Java tutorial
/* * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package javax.crypto.spec; import java.security.spec.KeySpec; import java.util.Arrays; /** * A user-chosen password that can be used with password-based encryption * (<i>PBE</i>). * * <p>The password can be viewed as some kind of raw key material, from which * the encryption mechanism that uses it derives a cryptographic key. * * <p>Different PBE mechanisms may consume different bits of each password * character. For example, the PBE mechanism defined in * <a href="http://www.ietf.org/rfc/rfc2898.txt"> * PKCS #5</a> looks at only the low order 8 bits of each character, whereas * PKCS #12 looks at all 16 bits of each character. * * <p>You convert the password characters to a PBE key by creating an * instance of the appropriate secret-key factory. For example, a secret-key * factory for PKCS #5 will construct a PBE key from only the low order 8 bits * of each password character, whereas a secret-key factory for PKCS #12 will * take all 16 bits of each character. * * <p>Also note that this class stores passwords as char arrays instead of * <code>String</code> objects (which would seem more logical), because the * String class is immutable and there is no way to overwrite its * internal value when the password stored in it is no longer needed. Hence, * this class requests the password as a char array, so it can be overwritten * when done. * * @author Jan Luehe * @author Valerie Peng * * @see javax.crypto.SecretKeyFactory * @see PBEParameterSpec * @since 1.4 */ public class PBEKeySpec implements KeySpec { private char[] password; private byte[] salt = null; private int iterationCount = 0; private int keyLength = 0; /** * Constructor that takes a password. An empty char[] is used if * null is specified. * * <p> Note: <code>password</code> is cloned before it is stored in * the new <code>PBEKeySpec</code> object. * * @param password the password. */ public PBEKeySpec(char[] password) { if ((password == null) || (password.length == 0)) { this.password = new char[0]; } else { this.password = password.clone(); } } /** * Constructor that takes a password, salt, iteration count, and * to-be-derived key length for generating PBEKey of variable-key-size * PBE ciphers. An empty char[] is used if null is specified for * <code>password</code>. * * <p> Note: the <code>password</code> and <code>salt</code> * are cloned before they are stored in * the new <code>PBEKeySpec</code> object. * * @param password the password. * @param salt the salt. * @param iterationCount the iteration count. * @param keyLength the to-be-derived key length. * @exception NullPointerException if <code>salt</code> is null. * @exception IllegalArgumentException if <code>salt</code> is empty, * i.e. 0-length, <code>iterationCount</code> or * <code>keyLength</code> is not positive. */ public PBEKeySpec(char[] password, byte[] salt, int iterationCount, int keyLength) { if ((password == null) || (password.length == 0)) { this.password = new char[0]; } else { this.password = password.clone(); } if (salt == null) { throw new NullPointerException("the salt parameter " + "must be non-null"); } else if (salt.length == 0) { throw new IllegalArgumentException("the salt parameter " + "must not be empty"); } else { this.salt = salt.clone(); } if (iterationCount <= 0) { throw new IllegalArgumentException("invalid iterationCount value"); } if (keyLength <= 0) { throw new IllegalArgumentException("invalid keyLength value"); } this.iterationCount = iterationCount; this.keyLength = keyLength; } /** * Constructor that takes a password, salt, iteration count for * generating PBEKey of fixed-key-size PBE ciphers. An empty * char[] is used if null is specified for <code>password</code>. * * <p> Note: the <code>password</code> and <code>salt</code> * are cloned before they are stored in the new * <code>PBEKeySpec</code> object. * * @param password the password. * @param salt the salt. * @param iterationCount the iteration count. * @exception NullPointerException if <code>salt</code> is null. * @exception IllegalArgumentException if <code>salt</code> is empty, * i.e. 0-length, or <code>iterationCount</code> is not positive. */ public PBEKeySpec(char[] password, byte[] salt, int iterationCount) { if ((password == null) || (password.length == 0)) { this.password = new char[0]; } else { this.password = password.clone(); } if (salt == null) { throw new NullPointerException("the salt parameter " + "must be non-null"); } else if (salt.length == 0) { throw new IllegalArgumentException("the salt parameter " + "must not be empty"); } else { this.salt = salt.clone(); } if (iterationCount <= 0) { throw new IllegalArgumentException("invalid iterationCount value"); } this.iterationCount = iterationCount; } /** * Clears the internal copy of the password. * */ public final void clearPassword() { if (password != null) { Arrays.fill(password, ' '); password = null; } } /** * Returns a copy of the password. * * <p> Note: this method returns a copy of the password. It is * the caller's responsibility to zero out the password information after * it is no longer needed. * * @exception IllegalStateException if password has been cleared by * calling <code>clearPassword</code> method. * @return the password. */ public final char[] getPassword() { if (password == null) { throw new IllegalStateException("password has been cleared"); } return password.clone(); } /** * Returns a copy of the salt or null if not specified. * * <p> Note: this method should return a copy of the salt. It is * the caller's responsibility to zero out the salt information after * it is no longer needed. * * @return the salt. */ public final byte[] getSalt() { if (salt != null) { return salt.clone(); } else { return null; } } /** * Returns the iteration count or 0 if not specified. * * @return the iteration count. */ public final int getIterationCount() { return iterationCount; } /** * Returns the to-be-derived key length or 0 if not specified. * * <p> Note: this is used to indicate the preference on key length * for variable-key-size ciphers. The actual key size depends on * each provider's implementation. * * @return the to-be-derived key length. */ public final int getKeyLength() { return keyLength; } }