javax.crypto: abstract public class: CipherSpi

javax.crypto
abstract public class: CipherSpi [javadoc | source]

java.lang.Object
   javax.crypto.CipherSpi

Direct Known Subclasses:
NullCipherImpl, NullCipherSpi

This class defines the Service Provider Interface (SPI) for the Cipher class. All the abstract methods in this class must be implemented by each cryptographic service provider who wishes to supply the implementation of a particular cipher algorithm.

In order to create an instance of Cipher, which encapsulates an instance of this CipherSpi class, an application calls one of the getInstance factory methods of the Cipher engine class and specifies the requested transformation. Optionally, the application may also specify the name of a provider.

A transformation is a string that describes the operation (or set of operations) to be performed on the given input, to produce some output. A transformation always includes the name of a cryptographic algorithm (e.g., DES), and may be followed by a feedback mode and padding scheme.

A transformation is of the form:

"algorithm/mode/padding" or
"algorithm"

(in the latter case, provider-specific default values for the mode and padding scheme are used). For example, the following is a valid transformation:

    Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");

A provider may supply a separate class for each combination of algorithm/mode/padding, or may decide to provide more generic classes representing sub-transformations corresponding to algorithm or algorithm/mode or algorithm//padding (note the double slashes), in which case the requested mode and/or padding are set automatically by the getInstance methods of Cipher, which invoke the engineSetMode and engineSetPadding methods of the provider's subclass of CipherSpi.

A Cipher property in a provider master class may have one of the following formats:

    // provider's subclass of "CipherSpi" implements "algName" with
    // pluggable mode and padding
    Cipher.algName

    // provider's subclass of "CipherSpi" implements "algName" in the
    // specified "mode", with pluggable padding
    Cipher.algName/mode

    // provider's subclass of "CipherSpi" implements "algName" with the
    // specified "padding", with pluggable mode
    Cipher.algName//padding

    // provider's subclass of "CipherSpi" implements "algName" with the
    // specified "mode" and "padding"
    Cipher.algName/mode/padding

For example, a provider may supply a subclass of CipherSpi that implements DES/ECB/PKCS5Padding, one that implements DES/CBC/PKCS5Padding, one that implements DES/CFB/PKCS5Padding, and yet another one that implements DES/OFB/PKCS5Padding. That provider would have the following Cipher properties in its master class:

```
    Cipher.DES/ECB/PKCS5Padding
```
```
    Cipher.DES/CBC/PKCS5Padding
```
```
    Cipher.DES/CFB/PKCS5Padding
```
```
    Cipher.DES/OFB/PKCS5Padding
```

Another provider may implement a class for each of the above modes (i.e., one class for ECB, one for CBC, one for CFB, and one for OFB), one class for PKCS5Padding, and a generic DES class that subclasses from CipherSpi. That provider would have the following Cipher properties in its master class:

```
    Cipher.DES
```

The getInstance factory method of the Cipher engine class follows these rules in order to instantiate a provider's implementation of CipherSpi for a transformation of the form "algorithm":

Check if the provider has registered a subclass of CipherSpi for the specified "algorithm".
If the answer is YES, instantiate this class, for whose mode and padding scheme default values (as supplied by the provider) are used.
If the answer is NO, throw a NoSuchAlgorithmException exception.

The getInstance factory method of the Cipher engine class follows these rules in order to instantiate a provider's implementation of CipherSpi for a transformation of the form "algorithm/mode/padding":

Check if the provider has registered a subclass of CipherSpi for the specified "algorithm/mode/padding" transformation.
If the answer is YES, instantiate it.
If the answer is NO, go to the next step.
Check if the provider has registered a subclass of CipherSpi for the sub-transformation "algorithm/mode".
If the answer is YES, instantiate it, and call engineSetPadding(padding) on the new instance.
If the answer is NO, go to the next step.
Check if the provider has registered a subclass of CipherSpi for the sub-transformation "algorithm//padding" (note the double slashes).
If the answer is YES, instantiate it, and call engineSetMode(mode) on the new instance.
If the answer is NO, go to the next step.
Check if the provider has registered a subclass of CipherSpi for the sub-transformation "algorithm".
If the answer is YES, instantiate it, and call engineSetMode(mode) and engineSetPadding(padding) on the new instance.
If the answer is NO, throw a NoSuchAlgorithmException exception.

Also see:

KeyGenerator

SecretKey

author: Jan - Luehe

since: 1.4 -

Method from javax.crypto.CipherSpi Summary:
engineDoFinal, engineDoFinal, engineDoFinal, engineGetBlockSize, engineGetIV, engineGetKeySize, engineGetOutputSize, engineGetParameters, engineInit, engineInit, engineInit, engineSetMode, engineSetPadding, engineUnwrap, engineUpdate, engineUpdate, engineUpdate, engineUpdateAAD, engineUpdateAAD, engineWrap, getTempArraySize

Methods from java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from javax.crypto.CipherSpi Detail:
protected int engineDoFinal(ByteBuffer input, ByteBuffer output) throws ShortBufferException, IllegalBlockSizeException, BadPaddingException { return bufferCrypt(input, output, false); } Encrypts or decrypts data in a single-part operation, or finishes a multiple-part operation. The data is encrypted or decrypted, depending on how this cipher was initialized. All `input.remaining()` bytes starting at `input.position()` are processed. If an AEAD mode such as GCM/CCM is being used, the authentication tag is appended in the case of encryption, or verified in the case of decryption. The result is stored in the output buffer. Upon return, the input buffer's position will be equal to its limit; its limit will not have changed. The output buffer's position will have advanced by n, where n is the value returned by this method; the output buffer's limit will not have changed. If `output.remaining()` bytes are insufficient to hold the result, a `ShortBufferException` is thrown. Upon finishing, this method resets this cipher object to the state it was in when previously initialized via a call to `engineInit`. That is, the object is reset and available to encrypt or decrypt (depending on the operation mode that was specified in the call to `engineInit`) more data. Note: if any exception is thrown, this cipher object may need to be reset before it can be used again. Subclasses should consider overriding this method if they can process ByteBuffers more efficiently than byte arrays.
abstract protected byte[] engineDoFinal(byte[] input, int inputOffset, int inputLen) throws IllegalBlockSizeException, BadPaddingException Encrypts or decrypts data in a single-part operation, or finishes a multiple-part operation. The data is encrypted or decrypted, depending on how this cipher was initialized. The first `inputLen` bytes in the `input` buffer, starting at `inputOffset` inclusive, and any input bytes that may have been buffered during a previous `update` operation, are processed, with padding (if requested) being applied. If an AEAD mode such as GCM/CCM is being used, the authentication tag is appended in the case of encryption, or verified in the case of decryption. The result is stored in a new buffer. Upon finishing, this method resets this cipher object to the state it was in when previously initialized via a call to `engineInit`. That is, the object is reset and available to encrypt or decrypt (depending on the operation mode that was specified in the call to `engineInit`) more data. Note: if any exception is thrown, this cipher object may need to be reset before it can be used again.
abstract protected int engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset) throws ShortBufferException, IllegalBlockSizeException, BadPaddingException Encrypts or decrypts data in a single-part operation, or finishes a multiple-part operation. The data is encrypted or decrypted, depending on how this cipher was initialized. The first `inputLen` bytes in the `input` buffer, starting at `inputOffset` inclusive, and any input bytes that may have been buffered during a previous `update` operation, are processed, with padding (if requested) being applied. If an AEAD mode such as GCM/CCM is being used, the authentication tag is appended in the case of encryption, or verified in the case of decryption. The result is stored in the `output` buffer, starting at `outputOffset` inclusive. If the `output` buffer is too small to hold the result, a `ShortBufferException` is thrown. Upon finishing, this method resets this cipher object to the state it was in when previously initialized via a call to `engineInit`. That is, the object is reset and available to encrypt or decrypt (depending on the operation mode that was specified in the call to `engineInit`) more data. Note: if any exception is thrown, this cipher object may need to be reset before it can be used again.
abstract protected int engineGetBlockSize() Returns the block size (in bytes).
abstract protected byte[] engineGetIV() Returns the initialization vector (IV) in a new buffer. This is useful in the context of password-based encryption or decryption, where the IV is derived from a user-provided passphrase.
protected int engineGetKeySize(Key key) throws InvalidKeyException { throw new UnsupportedOperationException(); } Returns the key size of the given key object in bits. This concrete method has been added to this previously-defined abstract class. It throws an `UnsupportedOperationException` if it is not overridden by the provider.
abstract protected int engineGetOutputSize(int inputLen) Returns the length in bytes that an output buffer would need to be in order to hold the result of the next `update` or `doFinal` operation, given the input length `inputLen` (in bytes). This call takes into account any unprocessed (buffered) data from a previous `update` call, padding, and AEAD tagging. The actual output length of the next `update` or `doFinal` call may be smaller than the length returned by this method.
abstract protected AlgorithmParameters engineGetParameters() Returns the parameters used with this cipher. The returned parameters may be the same that were used to initialize this cipher, or may contain a combination of default and random parameter values used by the underlying cipher implementation if this cipher requires algorithm parameters but was not initialized with any.
abstract protected void engineInit(int opmode, Key key, SecureRandom random) throws InvalidKeyException Initializes this cipher with a key and a source of randomness. The cipher is initialized for one of the following four operations: encryption, decryption, key wrapping or key unwrapping, depending on the value of `opmode`. If this cipher requires any algorithm parameters that cannot be derived from the given `key`, the underlying cipher implementation is supposed to generate the required parameters itself (using provider-specific default or random values) if it is being initialized for encryption or key wrapping, and raise an `InvalidKeyException` if it is being initialized for decryption or key unwrapping. The generated parameters can be retrieved using engineGetParameters or engineGetIV (if the parameter is an IV). If this cipher requires algorithm parameters that cannot be derived from the input parameters, and there are no reasonable provider-specific default values, initialization will necessarily fail. If this cipher (including its underlying feedback or padding scheme) requires any random bytes (e.g., for parameter generation), it will get them from `random`. Note that when a Cipher object is initialized, it loses all previously-acquired state. In other words, initializing a Cipher is equivalent to creating a new instance of that Cipher and initializing it.
abstract protected void engineInit(int opmode, Key key, AlgorithmParameterSpec params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException Initializes this cipher with a key, a set of algorithm parameters, and a source of randomness. The cipher is initialized for one of the following four operations: encryption, decryption, key wrapping or key unwrapping, depending on the value of `opmode`. If this cipher requires any algorithm parameters and `params` is null, the underlying cipher implementation is supposed to generate the required parameters itself (using provider-specific default or random values) if it is being initialized for encryption or key wrapping, and raise an `InvalidAlgorithmParameterException` if it is being initialized for decryption or key unwrapping. The generated parameters can be retrieved using engineGetParameters or engineGetIV (if the parameter is an IV). If this cipher requires algorithm parameters that cannot be derived from the input parameters, and there are no reasonable provider-specific default values, initialization will necessarily fail. If this cipher (including its underlying feedback or padding scheme) requires any random bytes (e.g., for parameter generation), it will get them from `random`. Note that when a Cipher object is initialized, it loses all previously-acquired state. In other words, initializing a Cipher is equivalent to creating a new instance of that Cipher and initializing it.
abstract protected void engineInit(int opmode, Key key, AlgorithmParameters params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException Initializes this cipher with a key, a set of algorithm parameters, and a source of randomness. The cipher is initialized for one of the following four operations: encryption, decryption, key wrapping or key unwrapping, depending on the value of `opmode`. If this cipher requires any algorithm parameters and `params` is null, the underlying cipher implementation is supposed to generate the required parameters itself (using provider-specific default or random values) if it is being initialized for encryption or key wrapping, and raise an `InvalidAlgorithmParameterException` if it is being initialized for decryption or key unwrapping. The generated parameters can be retrieved using engineGetParameters or engineGetIV (if the parameter is an IV). If this cipher requires algorithm parameters that cannot be derived from the input parameters, and there are no reasonable provider-specific default values, initialization will necessarily fail. If this cipher (including its underlying feedback or padding scheme) requires any random bytes (e.g., for parameter generation), it will get them from `random`. Note that when a Cipher object is initialized, it loses all previously-acquired state. In other words, initializing a Cipher is equivalent to creating a new instance of that Cipher and initializing it.
abstract protected void engineSetMode(String mode) throws NoSuchAlgorithmException Sets the mode of this cipher.
abstract protected void engineSetPadding(String padding) throws NoSuchPaddingException Sets the padding mechanism of this cipher.
protected Key engineUnwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, int wrappedKeyType) throws InvalidKeyException, NoSuchAlgorithmException { throw new UnsupportedOperationException(); } Unwrap a previously wrapped key. This concrete method has been added to this previously-defined abstract class. (For backwards compatibility, it cannot be abstract.) It may be overridden by a provider to unwrap a previously wrapped key. Such an override is expected to throw an InvalidKeyException if the given wrapped key cannot be unwrapped. If this method is not overridden, it always throws an UnsupportedOperationException.
protected int engineUpdate(ByteBuffer input, ByteBuffer output) throws ShortBufferException { try { return bufferCrypt(input, output, true); } catch (IllegalBlockSizeException e) { // never thrown for engineUpdate() throw new ProviderException("Internal error in update()"); } catch (BadPaddingException e) { // never thrown for engineUpdate() throw new ProviderException("Internal error in update()"); } } Continues a multiple-part encryption or decryption operation (depending on how this cipher was initialized), processing another data part. All `input.remaining()` bytes starting at `input.position()` are processed. The result is stored in the output buffer. Upon return, the input buffer's position will be equal to its limit; its limit will not have changed. The output buffer's position will have advanced by n, where n is the value returned by this method; the output buffer's limit will not have changed. If `output.remaining()` bytes are insufficient to hold the result, a `ShortBufferException` is thrown. Subclasses should consider overriding this method if they can process ByteBuffers more efficiently than byte arrays.
abstract protected byte[] engineUpdate(byte[] input, int inputOffset, int inputLen) Continues a multiple-part encryption or decryption operation (depending on how this cipher was initialized), processing another data part. The first `inputLen` bytes in the `input` buffer, starting at `inputOffset` inclusive, are processed, and the result is stored in a new buffer.
abstract protected int engineUpdate(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset) throws ShortBufferException Continues a multiple-part encryption or decryption operation (depending on how this cipher was initialized), processing another data part. The first `inputLen` bytes in the `input` buffer, starting at `inputOffset` inclusive, are processed, and the result is stored in the `output` buffer, starting at `outputOffset` inclusive. If the `output` buffer is too small to hold the result, a `ShortBufferException` is thrown.
protected void engineUpdateAAD(ByteBuffer src) { throw new UnsupportedOperationException( "The underlying Cipher implementation " + "does not support this method"); } Continues a multi-part update of the Additional Authentication Data (AAD). Calls to this method provide AAD to the cipher when operating in modes such as AEAD (GCM/CCM). If this cipher is operating in either GCM or CCM mode, all AAD must be supplied before beginning operations on the ciphertext (via the {@code update} and {@code doFinal} methods). All {@code src.remaining()} bytes starting at {@code src.position()} are processed. Upon return, the input buffer's position will be equal to its limit; its limit will not have changed.
protected void engineUpdateAAD(byte[] src, int offset, int len) { throw new UnsupportedOperationException( "The underlying Cipher implementation " + "does not support this method"); } Continues a multi-part update of the Additional Authentication Data (AAD), using a subset of the provided buffer. Calls to this method provide AAD to the cipher when operating in modes such as AEAD (GCM/CCM). If this cipher is operating in either GCM or CCM mode, all AAD must be supplied before beginning operations on the ciphertext (via the {@code update} and {@code doFinal} methods).
protected byte[] engineWrap(Key key) throws IllegalBlockSizeException, InvalidKeyException { throw new UnsupportedOperationException(); } Wrap a key. This concrete method has been added to this previously-defined abstract class. (For backwards compatibility, it cannot be abstract.) It may be overridden by a provider to wrap a key. Such an override is expected to throw an IllegalBlockSizeException or InvalidKeyException (under the specified circumstances), if the given key cannot be wrapped. If this method is not overridden, it always throws an UnsupportedOperationException.
static int getTempArraySize(int totalSize) { return Math.min(4096, totalSize); }