the desired padding algorithm. Valid codes listed in PAD_* constants in the Cipher class e.g. PAD_NULL.

externalAccess - true indicates that the instance will be shared among multiple applet instances and that the Signature instance will also be accessed (via a Shareable interface) when the owner of the Signature instance is not the currently selected applet. If true the implementation must not allocate CLEAR_ON_DESELECT transient space for internal data.

Returns:

the Signature object instance of the requested algorithm

Throws:

CryptoException - with the following reason codes:

• CryptoException.NO_SUCH_ALGORITHM if the requested message digest algorithm or cipher algorithm or padding algorithm or their combination or the requested shared access mode is not supported.

Since:

3.0.4

See Also:

getInstance(byte, boolean), getMessageDigestAlgorithm(), getCipherAlgorithm(), getPaddingAlgorithm()

init

public abstract void init(Key theKey,
                          byte theMode)
                   throws CryptoException

Initializes the Signature object with the appropriate Key. This method should be used for algorithms which do not need initialization parameters or use default parameter values.

init() must be used to update the Signature object with a new key. If the Key object is modified after invoking the init() method, the behavior of the update(), sign(), and verify() methods is unspecified.

The Key is checked for consistency with the Signature algorithm. For example, the key type must be matched. For elliptic curve algorithms, the key must represent a valid point on the curve's domain parameters. Additional key component/domain parameter strength checks are implementation specific.

Note:

• AES, DES, triple DES, and Korean SEED algorithms in CBC mode will use 0 for initial vector(IV) if this method is used.

Parameters:

theKey - the key object to use for signing or verifying

theMode - one of MODE_SIGN or MODE_VERIFY

Throws:

CryptoException - with the following reason codes:

• CryptoException.ILLEGAL_VALUE if theMode option is an undefined value or if the Key is inconsistent with theMode or with the Signature implementation.
• CryptoException.UNINITIALIZED_KEY if theKey instance is uninitialized.
• CryptoException.ILLEGAL_USE if theMode is not allowed by this Signature algorithm.

init

public abstract void init(Key theKey,
                          byte theMode,
                          byte[] bArray,
                          short bOff,
                          short bLen)
                   throws CryptoException

Initializes the Signature object with the appropriate Key and algorithm specific parameters.

init() must be used to update the Signature object with a new key. If the Key object is modified after invoking the init() method, the behavior of the update(), sign(), and verify() methods is unspecified.

The Key is checked for consistency with the Signature algorithm. For example, the key type must be matched. For elliptic curve algorithms, the key must represent a valid point on the curve's domain parameters. Additional key component/domain parameter strength checks are implementation specific.

Note:

• DES and triple DES algorithms in CBC mode expect an 8-byte parameter value for the initial vector(IV) in bArray.
• AES algorithms, except for ALG_AES_CMAC_128, in CBC mode expect a 16-byte parameter value for the initial vector(IV) in bArray.
• Korean SEED algorithms in CBC mode expect a 16-byte parameter value for the initial vector(IV) in bArray.
• ECDSA, DSA and HMAC algorithms throw CryptoException.ILLEGAL_VALUE.
• For RSA:
  • algorithms using the padding scheme PAD_PKCS1_PSS expect a two-byte parameter value (b1 b2) for the salt length in bArray. This two-byte parameter represents a short value where b1 is the first byte (high order byte) and b2 is the second byte (low order byte)
  • algorithms using the padding scheme PAD_PKCS1_PSS_EXT_PARAMETERS expect a three-byte parameter value (b1 b2 b3) for the salt length and the MGF1 digest algorithm in bArray. The first two bytes parameter represents a short value of the salt length where b1 is the first byte (high order byte) and b2 is the second byte (low order byte). The third byte parameter b3 represents the MGF1 digest algorithm (Valid codes listed in ALG_* constants in the MessageDigest class or 0xFF). Notes:
    • if b1b2 is equal to 0xFFFF, the salt length must fall back to the default value i.e the salt length is equal to the length of the message digest of the PSS scheme
    • if b3 is equal to 0xFF, the MGF1 digest algorithm must fall back to the default value i.e the digest algorithm of the PSS scheme
  • all other algorithms throw CryptoException.ILLEGAL_VALUE
• For EDDSA:
  • algorithms with a context parameter expect a 0 to 255-byte parameter value for the context value
  • algorithms without a context parameter i.e SIG_CIPHER_EDDSA for the variant ed25519 and SIG_CIPHER_EDDSA_ED25519 throw CryptoException.ILLEGAL_VALUE

Parameters:

theKey - the key object to use for signing

theMode - one of MODE_SIGN or MODE_VERIFY

bArray - byte array containing algorithm specific initialization information

bOff - offset within bArray where the algorithm specific data begins

bLen - byte length of algorithm specific parameter data

Throws:

CryptoException - with the following reason codes:

• CryptoException.NO_SUCH_ALGORITHM if the specified algorithm parameters are not supported that is when the specified digest algorithm for MGF1 is not supported in case of RSA algorithms with the padding scheme PAD_PKCS1_PSS_EXT_PARAMETERS.
• CryptoException.ILLEGAL_VALUE if theMode option is an undefined value or if a byte array parameter option is not supported by the algorithm or if the bLen is an incorrect byte length for the algorithm specific data or if the Key is inconsistent with theMode or with the Signature implementation.
• CryptoException.UNINITIALIZED_KEY if theKey instance is uninitialized.
• CryptoException.ILLEGAL_USE if theMode is not allowed by this Signature algorithm.

setInitialDigest

public abstract void setInitialDigest(byte[] state,
                                      short stateOffset,
                                      short stateLength,
                                      byte[] digestedMsgLenBuf,
                                      short digestedMsgLenOffset,
                                      short digestedMsgLenLength)
                               throws CryptoException

This method initializes the starting hash value in place of the default value used by the Signature class. The starting hash value represents the previously computed hash (using the same algorithm) of the first part of the message. The remaining bytes of the message must be presented to this Signature object via the update and sign or verify methods to generate or verify the signature.

Note:

• The maximum allowed value of the byte length of the first part of the message is algorithm specific
• This method throws an exception if the underlying signature algorithm does not compute a distinct message digest value prior to applying cryptographic primitives. These algorithms throw exception - DES, triple DES, AES, HMAC and KOREAN SEED.

Parameters:

state - input buffer containing the starting hash value representing the previously computed hash (using the same algorithm) of first part of the message

stateOffset - offset into state array where the starting digest value data begins

stateLength - the length of data in state array.

digestedMsgLenBuf - the byte array containing the number of bytes in the first part of the message that has previously been hashed to obtain the specified starting digest value

digestedMsgLenOffset - the offset within digestedMsgLenBuf where the digested length begins(the bytes starting at this offset for digestedMsgLenLength bytes are concatenated to form the actual digested message length value)

digestedMsgLenLength - byte length of the digested length

Throws:

CryptoException - with the following reason codes:

• CryptoException.ILLEGAL_VALUE if the parameter stateLength is not equal to the intermediate hash value size of the algorithm or if the number of bytes in the first part of the message that has previously been hashed is 0 or not a multiple of the algorithm's block size or greater than the maximum length supported by the algorithm (see ALG_* algorithm descriptions MessageDigest.ALG_SHA).
• CryptoException.ILLEGAL_USE if the Signature algorithm does not compute a distinct message digest value prior to applying cryptographic primitives or if this Signature algorithm includes message recovery functionality.

Since:

3.0.4

getAlgorithm

public abstract byte getAlgorithm()

Gets the Signature algorithm. Pre-defined codes listed in ALG_* constants above, for example, ALG_DES_MAC4_NOPAD.

Returns:

the algorithm code defined above; if the algorithm is not one of the pre-defined algorithms, 0 is returned.

getMessageDigestAlgorithm

public abstract byte getMessageDigestAlgorithm()

Gets the message digest algorithm. Pre-defined codes listed in ALG_* constants in the MessageDigest class e.g. ALG_NULL.

Returns:

the message digest algorithm code defined in the MessageDigest class; if the algorithm is not one of the pre-defined algorithms, 0 is returned.

Since:

3.0.5

getCipherAlgorithm

public abstract byte getCipherAlgorithm()

Gets the cipher algorithm. Pre-defined codes listed in SIG_CIPHER_* constants in this class e.g. SIG_CIPHER_DES_MAC4.

Returns:

the cipher algorithm code defined above; if the algorithm is not one of the pre-defined algorithms, 0 is returned.

Since:

3.0.5

getPaddingAlgorithm

public abstract byte getPaddingAlgorithm()

Gets the padding algorithm. Pre-defined codes listed in PAD_* constants in the Cipher class e.g. PAD_NULL.

Returns:

the padding algorithm code defined in the Cipher class; if the algorithm is not one of the pre-defined algorithms, 0 is returned.

Since:

3.0.5

getLength

public abstract short getLength()
                         throws CryptoException

Returns the byte length of the signature data.

Note:

• For DSA and ECDSA signatures encoded as an ASN.1 sequence of two INTEGER values, r and s (SEQUENCE ::= { r INTEGER, s INTEGER }), the signature length may vary since r and s are signed values. In this case, the returned length must be the maximum possible length of the ASN.1 sequence. It allows an applet to prepare a buffer long enough to hold the signature in any case.

Returns:

the byte length of the signature data

Throws:

CryptoException - with the following reason codes:

• CryptoException.INVALID_INIT if this Signature object is not initialized.
• CryptoException.UNINITIALIZED_KEY if key not initialized.

update

public abstract void update(byte[] inBuff,
                            short inOffset,
                            short inLength)
                     throws CryptoException

Accumulates a signature of the input data. This method requires temporary storage of intermediate results. In addition, if the input data length is not block aligned (multiple of block size) then additional internal storage may be allocated at this time to store a partial input data block. This may result in additional resource consumption and/or slow performance. This method should only be used if all the input data required for signing/verifying is not available in one byte array. If all of the input data required for signing/verifying is located in a single byte array, use of the sign() or verify() method is recommended. The sign() or verify() method must be called to complete processing of input data accumulated by one or more calls to the update() method.

Note:

• If inLength is 0 this method does nothing.

Parameters:

inBuff - the input buffer of data to be signed/verified

inOffset - the offset into the input buffer where input data begins

inLength - the byte length to sign/verify

Throws:

CryptoException - with the following reason codes:

• CryptoException.UNINITIALIZED_KEY if key not initialized.
• CryptoException.INVALID_INIT if this Signature object is not initialized.
• CryptoException.ILLEGAL_USE if the message value is not supported by the Signature algorithm or if a message value consistency check failed.

See Also:

sign(byte[], short, short, byte[], short), verify(byte[], short, short, byte[], short, short)

sign

public abstract short sign(byte[] inBuff,
                           short inOffset,
                           short inLength,
                           byte[] sigBuff,
                           short sigOffset)
                    throws CryptoException

Generates the signature of all/last input data.

A call to this method also resets this initialized Signature object to a state where:

• the key and the mode are the same as when previously initialized via a call to init(Key, byte) or init(Key, byte, byte[], short, short).
• other initial values are the same default values as after a call to init(Key, byte). For example:
  • AES, DES, triple DES, Korean SEED and SM4 algorithms used in modes requiring an initial vector (like CBC, CFB, CTR, XTS modes) will use 0 for initial vector(IV).
  • RSA algorithm used with the PKCS#1-PSS scheme, will use default values for the salt length and the default message digest algorithm for MGF1 as specified in the description of the related constants.
  • EDDSA algorithms will use the default value for the context as defined in the description of the related constants.

That is, the object is reset and available to sign another message. The byte array containing algorithm specific initialization information can be re-initialized using the init(Key, byte, byte[], short, short) method.

The input and output buffer data may overlap.

In addition to returning a short result, this method sets the result in an internal state which can be rechecked using assertion methods of the SensitiveResult class, if supported by the platform.

Parameters:

inBuff - the input buffer of data to be signed

inOffset - the offset into the input buffer at which to begin signature generation

inLength - the byte length to sign

sigBuff - the output buffer to store signature data

sigOffset - the offset into sigBuff at which to begin signature data

Returns:

number of bytes of signature output in sigBuff

Throws:

CryptoException - with the following reason codes:

• CryptoException.UNINITIALIZED_KEY if key not initialized.
• CryptoException.INVALID_INIT if this Signature object is not initialized or initialized for signature verify mode.
• CryptoException.ILLEGAL_USE if one of the following conditions is met:
  • if this Signature algorithm does not pad the message and the message is not block aligned.
  • if this Signature algorithm does not pad the message and no input data has been provided in inBuff or via the update() method.
  • if the message value is not supported by the Signature algorithm or if a message value consistency check failed.
  • if this Signature algorithm includes message recovery functionality.

signPreComputedHash

public abstract short signPreComputedHash(byte[] hashBuff,
                                          short hashOffset,
                                          short hashLength,
                                          byte[] sigBuff,
                                          short sigOffset)
                                   throws CryptoException

Generates the signature of the precomputed hash data.

A call to this method also resets this initialized Signature object to a state where:

• the key and the mode are the same as when previously initialized via a call to init(Key, byte) or init(Key, byte, byte[], short, short).
• other initial values are the same default values as after a call to init(Key, byte). For example:
  • AES, DES, triple DES, Korean SEED and SM4 algorithms used in modes requiring an initial vector (like CBC, CFB, CTR, XTS modes) will use 0 for initial vector(IV).
  • RSA algorithm used with the PKCS#1-PSS scheme, will use default values for the salt length and the default message digest algorithm for MGF1 as specified in the description of the related constants.

That is, the object is reset and available to sign another precomputed hash. The byte array containing algorithm specific initialization information can be re-initialized using the init(Key, byte, byte[], short, short) method.

Note:

• This method throws an exception if the underlying signature algorithm does not compute a distinct message digest value prior to applying cryptographic primitives. These algorithms throw exception - DES, triple DES, AES, HMAC, KOREAN SEED and EDDSA.
• Any data previously accumulated from previous calls to the update method are discarded.

The hash and output buffer data may overlap.

In addition to returning a short result, this method sets the result in an internal state which can be rechecked using assertion methods of the SensitiveResult class, if supported by the platform.

Parameters:

hashBuff - the input buffer of precomputed hash to be signed

hashOffset - the offset into the buffer where the hash begins

hashLength - the byte length of the hash

sigBuff - the output buffer to store signature data

sigOffset - the offset into sigBuff at which to begin signature data

Returns:

number of bytes of signature output in sigBuff

Throws:

CryptoException - with the following reason codes:

• CryptoException.UNINITIALIZED_KEY if key not initialized.
• CryptoException.INVALID_INIT if this Signature object is not initialized or initialized for signature verify mode.
• CryptoException.ILLEGAL_USE if one of the following conditions is met:
  • if the hashLength value is not equal to the length of the algorithm's message digest length.
  • if this Signature algorithm includes message recovery functionality.
  • if the Signature algorithm does not compute a distinct message digest value prior to applying cryptographic primitives, e.g. EDDSA

verify

public abstract boolean verify(byte[] inBuff,
                               short inOffset,
                               short inLength,
                               byte[] sigBuff,
                               short sigOffset,
                               short sigLength)
                        throws CryptoException

Verifies the signature of all/last input data against the passed in signature.

A call to this method also resets this initialized Signature object to a state where:

• the key and the mode are the same as when previously initialized via a call to init(Key, byte) or init(Key, byte, byte[], short, short).
• other initial values are the same default values as after a call to init(Key, byte). For example:
  • AES, DES, triple DES, Korean SEED and SM4 algorithms used in modes requiring an initial vector (like CBC, CFB, CTR, XTS modes) will use 0 for initial vector(IV).
  • RSA algorithm used with the PKCS#1-PSS scheme, will use default values for the salt length and the default message digest algorithm for MGF1 as specified in the description of the related constants.
  • EDDSA algorithms will use the default value for the context as defined in the description of the related constants.

That is, the object is reset and available to verify another message. The byte array containing algorithm specific initialization information can be re-initialized using the init(Key, byte, byte[], short, short) method.

In addition to returning a boolean result, this method sets the result in an internal state which can be rechecked using assertion methods of the SensitiveResult class, if supported by the platform.

Parameters:

inBuff - the input buffer of data to be verified

inOffset - the offset into the input buffer at which to begin signature generation

inLength - the byte length to sign

sigBuff - the input buffer containing signature data

sigOffset - the offset into sigBuff where signature data begins

sigLength - the byte length of the signature data

Returns:

true if the signature verifies, false otherwise. Note, if sigLength is inconsistent with this Signature algorithm, false is returned.

Throws:

CryptoException - with the following reason codes:

• CryptoException.UNINITIALIZED_KEY if key not initialized.
• CryptoException.INVALID_INIT if this Signature object is not initialized or initialized for signature sign mode.
• CryptoException.ILLEGAL_USE if one of the following conditions is met:
  • if this Signature algorithm does not pad the message and the message is not block aligned.
  • if this Signature algorithm does not pad the message and no input data has been provided in inBuff or via the update() method.
  • if the message value is not supported by the Signature algorithm or if a message value consistency check failed.
  • if this Signature algorithm includes message recovery functionality.

verifyPreComputedHash

public abstract boolean verifyPreComputedHash(byte[] hashBuff,
                                              short hashOffset,
                                              short hashLength,
                                              byte[] sigBuff,
                                              short sigOffset,
                                              short sigLength)
                                       throws CryptoException

Verifies the signature of precomputed hash data.

A call to this method also resets this initialized Signature object to a state where:

• the key and the mode are the same as when previously initialized via a call to init(Key, byte) or init(Key, byte, byte[], short, short).
• other initial values are the same default values as after a call to init(Key, byte). For example:
  • AES, DES, triple DES, Korean SEED and SM4 algorithms used in modes requiring an initial vector (like CBC, CFB, CTR, XTS modes) will use 0 for initial vector(IV).
  • RSA algorithm used with the PKCS#1-PSS scheme, will use default values for the salt length and the default message digest algorithm for MGF1 as specified in the description of the related constants.

That is, the object is reset and available to verify another precomputed hash. The byte array containing algorithm specific initialization information can be re-initialized using the init(Key, byte, byte[], short, short) method.

Note:

• This method throws an exception if the underlying signature algorithm does not compute a distinct message digest value prior to applying cryptographic primitives. These algorithms throw exception - DES, triple DES, AES, HMAC, KOREAN SEED and EDDSA.
• Any data previously accumulated from previous calls to the update method are discarded.

The hash and output buffer data may overlap.

In addition to returning a boolean result, this method sets the result in an internal state which can be rechecked using assertion methods of the SensitiveResult class, if supported by the platform.

Parameters:

hashBuff - the input buffer of precomputed hash to be verified

hashOffset - the offset into the buffer where the hash begins

hashLength - the byte length of the hash

sigBuff - the input buffer containing signature data

sigOffset - the offset into sigBuff where signature data begins

sigLength - the byte length of the signature data

Returns:

true if the signature verifies, false otherwise. Note, if sigLength is inconsistent with this Signature algorithm, false is returned.

Throws:

CryptoException - with the following reason codes:

• CryptoException.UNINITIALIZED_KEY if key not initialized.
• CryptoException.INVALID_INIT if this Signature object is not initialized or initialized for signature sign mode.
• CryptoException.ILLEGAL_USE if one of the following conditions is met:
  • if the hashLength value is not equal to the length of the algorithm's message digest length.
  • if this Signature algorithm includes message recovery functionality.
  • if the Signature algorithm does not compute a distinct message digest value prior to applying cryptographic primitives, e.g. EDDSA