public class Crypto
This object controls and provides the available and supported signature schemes for Corda.
Any implemented class SignatureScheme
should be strictly defined here.
However, only the schemes returned by {@link #listSupportedSignatureSchemes()} are supported.
Note that Corda currently supports the following signature schemes by their code names:
class SignatureScheme
Modifier and Type | Field and Description |
---|---|
static Crypto |
INSTANCE
This object controls and provides the available and supported signature schemes for Corda.
Any implemented
class SignatureScheme should be strictly defined here.
However, only the schemes returned by {@link #listSupportedSignatureSchemes()} are supported.
Note that Corda currently supports the following signature schemes by their code names: |
Modifier and Type | Method and Description |
---|---|
java.security.PrivateKey |
decodePrivateKey(byte[] encodedKey)
Decode a PKCS8 encoded key to its PrivateKey object.
Use this method if the key type is a-priori unknown.
|
java.security.PrivateKey |
decodePrivateKey(java.lang.String schemeCodeName,
byte[] encodedKey)
Decode a PKCS8 encoded key to its PrivateKey object based on the input scheme code name.
This should be used when the type key is known, e.g. during deserialisation or with key caches or key managers.
|
java.security.PrivateKey |
decodePrivateKey(SignatureScheme signatureScheme,
byte[] encodedKey)
Decode a PKCS8 encoded key to its PrivateKey object based on the input scheme code name.
This should be used when the type key is known, e.g. during deserialisation or with key caches or key managers.
|
java.security.PublicKey |
decodePublicKey(byte[] encodedKey)
Decode an X509 encoded key to its PublicKey object.
Use this method if the key type is a-priori unknown.
|
java.security.PublicKey |
decodePublicKey(java.lang.String schemeCodeName,
byte[] encodedKey)
Decode an X509 encoded key to its PrivateKey object based on the input scheme code name.
This should be used when the type key is known, e.g. during deserialisation or with key caches or key managers.
|
java.security.PublicKey |
decodePublicKey(SignatureScheme signatureScheme,
byte[] encodedKey)
Decode an X509 encoded key to its PrivateKey object based on the input scheme code name.
This should be used when the type key is known, e.g. during deserialisation or with key caches or key managers.
|
java.security.KeyPair |
deriveKeyPair(SignatureScheme signatureScheme,
java.security.PrivateKey privateKey,
byte[] seed)
Deterministically generate/derive a KeyPair using an existing private key and a seed as inputs.
This operation is currently supported for ECDSA secp256r1 (NIST P-256), ECDSA secp256k1 and EdDSA ed25519.
|
java.security.KeyPair |
deriveKeyPair(java.security.PrivateKey privateKey,
byte[] seed)
Deterministically generate/derive a KeyPair using an existing private key and a seed as inputs.
Use this method if the
class SignatureScheme of the private key input is not known. |
java.security.KeyPair |
deriveKeyPairFromEntropy(SignatureScheme signatureScheme,
java.math.BigInteger entropy)
Returns a key pair derived from the given BigInteger entropy. This is useful for unit tests
and other cases where you want hard-coded private keys.
Currently, the following schemes are supported:
Crypto.getEDDSA_ED25519_SHA512 , Crypto.getECDSA_SECP256R1_SHA256 and Crypto.getECDSA_SECP256K1_SHA256 . |
java.security.KeyPair |
deriveKeyPairFromEntropy(java.math.BigInteger entropy)
Returns a
Crypto.getDEFAULT_SIGNATURE_SCHEME key pair derived from the given BigInteger entropy. |
byte[] |
doSign(java.security.PrivateKey privateKey,
byte[] clearData)
Generic way to sign ByteArray data with a PrivateKey. Strategy on on identifying the actual signing scheme is based
on the PrivateKey type, but if the schemeCodeName is known, then better use
doSign(signatureScheme: String, privateKey: PrivateKey, clearData: ByteArray).
|
byte[] |
doSign(java.lang.String schemeCodeName,
java.security.PrivateKey privateKey,
byte[] clearData)
|
byte[] |
doSign(SignatureScheme signatureScheme,
java.security.PrivateKey privateKey,
byte[] clearData)
|
TransactionSignature |
doSign(java.security.KeyPair keyPair,
SignableData signableData)
Generic way to sign
class SignableData objects with a PrivateKey.
class SignableData is a wrapper over the transaction's id (Merkle root) in order to attach extra information, such as
a timestamp or partial and blind signature indicators. |
boolean |
doVerify(java.lang.String schemeCodeName,
java.security.PublicKey publicKey,
byte[] signatureData,
byte[] clearData)
Utility to simplify the act of verifying a digital signature.
It returns true if it succeeds, but it always throws an exception if verification fails.
|
boolean |
doVerify(java.security.PublicKey publicKey,
byte[] signatureData,
byte[] clearData)
Utility to simplify the act of verifying a digital signature by identifying the signature scheme used from the input public key's type.
It returns true if it succeeds, but it always throws an exception if verification fails.
Strategy on identifying the actual signing scheme is based on the PublicKey type, but if the schemeCodeName is known,
then better use doVerify(schemeCodeName: String, publicKey: PublicKey, signatureData: ByteArray, clearData: ByteArray).
|
boolean |
doVerify(SignatureScheme signatureScheme,
java.security.PublicKey publicKey,
byte[] signatureData,
byte[] clearData)
Method to verify a digital signature.
It returns true if it succeeds, but it always throws an exception if verification fails.
|
boolean |
doVerify(SecureHash txId,
TransactionSignature transactionSignature)
Utility to simplify the act of verifying a
class TransactionSignature .
It returns true if it succeeds, but it always throws an exception if verification fails. |
java.security.Provider |
findProvider(java.lang.String name) |
SignatureScheme |
findSignatureScheme(NonExistentClass algorithm) |
SignatureScheme |
findSignatureScheme(int schemeNumberID)
Find
class SignatureScheme by platform specific schemeNumberID. |
SignatureScheme |
findSignatureScheme(java.lang.String schemeCodeName)
Factory pattern to retrieve the corresponding
class SignatureScheme based on SignatureScheme.schemeCodeName.
This function is usually called by key generators and verify signature functions.
In case the input is not a key in the supportedSignatureSchemes map, null will be returned. |
SignatureScheme |
findSignatureScheme(java.security.PublicKey key)
Retrieve the corresponding
class SignatureScheme based on the type of the input Key.
This function is usually called when requiring to verify signatures and the signing schemes must be defined.
For the supported signature schemes see class Crypto . |
SignatureScheme |
findSignatureScheme(java.security.PrivateKey key)
Retrieve the corresponding
class SignatureScheme based on the type of the input Key.
This function is usually called when requiring to verify signatures and the signing schemes must be defined.
For the supported signature schemes see class Crypto . |
java.security.KeyPair |
generateKeyPair(java.lang.String schemeCodeName)
Utility to simplify the act of generating keys.
Normally, we don't expect other errors here, assuming that key generation parameters for every supported signature scheme have been unit-tested.
|
java.security.KeyPair |
generateKeyPair(SignatureScheme signatureScheme)
Generate a KeyPair for the selected
class SignatureScheme .
Note that RSA is the sole algorithm initialized specifically by its supported keySize. |
SignatureScheme |
getCOMPOSITE_KEY()
Corda
class CompositeKey signature type. |
SignatureScheme |
getDEFAULT_SIGNATURE_SCHEME()
Our default signature scheme if no algorithm is specified (e.g. for key generation).
|
SignatureScheme |
getECDSA_SECP256K1_SHA256()
ECDSA signature scheme using the secp256k1 Koblitz curve and SHA256 for message hashing.
|
SignatureScheme |
getECDSA_SECP256R1_SHA256()
ECDSA signature scheme using the secp256r1 (NIST P-256) curve and SHA256 for message hashing.
|
SignatureScheme |
getEDDSA_ED25519_SHA512()
EdDSA signature scheme using the ed25519 twisted Edwards curve and SHA512 for message hashing.
The actual algorithm is PureEdDSA Ed25519 as defined in https://tools.ietf.org/html/rfc8032
Not to be confused with the EdDSA variants, Ed25519ctx and Ed25519ph.
|
SignatureScheme |
getRSA_SHA256()
RSA PKCS#1 signature scheme using SHA256 for message hashing.
The actual algorithm id is 1.2.840.113549.1.1.1
Note: Recommended key size >= 3072 bits.
|
NonExistentClass |
getSHA512_256()
DLSequence (ASN1Sequence) for SHA512 truncated to 256 bits, used in SPHINCS-256 signature scheme.
|
SignatureScheme |
getSPHINCS256_SHA256()
SPHINCS-256 hash-based signature scheme using SHA512 for message hashing. It provides 128bit security against
post-quantum attackers at the cost of larger key nd signature sizes and loss of compatibility.
|
boolean |
isSupportedSignatureScheme(SignatureScheme signatureScheme)
Check if the requested
class SignatureScheme is supported by the system. |
boolean |
isValid(SecureHash txId,
TransactionSignature transactionSignature)
Utility to simplify the act of verifying a digital signature by identifying the signature scheme used from the
input public key's type.
It returns true if it succeeds and false if not. In comparison to
Crypto.doVerify if the key and signature
do not match it returns false rather than throwing an exception. Normally you should use the function which throws,
as it avoids the risk of failing to test the result. |
boolean |
isValid(java.security.PublicKey publicKey,
byte[] signatureData,
byte[] clearData)
Utility to simplify the act of verifying a digital signature by identifying the signature scheme used from the
input public key's type.
It returns true if it succeeds and false if not. In comparison to
Crypto.doVerify if the key and signature
do not match it returns false rather than throwing an exception. Normally you should use the function which throws,
as it avoids the risk of failing to test the result.
Use this method if the signature scheme is not a-priori known. |
boolean |
isValid(SignatureScheme signatureScheme,
java.security.PublicKey publicKey,
byte[] signatureData,
byte[] clearData)
Method to verify a digital signature. In comparison to
Crypto.doVerify if the key and signature
do not match it returns false rather than throwing an exception.
Use this method if the signature scheme type is a-priori unknown. |
boolean |
publicKeyOnCurve(SignatureScheme signatureScheme,
java.security.PublicKey publicKey)
Check if a point's coordinates are on the expected curve to avoid certain types of ECC attacks.
Point-at-infinity is not permitted as well.
|
void |
registerProviders()
Method to force registering all
class Crypto -related cryptography Providers.
It is recommended that it is invoked first thing on main functions, so the Providers are in place before any
cryptographic operation is requested outside class Crypto (i.e., SecureRandom, KeyStore, cert-path validation,
CRL & CSR checks etc.). |
java.util.List<net.corda.core.crypto.SignatureScheme> |
supportedSignatureSchemes() |
java.security.PrivateKey |
toSupportedPrivateKey(java.security.PrivateKey key)
Convert a private key to a supported implementation. This can be used to convert a SUN's EC key to an BC key.
This method is usually required to retrieve keys from JKS keystores that by default return SUN implementations.
|
java.security.PublicKey |
toSupportedPublicKey(NonExistentClass key)
Convert a public key to a supported implementation.
|
java.security.PublicKey |
toSupportedPublicKey(java.security.PublicKey key)
Convert a public key to a supported implementation. This can be used to convert a SUN's EC key to an BC key.
This method is usually required to retrieve a key (via its corresponding cert) from JKS keystores that by default
return SUN implementations.
|
boolean |
validatePublicKey(java.security.PublicKey key)
Check if a public key satisfies algorithm specs.
For instance, an ECC key should lie on the curve and not being point-at-infinity.
|
public static Crypto INSTANCE
This object controls and provides the available and supported signature schemes for Corda.
Any implemented class SignatureScheme
should be strictly defined here.
However, only the schemes returned by {@link #listSupportedSignatureSchemes()} are supported.
Note that Corda currently supports the following signature schemes by their code names:
class SignatureScheme
public SignatureScheme getRSA_SHA256()
RSA PKCS#1 signature scheme using SHA256 for message hashing. The actual algorithm id is 1.2.840.113549.1.1.1 Note: Recommended key size >= 3072 bits.
public SignatureScheme getECDSA_SECP256K1_SHA256()
ECDSA signature scheme using the secp256k1 Koblitz curve and SHA256 for message hashing.
public SignatureScheme getECDSA_SECP256R1_SHA256()
ECDSA signature scheme using the secp256r1 (NIST P-256) curve and SHA256 for message hashing.
public SignatureScheme getEDDSA_ED25519_SHA512()
EdDSA signature scheme using the ed25519 twisted Edwards curve and SHA512 for message hashing. The actual algorithm is PureEdDSA Ed25519 as defined in https://tools.ietf.org/html/rfc8032 Not to be confused with the EdDSA variants, Ed25519ctx and Ed25519ph.
public NonExistentClass getSHA512_256()
DLSequence (ASN1Sequence) for SHA512 truncated to 256 bits, used in SPHINCS-256 signature scheme.
public SignatureScheme getSPHINCS256_SHA256()
SPHINCS-256 hash-based signature scheme using SHA512 for message hashing. It provides 128bit security against post-quantum attackers at the cost of larger key nd signature sizes and loss of compatibility.
public SignatureScheme getCOMPOSITE_KEY()
Corda class CompositeKey
signature type.
class CompositeKey
public SignatureScheme getDEFAULT_SIGNATURE_SCHEME()
Our default signature scheme if no algorithm is specified (e.g. for key generation).
public java.util.List<net.corda.core.crypto.SignatureScheme> supportedSignatureSchemes()
public java.security.Provider findProvider(java.lang.String name)
public SignatureScheme findSignatureScheme(NonExistentClass algorithm)
public SignatureScheme findSignatureScheme(int schemeNumberID)
Find class SignatureScheme
by platform specific schemeNumberID.
class SignatureScheme
public SignatureScheme findSignatureScheme(java.lang.String schemeCodeName)
Factory pattern to retrieve the corresponding class SignatureScheme
based on SignatureScheme.schemeCodeName.
This function is usually called by key generators and verify signature functions.
In case the input is not a key in the supportedSignatureSchemes map, null will be returned.
schemeCodeName
- a String that should match a supported signature scheme code name (e.g. ECDSA_SECP256K1_SHA256), see class Crypto
.class SignatureScheme
public SignatureScheme findSignatureScheme(java.security.PublicKey key)
Retrieve the corresponding class SignatureScheme
based on the type of the input Key.
This function is usually called when requiring to verify signatures and the signing schemes must be defined.
For the supported signature schemes see class Crypto
.
key
- either private or public.class SignatureScheme
,
Key,
class Crypto
public SignatureScheme findSignatureScheme(java.security.PrivateKey key)
Retrieve the corresponding class SignatureScheme
based on the type of the input Key.
This function is usually called when requiring to verify signatures and the signing schemes must be defined.
For the supported signature schemes see class Crypto
.
key
- either private or public.class SignatureScheme
,
Key,
class Crypto
public java.security.PrivateKey decodePrivateKey(byte[] encodedKey)
Decode a PKCS8 encoded key to its PrivateKey object. Use this method if the key type is a-priori unknown.
encodedKey
- a PKCS8 encoded private key.public java.security.PrivateKey decodePrivateKey(java.lang.String schemeCodeName, byte[] encodedKey)
Decode a PKCS8 encoded key to its PrivateKey object based on the input scheme code name. This should be used when the type key is known, e.g. during deserialisation or with key caches or key managers.
schemeCodeName
- a String that should match a key in supportedSignatureSchemes map (e.g. ECDSA_SECP256K1_SHA256).encodedKey
- a PKCS8 encoded private key.public java.security.PrivateKey decodePrivateKey(SignatureScheme signatureScheme, byte[] encodedKey)
Decode a PKCS8 encoded key to its PrivateKey object based on the input scheme code name. This should be used when the type key is known, e.g. during deserialisation or with key caches or key managers.
signatureScheme
- a signature scheme (e.g. ECDSA_SECP256K1_SHA256).encodedKey
- a PKCS8 encoded private key.public java.security.PublicKey decodePublicKey(byte[] encodedKey)
Decode an X509 encoded key to its PublicKey object. Use this method if the key type is a-priori unknown.
encodedKey
- an X509 encoded public key.public java.security.PublicKey decodePublicKey(java.lang.String schemeCodeName, byte[] encodedKey)
Decode an X509 encoded key to its PrivateKey object based on the input scheme code name. This should be used when the type key is known, e.g. during deserialisation or with key caches or key managers.
schemeCodeName
- a String that should match a key in supportedSignatureSchemes map (e.g. ECDSA_SECP256K1_SHA256).encodedKey
- an X509 encoded public key.public java.security.PublicKey decodePublicKey(SignatureScheme signatureScheme, byte[] encodedKey)
Decode an X509 encoded key to its PrivateKey object based on the input scheme code name. This should be used when the type key is known, e.g. during deserialisation or with key caches or key managers.
signatureScheme
- a signature scheme (e.g. ECDSA_SECP256K1_SHA256).encodedKey
- an X509 encoded public key.public byte[] doSign(java.security.PrivateKey privateKey, byte[] clearData)
Generic way to sign ByteArray data with a PrivateKey. Strategy on on identifying the actual signing scheme is based on the PrivateKey type, but if the schemeCodeName is known, then better use doSign(signatureScheme: String, privateKey: PrivateKey, clearData: ByteArray).
privateKey
- the signer's PrivateKey.clearData
- the data/message to be signed in ByteArray form (usually the Merkle root).public byte[] doSign(java.lang.String schemeCodeName, java.security.PrivateKey privateKey, byte[] clearData)
Generic way to sign ByteArray data with a PrivateKey and a known schemeCodeName String.
schemeCodeName
- a signature scheme's code name (e.g. ECDSA_SECP256K1_SHA256).privateKey
- the signer's PrivateKey.clearData
- the data/message to be signed in ByteArray form (usually the Merkle root).public byte[] doSign(SignatureScheme signatureScheme, java.security.PrivateKey privateKey, byte[] clearData)
Generic way to sign ByteArray data with a PrivateKey and a known Signature.
signatureScheme
- a class SignatureScheme
object, retrieved from supported signature schemes, see class Crypto
.privateKey
- the signer's PrivateKey.clearData
- the data/message to be signed in ByteArray form (usually the Merkle root).public TransactionSignature doSign(java.security.KeyPair keyPair, SignableData signableData)
Generic way to sign class SignableData
objects with a PrivateKey.
class SignableData
is a wrapper over the transaction's id (Merkle root) in order to attach extra information, such as
a timestamp or partial and blind signature indicators.
keyPair
- the signer's KeyPair.signableData
- a class SignableData
object that adds extra information to a transaction.class TransactionSignature
object than contains the output of a successful signing, signer's public key and
the signature metadata.class SignableData
,
PrivateKey,
class SignableData
public boolean doVerify(java.lang.String schemeCodeName, java.security.PublicKey publicKey, byte[] signatureData, byte[] clearData)
Utility to simplify the act of verifying a digital signature. It returns true if it succeeds, but it always throws an exception if verification fails.
schemeCodeName
- a signature scheme's code name (e.g. ECDSA_SECP256K1_SHA256).publicKey
- the signer's PublicKey.signatureData
- the signatureData on a message.clearData
- the clear data/message that was signed (usually the Merkle root).public boolean doVerify(java.security.PublicKey publicKey, byte[] signatureData, byte[] clearData)
Utility to simplify the act of verifying a digital signature by identifying the signature scheme used from the input public key's type. It returns true if it succeeds, but it always throws an exception if verification fails. Strategy on identifying the actual signing scheme is based on the PublicKey type, but if the schemeCodeName is known, then better use doVerify(schemeCodeName: String, publicKey: PublicKey, signatureData: ByteArray, clearData: ByteArray).
publicKey
- the signer's PublicKey.signatureData
- the signatureData on a message.clearData
- the clear data/message that was signed (usually the Merkle root).public boolean doVerify(SignatureScheme signatureScheme, java.security.PublicKey publicKey, byte[] signatureData, byte[] clearData)
Method to verify a digital signature. It returns true if it succeeds, but it always throws an exception if verification fails.
signatureScheme
- a class SignatureScheme
object, retrieved from supported signature schemes, see class Crypto
.publicKey
- the signer's PublicKey.signatureData
- the signatureData on a message.clearData
- the clear data/message that was signed (usually the Merkle root).public boolean doVerify(SecureHash txId, TransactionSignature transactionSignature)
Utility to simplify the act of verifying a class TransactionSignature
.
It returns true if it succeeds, but it always throws an exception if verification fails.
txId
- transaction's id.transactionSignature
- the signature on the transaction.class TransactionSignature
public boolean isValid(SecureHash txId, TransactionSignature transactionSignature)
Utility to simplify the act of verifying a digital signature by identifying the signature scheme used from the
input public key's type.
It returns true if it succeeds and false if not. In comparison to Crypto.doVerify
if the key and signature
do not match it returns false rather than throwing an exception. Normally you should use the function which throws,
as it avoids the risk of failing to test the result.
txId
- transaction's id.transactionSignature
- the signature on the transaction.Crypto.doVerify
public boolean isValid(java.security.PublicKey publicKey, byte[] signatureData, byte[] clearData)
Utility to simplify the act of verifying a digital signature by identifying the signature scheme used from the
input public key's type.
It returns true if it succeeds and false if not. In comparison to Crypto.doVerify
if the key and signature
do not match it returns false rather than throwing an exception. Normally you should use the function which throws,
as it avoids the risk of failing to test the result.
Use this method if the signature scheme is not a-priori known.
publicKey
- the signer's PublicKey.signatureData
- the signatureData on a message.clearData
- the clear data/message that was signed (usually the Merkle root).Crypto.doVerify
public boolean isValid(SignatureScheme signatureScheme, java.security.PublicKey publicKey, byte[] signatureData, byte[] clearData)
Method to verify a digital signature. In comparison to Crypto.doVerify
if the key and signature
do not match it returns false rather than throwing an exception.
Use this method if the signature scheme type is a-priori unknown.
signatureScheme
- a class SignatureScheme
object, retrieved from supported signature schemes, see class Crypto
.publicKey
- the signer's PublicKey.signatureData
- the signatureData on a message.clearData
- the clear data/message that was signed (usually the Merkle root).Crypto.doVerify
public java.security.KeyPair generateKeyPair(java.lang.String schemeCodeName)
Utility to simplify the act of generating keys. Normally, we don't expect other errors here, assuming that key generation parameters for every supported signature scheme have been unit-tested.
schemeCodeName
- a signature scheme's code name (e.g. ECDSA_SECP256K1_SHA256).public java.security.KeyPair generateKeyPair(SignatureScheme signatureScheme)
Generate a KeyPair for the selected class SignatureScheme
.
Note that RSA is the sole algorithm initialized specifically by its supported keySize.
signatureScheme
- a supported class SignatureScheme
, see class Crypto
, default to Crypto.getDEFAULT_SIGNATURE_SCHEME
if not provided.class SignatureScheme
.class SignatureScheme
public java.security.KeyPair deriveKeyPair(SignatureScheme signatureScheme, java.security.PrivateKey privateKey, byte[] seed)
Deterministically generate/derive a KeyPair using an existing private key and a seed as inputs. This operation is currently supported for ECDSA secp256r1 (NIST P-256), ECDSA secp256k1 and EdDSA ed25519.
Similarly to BIP32, the implemented algorithm uses an HMAC function based on SHA512 and it is actually an implementation the HKDF rfc - Step 1: Extract function,
signatureScheme
- the class SignatureScheme
of the private key input.privateKey
- the PrivateKey that will be used as key to the HMAC-ed DKG function.seed
- an extra seed that will be used as value to the underlying HMAC.public java.security.KeyPair deriveKeyPair(java.security.PrivateKey privateKey, byte[] seed)
Deterministically generate/derive a KeyPair using an existing private key and a seed as inputs.
Use this method if the class SignatureScheme
of the private key input is not known.
privateKey
- the PrivateKey that will be used as key to the HMAC-ed DKG function.seed
- an extra seed that will be used as value to the underlying HMAC.class SignatureScheme
public java.security.KeyPair deriveKeyPairFromEntropy(SignatureScheme signatureScheme, java.math.BigInteger entropy)
Returns a key pair derived from the given BigInteger entropy. This is useful for unit tests
and other cases where you want hard-coded private keys.
Currently, the following schemes are supported: Crypto.getEDDSA_ED25519_SHA512
, Crypto.getECDSA_SECP256R1_SHA256
and Crypto.getECDSA_SECP256K1_SHA256
.
signatureScheme
- a supported class SignatureScheme
, see class Crypto
.entropy
- a BigInteger value.Crypto.getEDDSA_ED25519_SHA512
,
Crypto.getECDSA_SECP256R1_SHA256
,
Crypto.getECDSA_SECP256K1_SHA256
public java.security.KeyPair deriveKeyPairFromEntropy(java.math.BigInteger entropy)
Returns a Crypto.getDEFAULT_SIGNATURE_SCHEME
key pair derived from the given BigInteger entropy.
entropy
- a BigInteger value.Crypto.getDEFAULT_SIGNATURE_SCHEME
,
BigIntegerpublic boolean publicKeyOnCurve(SignatureScheme signatureScheme, java.security.PublicKey publicKey)
Check if a point's coordinates are on the expected curve to avoid certain types of ECC attacks. Point-at-infinity is not permitted as well.
publicKey
- a PublicKey, usually used to validate a signer's public key in on the Curve.signatureScheme
- a class SignatureScheme
object, retrieved from supported signature schemes, see class Crypto
.public boolean isSupportedSignatureScheme(SignatureScheme signatureScheme)
Check if the requested class SignatureScheme
is supported by the system.
class SignatureScheme
public boolean validatePublicKey(java.security.PublicKey key)
Check if a public key satisfies algorithm specs. For instance, an ECC key should lie on the curve and not being point-at-infinity.
public java.security.PublicKey toSupportedPublicKey(NonExistentClass key)
Convert a public key to a supported implementation.
key
- a public key.public java.security.PublicKey toSupportedPublicKey(java.security.PublicKey key)
Convert a public key to a supported implementation. This can be used to convert a SUN's EC key to an BC key. This method is usually required to retrieve a key (via its corresponding cert) from JKS keystores that by default return SUN implementations.
key
- a public key.public java.security.PrivateKey toSupportedPrivateKey(java.security.PrivateKey key)
Convert a private key to a supported implementation. This can be used to convert a SUN's EC key to an BC key. This method is usually required to retrieve keys from JKS keystores that by default return SUN implementations.
key
- a private key.public void registerProviders()
Method to force registering all class Crypto
-related cryptography Providers.
It is recommended that it is invoked first thing on main
functions, so the Providers are in place before any
cryptographic operation is requested outside class Crypto
(i.e., SecureRandom, KeyStore, cert-path validation,
CRL & CSR checks etc.).
class Crypto
,
Provider,
Provider,
class Crypto