diff options
Diffstat (limited to 'libraries/spongycastle/jce/src/main/java/javax/crypto/spec/PBEKeySpec.java')
-rw-r--r-- | libraries/spongycastle/jce/src/main/java/javax/crypto/spec/PBEKeySpec.java | 222 |
1 files changed, 222 insertions, 0 deletions
diff --git a/libraries/spongycastle/jce/src/main/java/javax/crypto/spec/PBEKeySpec.java b/libraries/spongycastle/jce/src/main/java/javax/crypto/spec/PBEKeySpec.java new file mode 100644 index 000000000..3727031bc --- /dev/null +++ b/libraries/spongycastle/jce/src/main/java/javax/crypto/spec/PBEKeySpec.java @@ -0,0 +1,222 @@ +package javax.crypto.spec; + +import java.security.spec.KeySpec; + +import javax.crypto.SecretKeyFactory; + +/** + * A user-chosen password that can be used with password-based encryption (PBE). + * <p> + * The password can be viewed as some kind of raw key material, from which the + * encryption mechanism that uses it derives a cryptographic key. + * <p> + * Different PBE mechanisms may consume different bits of each password + * character. For example, the PBE mechanism defined in PKCS #5 looks at only + * the low order 8 bits of each character, whereas PKCS #12 looks at all 16 bits + * of each character. + * <p> + * You convert the password characters to a PBE key by creating an instance of + * the appropriate secret-key factory. For example, a secret-key factory for + * PKCS #5 will construct a PBE key from only the low order 8 bits of each + * password character, whereas a secret-key factory for PKCS #12 will take all + * 16 bits of each character. + * <p> + * Also note that this class stores passwords as char arrays instead of String + * objects (which would seem more logical), because the String class is + * immutable and there is no way to overwrite its internal value when the + * password stored in it is no longer needed. Hence, this class requests the + * password as a char array, so it can be overwritten when done. + * + * @see SecretKeyFactory + * @see PBEParameterSpec + */ +public class PBEKeySpec + implements KeySpec +{ + + private char[] password; + + private byte[] salt; + + private int iterationCount; + + private int keyLength; + + private boolean isPasswordCleared; + + /** + * Constructor that takes a password. An empty char[] is used if null is + * specified. + * <p> + * Note: password is cloned before it is stored in the new PBEKeySpec + * object. + * + * @param password - + * the password. + */ + public PBEKeySpec(char[] password) + { + if (password == null) + { + this.password = new char[0]; + } + else + { + this.password = new char[password.length]; + + System.arraycopy(password, 0, this.password, 0, password.length); + } + } + + /** + * Returns a copy of the password. + * <p> + * Note: this method returns a copy of the password. It is the caller's + * responsibility to zero out the password information after it is no longer + * needed. + * + * @return the password + * @throws IllegalStateException - + * if password has been cleared by calling clearPassword method. + */ + public final char[] getPassword() + { + if (isPasswordCleared) + { + throw new IllegalStateException("Password has been cleared"); + } + return password; + } + + /** + * Constructor that takes a password, salt, iteration count, and + * to-be-derived key length for generating PBEKey of variable-key-size PBE + * ciphers. An empty char[] is used if null is specified for password. + * <p> + * Note: the password and salt are cloned before they are stored in the new + * PBEKeySpec object. + * + * + * @param password + * password - the password. + * @param salt + * salt - the salt. + * @param iterationCount + * iterationCount - the iteration count. + * @param keyLength + * keyLength - the to-be-derived key length. + * @throws NullPointerException - + * if salt is null. + * @throws IllegalArgumentException - + * if salt is empty, i.e. 0-length, iterationCount or keyLength + * is not positive. + */ + public PBEKeySpec(char[] password, byte[] salt, int iterationCount, int keyLength) + { + this(password); + if (salt == null) + { + throw new NullPointerException("salt is null"); + } + if (salt.length == 0) + { + throw new IllegalArgumentException("salt is empty"); + } + if (iterationCount < 0) + { + throw new IllegalArgumentException("iterationCount is not positive"); + } + if (keyLength < 0) + { + throw new IllegalArgumentException("keyLength is not positive"); + } + this.keyLength = keyLength; + this.iterationCount = iterationCount; + this.salt = (byte[]) salt.clone(); + } + + /** + * Constructor that takes a password, salt, iteration count for generating + * PBEKey of fixed-key-size PBE ciphers. An empty char[] is used if null is + * specified for password. + * <p> + * Note: the password and salt are cloned before they are stored in the new + * PBEKeySpec object. + * + * @param password - + * the password. + * @param salt - + * the salt. + * @param iterationCount - + * the iteration count. + * @throws NullPointerException - + * if salt is null. + * @throws IllegalArgumentException - + * if salt is empty, i.e. 0-length, or iterationCount is not + * positive. + */ + public PBEKeySpec(char[] password, byte[] salt, int iterationCount) + { + this(password, salt, iterationCount, 0); + } + + /** + * Clears the internal copy of the password. + */ + public final void clearPassword() + { + for (int i = 0; i < password.length; i++) + { + password[i] = 0; + } + password = null; + isPasswordCleared = true; + } + + /** + * Returns a copy of the salt or null if not specified. + * + * Note: this method should return a copy of the salt. It is the caller's + * responsibility to zero out the salt information after it is no longer + * needed. + * + * @return the salt. + */ + public final byte[] getSalt() + { + if (salt != null) + { + byte[] tmp = new byte[salt.length]; + + System.arraycopy(salt, 0, tmp, 0, salt.length); + + return tmp; + } + + return null; + } + + /** + * Returns the iteration count or 0 if not specified. + * + * @return the iteration count. + */ + public final int getIterationCount() + { + return iterationCount; + } + + /** + * Returns the to-be-derived key length or 0 if not specified. + * <p> + * Note: this is used to indicate the preference on key length for + * variable-key-size ciphers. The actual key size depends on each provider's + * implementation. + * + * @return the to-be-derived key length. + */ + public final int getKeyLength() + { + return keyLength; + } +} |