|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Objectde.cardcontact.opencard.security.IsoSecureChannel
public class IsoSecureChannel
Class that implements secure messaging according to ISO7816-4 and specifically the profile from CWA 14890 (eSign-K), eGK and Extended Access Control 2.0.
The class has support for MAC protection of command and response APDU as well as encryption of command and response APDUs.
It supports send sequence counter for encryption and for MAC which can be incremented individually or in a synchronized way.
The class implements the SecureChannel interface and is as such a suitable APDU wrapper for the IsoCardService and TransparentCardService class.
Nested Class Summary | |
---|---|
static class |
IsoSecureChannel.SSCPolicyEnum
|
Field Summary | |
---|---|
protected int |
blocklen
|
protected java.lang.String |
cipheralgorithm
|
protected byte[] |
crt
|
protected byte[] |
encssc
|
protected byte[] |
iv
|
protected java.security.Key |
kenc
|
protected java.security.Key |
kmac
|
protected java.lang.String |
macalgorithm
|
protected int |
maclen
|
protected byte[] |
macssc
|
protected java.lang.String |
provider
|
protected IsoSecureChannel.SSCPolicyEnum |
sscpolicy
|
Fields inherited from interface de.cardcontact.opencard.security.SecureChannel |
---|
ALL, CENC, CPRO, RENC, RPRO |
Constructor Summary | |
---|---|
IsoSecureChannel()
Create uninitialised secure channel object The crypto provider is preset with "BC" |
|
IsoSecureChannel(java.lang.String provider)
Create uninitialised secure channel object |
Method Summary | |
---|---|
protected byte[] |
calculateMAC(byte cla,
byte ins,
byte p1,
byte p2,
byte[] do81or87,
byte[] doLe)
Calculates the MAC |
protected byte[] |
encodeBodyEvenINS(byte[] body,
boolean isEncrypted,
boolean isProtected)
Encode the body into a TLV encoded secure messaging body for even INS bytes |
protected byte[] |
encodeBodyOddINS(byte[] body,
boolean isEncrypted,
boolean isProtected)
Encode the body into a TLV encoded secure messaging body |
byte[] |
getEncryptionSendSequenceCounter()
Return current value of send sequence counter for encryption |
protected byte[] |
getIV(javax.crypto.Cipher cipher)
Determine the initialisation vector for encryption |
byte[] |
getMACSendSequenceCounter()
Return current value of send sequence counter for message authentication code |
byte[] |
getSendSequenceCounter()
Deprecated. Use getMACSendSequenceCounter instead |
protected void |
incrementENCSSC()
Increment send sequence counter for encryption by one |
protected void |
incrementMACSSC()
Increment send sequence counter for MAC by one |
protected static byte[] |
incrementSSC(byte[] ssc)
Increments a send sequence counte |
void |
setCipherAlgorithm(java.lang.String algo)
Sets the JCE algorithm name used for mac operations. |
void |
setCRT(byte[] crt)
Set the cryptographic reference template to be included in the command. |
void |
setEncKey(java.security.Key key)
Set key for encryption / decryption For DESede keys the default MAC algorithm is set to DESede/CBC/NoPadding. |
void |
setEncryptionSendSequenceCounter(byte[] ssc)
Initialise send sequence counter |
void |
setIV(byte[] iv)
Set initialisation vector for CBC |
void |
setMacAlgorithm(java.lang.String algo)
Sets the JCE algorithm name used for mac operations. |
void |
setMacKey(java.security.Key key)
Set key from MAC calculation / verification For DESede keys the default MAC algorithm is set to ISO9797ALG3Mac (Retail-MAC). |
void |
setMacLength(int maclen)
Set length of mac as number of rightmost bytes |
void |
setMACSendSequenceCounter(byte[] ssc)
Initialise send sequence counter |
void |
setSendSequenceCounter(byte[] ssc)
Deprecated. Use setMACSendSequenceCounter instead. |
void |
setSendSequenceCounterPolicy(IsoSecureChannel.SSCPolicyEnum policy)
Set policy for handling send sequence counters. |
ResponseAPDU |
unwrap(ResponseAPDU apduToUnwrap,
int usageQualifier)
Unwrap response APDU received with secure messaging |
CommandAPDU |
wrap(CommandAPDU apduToWrap,
int usageQualifier)
Wrap command APDU into a secure messaging command APDU using algorithm defined in eSign-K (CWA 14890) |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
protected java.lang.String provider
protected java.lang.String macalgorithm
protected java.lang.String cipheralgorithm
protected java.security.Key kenc
protected java.security.Key kmac
protected byte[] encssc
protected byte[] macssc
protected byte[] iv
protected byte[] crt
protected int maclen
protected int blocklen
protected IsoSecureChannel.SSCPolicyEnum sscpolicy
Constructor Detail |
---|
public IsoSecureChannel()
public IsoSecureChannel(java.lang.String provider)
provider
- Cryptographic service provider for JCEMethod Detail |
---|
protected static byte[] incrementSSC(byte[] ssc)
ssc
- the send sequence counter
protected void incrementMACSSC()
protected void incrementENCSSC()
protected byte[] getIV(javax.crypto.Cipher cipher) throws java.security.GeneralSecurityException
cipher
- the cipher to use
java.security.GeneralSecurityException
protected byte[] encodeBodyEvenINS(byte[] body, boolean isEncrypted, boolean isProtected)
body
- the unwrapped bodyisEncrypted
- true if the body is encryptedisProtected
- true if the body is going to be MAC protected
protected byte[] encodeBodyOddINS(byte[] body, boolean isEncrypted, boolean isProtected)
body
- the unwrapped bodyisEncrypted
- true if the body is encryptedisProtected
- true if the body is going to be MAC protected
protected byte[] calculateMAC(byte cla, byte ins, byte p1, byte p2, byte[] do81or87, byte[] doLe)
cla
- the class byteins
- the instruction bytep1
- the parameter p1p2
- the parameter p2do81or87
- the data body objectdoLe
- the Le object
public CommandAPDU wrap(CommandAPDU apduToWrap, int usageQualifier)
wrap
in interface SecureChannel
apduToWrap
- Command APDU to be wrapped by secure messagingusageQualifier
- Bitmap of SecureChannel.CPRO and SecureChannel.CENC to indicate
if MAC protection and or encryption is required.
CardServiceInvalidParameterException
- Thrown if crypto service provider does not support algorithmpublic ResponseAPDU unwrap(ResponseAPDU apduToUnwrap, int usageQualifier)
unwrap
in interface SecureChannel
apduToUnwrap
- Response APDU to processusageQualifier
- Bitmap of SecureChannel.RPRO and SecureChannel.RENC to indicate
if MAC protection and or encryption is requested.
CardServiceInvalidParameterException
- Thrown if crypto service provider does not support algorithm or
secure messaging response is invalid
CardServiceInvalidCredentialException
- Thrown is MAC verification or decryption of message failedpublic void setEncKey(java.security.Key key)
For DESede keys the default MAC algorithm is set to DESede/CBC/NoPadding.
For AES keys the default MAC algorithm is set to AES/CBC/NoPadding.
All ISO padding is performed by the code itself.
key
- the key used for encipherment or deciphermentpublic void setMacKey(java.security.Key key)
For DESede keys the default MAC algorithm is set to ISO9797ALG3Mac (Retail-MAC).
For AES keys the default MAC algorithm is set to AES CMAC.
All ISO padding is performed by the code itself.
key
- the key used for mac calculationpublic void setMacAlgorithm(java.lang.String algo)
Setting this parameter overwrites the default setting from setMacKey()
algo
- the JCE algorithm namepublic void setCipherAlgorithm(java.lang.String algo)
Setting this parameter overwrites the default setting from setMacKey()
algo
- the JCE algorithm namepublic void setIV(byte[] iv)
iv
- public void setMacLength(int maclen)
maclen
- public void setSendSequenceCounter(byte[] ssc)
ssc
- public void setEncryptionSendSequenceCounter(byte[] ssc)
ssc
- public void setMACSendSequenceCounter(byte[] ssc)
ssc
- public byte[] getSendSequenceCounter()
public byte[] getEncryptionSendSequenceCounter()
public byte[] getMACSendSequenceCounter()
public void setSendSequenceCounterPolicy(IsoSecureChannel.SSCPolicyEnum policy)
Set to SSCPolicyEnum.DEFAULT to use SSC for encryption and SSC for MAC individually, if defined.
Set to SSCPolicyEnum.SYNC to use SSC for MAC for encryption as well.
Set to SSCPolicyEnum.SYNC_AND_ENCRYPT to use SSC for MAC for encrypted SSC for encryption.
policy
- the policy to usepublic void setCRT(byte[] crt)
crt
- the crt to be included. Odd tags are included in the MAC.
|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |