KEM
class. A security provider implements this interface to provide an
implementation of a Key Encapsulation Mechanism (KEM) algorithm.
A KEM algorithm may support a family of configurations. Each configuration
may accept different types of keys, cryptographic primitives, and sizes of
shared secrets and key encapsulation messages. A configuration is defined
by the KEM algorithm name, the key it uses, and an optional
AlgorithmParameterSpec
argument that is specified when creating
an encapsulator or decapsulator. The result of calling
engineNewEncapsulator(java.security.PublicKey, java.security.spec.AlgorithmParameterSpec, java.security.SecureRandom)
or engineNewDecapsulator(java.security.PrivateKey, java.security.spec.AlgorithmParameterSpec)
must return
an encapsulator or decapsulator that maps to a single configuration,
where its engineSecretSize()
and engineEncapsulationSize()
methods return constant values.
A KEMSpi
implementation must be immutable. It must be safe to
call multiple engineNewEncapsulator
and engineNewDecapsulator
methods at the same time.
EncapsulatorSpi
and DecapsulatorSpi
implementations must also
be immutable. It must be safe to invoke multiple encapsulate
and
decapsulate
methods at the same time. Each invocation of
encapsulate
should generate a new shared secret and key
encapsulation message.
For example,
public static class MyKEMImpl implements KEMSpi {
@Override
public KEMSpi.EncapsulatorSpi engineNewEncapsulator(PublicKey publicKey,
AlgorithmParameterSpec spec, SecureRandom secureRandom)
throws InvalidAlgorithmParameterException, InvalidKeyException {
if (!checkPublicKey(publicKey)) {
throw new InvalidKeyException("unsupported key");
}
if (!checkParameters(spec)) {
throw new InvalidAlgorithmParameterException("unsupported params");
}
return new MyEncapsulator(publicKey, spec, secureRandom);
}
class MyEncapsulator implements KEMSpi.EncapsulatorSpi {
MyEncapsulator(PublicKey publicKey, AlgorithmParameterSpec spec,
SecureRandom secureRandom){
this.spec = spec != null ? spec : getDefaultParameters();
this.secureRandom = secureRandom != null
? secureRandom
: getDefaultSecureRandom();
this.publicKey = publicKey;
}
@Override
public KEM.Encapsulated encapsulate(int from, int to, String algorithm) {
byte[] encapsulation;
byte[] secret;
// calculating...
return new KEM.Encapsulated(
new SecretKeySpec(secret, from, to - from, algorithm),
encapsulation, null);
}
// ...
}
// ...
}
- API Note:
- This interface is defined in Java SE 17 Maintenance Release 1.
- Since:
- 17
- See Also:
-
Nested Class Summary
Modifier and TypeInterfaceDescriptionstatic interface
The KEM decapsulator implementation, generated byengineNewDecapsulator(java.security.PrivateKey, java.security.spec.AlgorithmParameterSpec)
on the KEM receiver side.static interface
The KEM encapsulator implementation, generated byengineNewEncapsulator(java.security.PublicKey, java.security.spec.AlgorithmParameterSpec, java.security.SecureRandom)
on the KEM sender side. -
Method Summary
Modifier and TypeMethodDescriptionengineNewDecapsulator
(PrivateKey privateKey, AlgorithmParameterSpec spec) Creates a KEM decapsulator on the KEM receiver side.engineNewEncapsulator
(PublicKey publicKey, AlgorithmParameterSpec spec, SecureRandom secureRandom) Creates a KEM encapsulator on the KEM sender side.
-
Method Details
-
engineNewEncapsulator
KEMSpi.EncapsulatorSpi engineNewEncapsulator(PublicKey publicKey, AlgorithmParameterSpec spec, SecureRandom secureRandom) throws InvalidAlgorithmParameterException, InvalidKeyException Creates a KEM encapsulator on the KEM sender side.- Parameters:
publicKey
- the receiver's public key, must not benull
spec
- the optional parameter, can benull
secureRandom
- the source of randomness for encapsulation. Ifnull
, the implementation must provide a default one.- Returns:
- the encapsulator for this key
- Throws:
InvalidAlgorithmParameterException
- ifspec
is invalid or one is required butspec
isnull
InvalidKeyException
- ifpublicKey
isnull
or invalid- See Also:
-
engineNewDecapsulator
KEMSpi.DecapsulatorSpi engineNewDecapsulator(PrivateKey privateKey, AlgorithmParameterSpec spec) throws InvalidAlgorithmParameterException, InvalidKeyException Creates a KEM decapsulator on the KEM receiver side.- Parameters:
privateKey
- the receiver's private key, must not benull
spec
- the optional parameter, can benull
- Returns:
- the decapsulator for this key
- Throws:
InvalidAlgorithmParameterException
- ifspec
is invalid or one is required butspec
isnull
InvalidKeyException
- ifprivateKey
isnull
or invalid- See Also:
-