1 /*
   2  * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package javax.crypto;
  27 
  28 import java.util.*;
  29 import java.util.concurrent.ConcurrentHashMap;
  30 import java.util.concurrent.ConcurrentMap;
  31 import java.util.regex.*;
  32 
  33 
  34 import java.security.*;
  35 import java.security.Provider.Service;
  36 import java.security.spec.AlgorithmParameterSpec;
  37 import java.security.spec.InvalidParameterSpecException;
  38 import java.security.cert.Certificate;
  39 import java.security.cert.X509Certificate;
  40 
  41 import javax.crypto.spec.*;
  42 
  43 import java.nio.ByteBuffer;
  44 import java.nio.ReadOnlyBufferException;
  45 
  46 import sun.security.util.Debug;
  47 import sun.security.jca.*;
  48 
  49 /**
  50  * This class provides the functionality of a cryptographic cipher for
  51  * encryption and decryption. It forms the core of the Java Cryptographic
  52  * Extension (JCE) framework.
  53  *
  54  * <p>In order to create a Cipher object, the application calls the
  55  * Cipher's {@code getInstance} method, and passes the name of the
  56  * requested <i>transformation</i> to it. Optionally, the name of a provider
  57  * may be specified.
  58  *
  59  * <p>A <i>transformation</i> is a string that describes the operation (or
  60  * set of operations) to be performed on the given input, to produce some
  61  * output. A transformation always includes the name of a cryptographic
  62  * algorithm (e.g., <i>DES</i>), and may be followed by a feedback mode and
  63  * padding scheme.
  64  *
  65  * <p> A transformation is of the form:
  66  *
  67  * <ul>
  68  * <li>"<i>algorithm/mode/padding</i>" or
  69  *
  70  * <li>"<i>algorithm</i>"
  71  * </ul>
  72  *
  73  * <P> (in the latter case,
  74  * provider-specific default values for the mode and padding scheme are used).
  75  * For example, the following is a valid transformation:
  76  *
  77  * <pre>
  78  *     Cipher c = Cipher.getInstance("<i>DES/CBC/PKCS5Padding</i>");
  79  * </pre>
  80  *
  81  * Using modes such as {@code CFB} and {@code OFB}, block
  82  * ciphers can encrypt data in units smaller than the cipher's actual
  83  * block size.  When requesting such a mode, you may optionally specify
  84  * the number of bits to be processed at a time by appending this number
  85  * to the mode name as shown in the "{@code DES/CFB8/NoPadding}" and
  86  * "{@code DES/OFB32/PKCS5Padding}" transformations. If no such
  87  * number is specified, a provider-specific default is used. (For
  88  * example, the SunJCE provider uses a default of 64 bits for DES.)
  89  * Thus, block ciphers can be turned into byte-oriented stream ciphers by
  90  * using an 8 bit mode such as CFB8 or OFB8.
  91  * <p>
  92  * Modes such as Authenticated Encryption with Associated Data (AEAD)
  93  * provide authenticity assurances for both confidential data and
  94  * Additional Associated Data (AAD) that is not encrypted.  (Please see
  95  * <a href="http://www.ietf.org/rfc/rfc5116.txt"> RFC 5116 </a> for more
  96  * information on AEAD and AAD algorithms such as GCM/CCM.) Both
  97  * confidential and AAD data can be used when calculating the
  98  * authentication tag (similar to a {@link Mac}).  This tag is appended
  99  * to the ciphertext during encryption, and is verified on decryption.
 100  * <p>
 101  * AEAD modes such as GCM/CCM perform all AAD authenticity calculations
 102  * before starting the ciphertext authenticity calculations.  To avoid
 103  * implementations having to internally buffer ciphertext, all AAD data
 104  * must be supplied to GCM/CCM implementations (via the {@code updateAAD}
 105  * methods) <b>before</b> the ciphertext is processed (via
 106  * the {@code update} and {@code doFinal} methods).
 107  * <p>
 108  * Note that GCM mode has a uniqueness requirement on IVs used in
 109  * encryption with a given key. When IVs are repeated for GCM
 110  * encryption, such usages are subject to forgery attacks. Thus, after
 111  * each encryption operation using GCM mode, callers should re-initialize
 112  * the cipher objects with GCM parameters which has a different IV value.
 113  * <pre>
 114  *     GCMParameterSpec s = ...;
 115  *     cipher.init(..., s);
 116  *
 117  *     // If the GCM parameters were generated by the provider, it can
 118  *     // be retrieved by:
 119  *     // cipher.getParameters().getParameterSpec(GCMParameterSpec.class);
 120  *
 121  *     cipher.updateAAD(...);  // AAD
 122  *     cipher.update(...);     // Multi-part update
 123  *     cipher.doFinal(...);    // conclusion of operation
 124  *
 125  *     // Use a different IV value for every encryption
 126  *     byte[] newIv = ...;
 127  *     s = new GCMParameterSpec(s.getTLen(), newIv);
 128  *     cipher.init(..., s);
 129  *     ...
 130  *
 131  * </pre>
 132  * Every implementation of the Java platform is required to support
 133  * the following standard {@code Cipher} transformations with the keysizes
 134  * in parentheses:
 135  * <ul>
 136  * <li>{@code AES/CBC/NoPadding} (128)</li>
 137  * <li>{@code AES/CBC/PKCS5Padding} (128)</li>
 138  * <li>{@code AES/ECB/NoPadding} (128)</li>
 139  * <li>{@code AES/ECB/PKCS5Padding} (128)</li>
 140  * <li>{@code DES/CBC/NoPadding} (56)</li>
 141  * <li>{@code DES/CBC/PKCS5Padding} (56)</li>
 142  * <li>{@code DES/ECB/NoPadding} (56)</li>
 143  * <li>{@code DES/ECB/PKCS5Padding} (56)</li>
 144  * <li>{@code DESede/CBC/NoPadding} (168)</li>
 145  * <li>{@code DESede/CBC/PKCS5Padding} (168)</li>
 146  * <li>{@code DESede/ECB/NoPadding} (168)</li>
 147  * <li>{@code DESede/ECB/PKCS5Padding} (168)</li>
 148  * <li>{@code RSA/ECB/PKCS1Padding} (1024, 2048)</li>
 149  * <li>{@code RSA/ECB/OAEPWithSHA-1AndMGF1Padding} (1024, 2048)</li>
 150  * <li>{@code RSA/ECB/OAEPWithSHA-256AndMGF1Padding} (1024, 2048)</li>
 151  * </ul>
 152  * These transformations are described in the
 153  * <a href="{@docRoot}/../technotes/guides/security/StandardNames.html#Cipher">
 154  * Cipher section</a> of the
 155  * Java Cryptography Architecture Standard Algorithm Name Documentation.
 156  * Consult the release documentation for your implementation to see if any
 157  * other transformations are supported.
 158  *
 159  * @author Jan Luehe
 160  * @see KeyGenerator
 161  * @see SecretKey
 162  * @since 1.4
 163  */
 164 
 165 public class Cipher {
 166 
 167     private static final Debug debug =
 168                         Debug.getInstance("jca", "Cipher");
 169 
 170     private static final Debug pdebug =
 171                         Debug.getInstance("provider", "Provider");
 172     private static final boolean skipDebug =
 173         Debug.isOn("engine=") && !Debug.isOn("cipher");
 174 
 175     /**
 176      * Constant used to initialize cipher to encryption mode.
 177      */
 178     public static final int ENCRYPT_MODE = 1;
 179 
 180     /**
 181      * Constant used to initialize cipher to decryption mode.
 182      */
 183     public static final int DECRYPT_MODE = 2;
 184 
 185     /**
 186      * Constant used to initialize cipher to key-wrapping mode.
 187      */
 188     public static final int WRAP_MODE = 3;
 189 
 190     /**
 191      * Constant used to initialize cipher to key-unwrapping mode.
 192      */
 193     public static final int UNWRAP_MODE = 4;
 194 
 195     /**
 196      * Constant used to indicate the to-be-unwrapped key is a "public key".
 197      */
 198     public static final int PUBLIC_KEY = 1;
 199 
 200     /**
 201      * Constant used to indicate the to-be-unwrapped key is a "private key".
 202      */
 203     public static final int PRIVATE_KEY = 2;
 204 
 205     /**
 206      * Constant used to indicate the to-be-unwrapped key is a "secret key".
 207      */
 208     public static final int SECRET_KEY = 3;
 209 
 210     // The provider
 211     private Provider provider;
 212 
 213     // The provider implementation (delegate)
 214     private CipherSpi spi;
 215 
 216     // The transformation
 217     private String transformation;
 218 
 219     // Crypto permission representing the maximum allowable cryptographic
 220     // strength that this Cipher object can be used for. (The cryptographic
 221     // strength is a function of the keysize and algorithm parameters encoded
 222     // in the crypto permission.)
 223     private CryptoPermission cryptoPerm;
 224 
 225     // The exemption mechanism that needs to be enforced
 226     private ExemptionMechanism exmech;
 227 
 228     // Flag which indicates whether or not this cipher has been initialized
 229     private boolean initialized = false;
 230 
 231     // The operation mode - store the operation mode after the
 232     // cipher has been initialized.
 233     private int opmode = 0;
 234 
 235     // The OID for the KeyUsage extension in an X.509 v3 certificate
 236     private static final String KEY_USAGE_EXTENSION_OID = "2.5.29.15";
 237 
 238     // next SPI  to try in provider selection
 239     // null once provider is selected
 240     private CipherSpi firstSpi;
 241 
 242     // next service to try in provider selection
 243     // null once provider is selected
 244     private Service firstService;
 245 
 246     // remaining services to try in provider selection
 247     // null once provider is selected
 248     private Iterator<Service> serviceIterator;
 249 
 250     // list of transform Strings to lookup in the provider
 251     private List<Transform> transforms;
 252 
 253     private final Object lock;
 254 
 255     /**
 256      * Creates a Cipher object.
 257      *
 258      * @param cipherSpi the delegate
 259      * @param provider the provider
 260      * @param transformation the transformation
 261      */
 262     protected Cipher(CipherSpi cipherSpi,
 263                      Provider provider,
 264                      String transformation) {
 265         // See bug 4341369 & 4334690 for more info.
 266         // If the caller is trusted, then okay.
 267         // Otherwise throw a NullPointerException.
 268         if (!JceSecurityManager.INSTANCE.isCallerTrusted(provider)) {
 269             throw new NullPointerException();
 270         }
 271         this.spi = cipherSpi;
 272         this.provider = provider;
 273         this.transformation = transformation;
 274         this.cryptoPerm = CryptoAllPermission.INSTANCE;
 275         this.lock = null;
 276     }
 277 
 278     /**
 279      * Creates a Cipher object. Called internally and by NullCipher.
 280      *
 281      * @param cipherSpi the delegate
 282      * @param transformation the transformation
 283      */
 284     Cipher(CipherSpi cipherSpi, String transformation) {
 285         this.spi = cipherSpi;
 286         this.transformation = transformation;
 287         this.cryptoPerm = CryptoAllPermission.INSTANCE;
 288         this.lock = null;
 289     }
 290 
 291     private Cipher(CipherSpi firstSpi, Service firstService,
 292             Iterator<Service> serviceIterator, String transformation,
 293             List<Transform> transforms) {
 294         this.firstSpi = firstSpi;
 295         this.firstService = firstService;
 296         this.serviceIterator = serviceIterator;
 297         this.transforms = transforms;
 298         this.transformation = transformation;
 299         this.lock = new Object();
 300     }
 301 
 302     private static String[] tokenizeTransformation(String transformation)
 303             throws NoSuchAlgorithmException {
 304         if (transformation == null) {
 305             throw new NoSuchAlgorithmException("No transformation given");
 306         }
 307         /*
 308          * array containing the components of a Cipher transformation:
 309          *
 310          * index 0: algorithm component (e.g., DES)
 311          * index 1: feedback component (e.g., CFB)
 312          * index 2: padding component (e.g., PKCS5Padding)
 313          */
 314         String[] parts = new String[3];
 315         int count = 0;
 316         StringTokenizer parser = new StringTokenizer(transformation, "/");
 317         try {
 318             while (parser.hasMoreTokens() && count < 3) {
 319                 parts[count++] = parser.nextToken().trim();
 320             }
 321             if (count == 0 || count == 2 || parser.hasMoreTokens()) {
 322                 throw new NoSuchAlgorithmException("Invalid transformation"
 323                                                + " format:" +
 324                                                transformation);
 325             }
 326         } catch (NoSuchElementException e) {
 327             throw new NoSuchAlgorithmException("Invalid transformation " +
 328                                            "format:" + transformation);
 329         }
 330         if ((parts[0] == null) || (parts[0].length() == 0)) {
 331             throw new NoSuchAlgorithmException("Invalid transformation:" +
 332                                    "algorithm not specified-"
 333                                    + transformation);
 334         }
 335         return parts;
 336     }
 337 
 338     // Provider attribute name for supported chaining mode
 339     private static final String ATTR_MODE = "SupportedModes";
 340     // Provider attribute name for supported padding names
 341     private static final String ATTR_PAD  = "SupportedPaddings";
 342 
 343     // constants indicating whether the provider supports
 344     // a given mode or padding
 345     private static final int S_NO    = 0;       // does not support
 346     private static final int S_MAYBE = 1;       // unable to determine
 347     private static final int S_YES   = 2;       // does support
 348 
 349     /**
 350      * Nested class to deal with modes and paddings.
 351      */
 352     private static class Transform {
 353         // transform string to lookup in the provider
 354         final String transform;
 355         // the mode/padding suffix in upper case. for example, if the algorithm
 356         // to lookup is "DES/CBC/PKCS5Padding" suffix is "/CBC/PKCS5PADDING"
 357         // if loopup is "DES", suffix is the empty string
 358         // needed because aliases prevent straight transform.equals()
 359         final String suffix;
 360         // value to pass to setMode() or null if no such call required
 361         final String mode;
 362         // value to pass to setPadding() or null if no such call required
 363         final String pad;
 364         Transform(String alg, String suffix, String mode, String pad) {
 365             this.transform = alg + suffix;
 366             this.suffix = suffix.toUpperCase(Locale.ENGLISH);
 367             this.mode = mode;
 368             this.pad = pad;
 369         }
 370         // set mode and padding for the given SPI
 371         void setModePadding(CipherSpi spi) throws NoSuchAlgorithmException,
 372                 NoSuchPaddingException {
 373             if (mode != null) {
 374                 spi.engineSetMode(mode);
 375             }
 376             if (pad != null) {
 377                 spi.engineSetPadding(pad);
 378             }
 379         }
 380         // check whether the given services supports the mode and
 381         // padding described by this Transform
 382         int supportsModePadding(Service s) {
 383             int smode = supportsMode(s);
 384             if (smode == S_NO) {
 385                 return smode;
 386             }
 387             int spad = supportsPadding(s);
 388             // our constants are defined so that Math.min() is a tri-valued AND
 389             return Math.min(smode, spad);
 390         }
 391 
 392         // separate methods for mode and padding
 393         // called directly by Cipher only to throw the correct exception
 394         int supportsMode(Service s) {
 395             return supports(s, ATTR_MODE, mode);
 396         }
 397         int supportsPadding(Service s) {
 398             return supports(s, ATTR_PAD, pad);
 399         }
 400 
 401         private static int supports(Service s, String attrName, String value) {
 402             if (value == null) {
 403                 return S_YES;
 404             }
 405             String regexp = s.getAttribute(attrName);
 406             if (regexp == null) {
 407                 return S_MAYBE;
 408             }
 409             return matches(regexp, value) ? S_YES : S_NO;
 410         }
 411 
 412         // ConcurrentMap<String,Pattern> for previously compiled patterns
 413         private static final ConcurrentMap<String, Pattern> patternCache =
 414             new ConcurrentHashMap<String, Pattern>();
 415 
 416         private static boolean matches(String regexp, String str) {
 417             Pattern pattern = patternCache.get(regexp);
 418             if (pattern == null) {
 419                 pattern = Pattern.compile(regexp);
 420                 patternCache.putIfAbsent(regexp, pattern);
 421             }
 422             return pattern.matcher(str.toUpperCase(Locale.ENGLISH)).matches();
 423         }
 424 
 425     }
 426 
 427     private static List<Transform> getTransforms(String transformation)
 428             throws NoSuchAlgorithmException {
 429         String[] parts = tokenizeTransformation(transformation);
 430 
 431         String alg = parts[0];
 432         String mode = parts[1];
 433         String pad = parts[2];
 434         if ((mode != null) && (mode.length() == 0)) {
 435             mode = null;
 436         }
 437         if ((pad != null) && (pad.length() == 0)) {
 438             pad = null;
 439         }
 440 
 441         if ((mode == null) && (pad == null)) {
 442             // DES
 443             Transform tr = new Transform(alg, "", null, null);
 444             return Collections.singletonList(tr);
 445         } else { // if ((mode != null) && (pad != null)) {
 446             // DES/CBC/PKCS5Padding
 447             List<Transform> list = new ArrayList<>(4);
 448             list.add(new Transform(alg, "/" + mode + "/" + pad, null, null));
 449             list.add(new Transform(alg, "/" + mode, null, pad));
 450             list.add(new Transform(alg, "//" + pad, mode, null));
 451             list.add(new Transform(alg, "", mode, pad));
 452             return list;
 453         }
 454     }
 455 
 456     // get the transform matching the specified service
 457     private static Transform getTransform(Service s,
 458                                           List<Transform> transforms) {
 459         String alg = s.getAlgorithm().toUpperCase(Locale.ENGLISH);
 460         for (Transform tr : transforms) {
 461             if (alg.endsWith(tr.suffix)) {
 462                 return tr;
 463             }
 464         }
 465         return null;
 466     }
 467 
 468     /**
 469      * Returns a {@code Cipher} object that implements the specified
 470      * transformation.
 471      *
 472      * <p> This method traverses the list of registered security Providers,
 473      * starting with the most preferred Provider.
 474      * A new Cipher object encapsulating the
 475      * CipherSpi implementation from the first
 476      * Provider that supports the specified algorithm is returned.
 477      *
 478      * <p> Note that the list of registered providers may be retrieved via
 479      * the {@link Security#getProviders() Security.getProviders()} method.
 480      *
 481      * @implNote
 482      * The JDK Reference Implementation additionally uses the
 483      * {@code jdk.security.provider.preferred}
 484      * {@link Security#getProperty(String) Security} property to determine
 485      * the preferred provider order for the specified algorithm. This
 486      * may be different than the order of providers returned by
 487      * {@link Security#getProviders() Security.getProviders()}.
 488      *
 489      * @param transformation the name of the transformation, e.g.,
 490      * <i>DES/CBC/PKCS5Padding</i>.
 491      * See the Cipher section in the <a href=
 492      *   "{@docRoot}/../technotes/guides/security/StandardNames.html#Cipher">
 493      * Java Cryptography Architecture Standard Algorithm Name Documentation</a>
 494      * for information about standard transformation names.
 495      *
 496      * @return a cipher that implements the requested transformation.
 497      *
 498      * @exception NoSuchAlgorithmException if {@code transformation}
 499      *          is null, empty, in an invalid format,
 500      *          or if no Provider supports a CipherSpi implementation for the
 501      *          specified algorithm.
 502      *
 503      * @exception NoSuchPaddingException if {@code transformation}
 504      *          contains a padding scheme that is not available.
 505      *
 506      * @see java.security.Provider
 507      */
 508     public static final Cipher getInstance(String transformation)
 509             throws NoSuchAlgorithmException, NoSuchPaddingException
 510     {
 511         List<Transform> transforms = getTransforms(transformation);
 512         List<ServiceId> cipherServices = new ArrayList<>(transforms.size());
 513         for (Transform transform : transforms) {
 514             cipherServices.add(new ServiceId("Cipher", transform.transform));
 515         }
 516         List<Service> services = GetInstance.getServices(cipherServices);
 517         // make sure there is at least one service from a signed provider
 518         // and that it can use the specified mode and padding
 519         Iterator<Service> t = services.iterator();
 520         Exception failure = null;
 521         while (t.hasNext()) {
 522             Service s = t.next();
 523             if (JceSecurity.canUseProvider(s.getProvider()) == false) {
 524                 continue;
 525             }
 526             Transform tr = getTransform(s, transforms);
 527             if (tr == null) {
 528                 // should never happen
 529                 continue;
 530             }
 531             int canuse = tr.supportsModePadding(s);
 532             if (canuse == S_NO) {
 533                 // does not support mode or padding we need, ignore
 534                 continue;
 535             }
 536             if (canuse == S_YES) {
 537                 return new Cipher(null, s, t, transformation, transforms);
 538             } else { // S_MAYBE, try out if it works
 539                 try {
 540                     CipherSpi spi = (CipherSpi)s.newInstance(null);
 541                     tr.setModePadding(spi);
 542                     return new Cipher(spi, s, t, transformation, transforms);
 543                 } catch (Exception e) {
 544                     failure = e;
 545                 }
 546             }
 547         }
 548         throw new NoSuchAlgorithmException
 549             ("Cannot find any provider supporting " + transformation, failure);
 550     }
 551 
 552     /**
 553      * Returns a {@code Cipher} object that implements the specified
 554      * transformation.
 555      *
 556      * <p> A new Cipher object encapsulating the
 557      * CipherSpi implementation from the specified provider
 558      * is returned.  The specified provider must be registered
 559      * in the security provider list.
 560      *
 561      * <p> Note that the list of registered providers may be retrieved via
 562      * the {@link Security#getProviders() Security.getProviders()} method.
 563      *
 564      * @param transformation the name of the transformation,
 565      * e.g., <i>DES/CBC/PKCS5Padding</i>.
 566      * See the Cipher section in the <a href=
 567      *   "{@docRoot}/../technotes/guides/security/StandardNames.html#Cipher">
 568      * Java Cryptography Architecture Standard Algorithm Name Documentation</a>
 569      * for information about standard transformation names.
 570      *
 571      * @param provider the name of the provider.
 572      *
 573      * @return a cipher that implements the requested transformation.
 574      *
 575      * @exception NoSuchAlgorithmException if {@code transformation}
 576      *          is null, empty, in an invalid format,
 577      *          or if a CipherSpi implementation for the specified algorithm
 578      *          is not available from the specified provider.
 579      *
 580      * @exception NoSuchProviderException if the specified provider is not
 581      *          registered in the security provider list.
 582      *
 583      * @exception NoSuchPaddingException if {@code transformation}
 584      *          contains a padding scheme that is not available.
 585      *
 586      * @exception IllegalArgumentException if the {@code provider}
 587      *          is null or empty.
 588      *
 589      * @see java.security.Provider
 590      */
 591     public static final Cipher getInstance(String transformation,
 592                                            String provider)
 593             throws NoSuchAlgorithmException, NoSuchProviderException,
 594             NoSuchPaddingException
 595     {
 596         if ((provider == null) || (provider.length() == 0)) {
 597             throw new IllegalArgumentException("Missing provider");
 598         }
 599         Provider p = Security.getProvider(provider);
 600         if (p == null) {
 601             throw new NoSuchProviderException("No such provider: " +
 602                                               provider);
 603         }
 604         return getInstance(transformation, p);
 605     }
 606 
 607     /**
 608      * Returns a {@code Cipher} object that implements the specified
 609      * transformation.
 610      *
 611      * <p> A new Cipher object encapsulating the
 612      * CipherSpi implementation from the specified Provider
 613      * object is returned.  Note that the specified Provider object
 614      * does not have to be registered in the provider list.
 615      *
 616      * @param transformation the name of the transformation,
 617      * e.g., <i>DES/CBC/PKCS5Padding</i>.
 618      * See the Cipher section in the <a href=
 619      *   "{@docRoot}/../technotes/guides/security/StandardNames.html#Cipher">
 620      * Java Cryptography Architecture Standard Algorithm Name Documentation</a>
 621      * for information about standard transformation names.
 622      *
 623      * @param provider the provider.
 624      *
 625      * @return a cipher that implements the requested transformation.
 626      *
 627      * @exception NoSuchAlgorithmException if {@code transformation}
 628      *          is null, empty, in an invalid format,
 629      *          or if a CipherSpi implementation for the specified algorithm
 630      *          is not available from the specified Provider object.
 631      *
 632      * @exception NoSuchPaddingException if {@code transformation}
 633      *          contains a padding scheme that is not available.
 634      *
 635      * @exception IllegalArgumentException if the {@code provider}
 636      *          is null.
 637      *
 638      * @see java.security.Provider
 639      */
 640     public static final Cipher getInstance(String transformation,
 641                                            Provider provider)
 642             throws NoSuchAlgorithmException, NoSuchPaddingException
 643     {
 644         if (provider == null) {
 645             throw new IllegalArgumentException("Missing provider");
 646         }
 647         Exception failure = null;
 648         List<Transform> transforms = getTransforms(transformation);
 649         boolean providerChecked = false;
 650         String paddingError = null;
 651         for (Transform tr : transforms) {
 652             Service s = provider.getService("Cipher", tr.transform);
 653             if (s == null) {
 654                 continue;
 655             }
 656             if (providerChecked == false) {
 657                 // for compatibility, first do the lookup and then verify
 658                 // the provider. this makes the difference between a NSAE
 659                 // and a SecurityException if the
 660                 // provider does not support the algorithm.
 661                 Exception ve = JceSecurity.getVerificationResult(provider);
 662                 if (ve != null) {
 663                     String msg = "JCE cannot authenticate the provider "
 664                         + provider.getName();
 665                     throw new SecurityException(msg, ve);
 666                 }
 667                 providerChecked = true;
 668             }
 669             if (tr.supportsMode(s) == S_NO) {
 670                 continue;
 671             }
 672             if (tr.supportsPadding(s) == S_NO) {
 673                 paddingError = tr.pad;
 674                 continue;
 675             }
 676             try {
 677                 CipherSpi spi = (CipherSpi)s.newInstance(null);
 678                 tr.setModePadding(spi);
 679                 Cipher cipher = new Cipher(spi, transformation);
 680                 cipher.provider = s.getProvider();
 681                 cipher.initCryptoPermission();
 682                 return cipher;
 683             } catch (Exception e) {
 684                 failure = e;
 685             }
 686         }
 687 
 688         // throw NoSuchPaddingException if the problem is with padding
 689         if (failure instanceof NoSuchPaddingException) {
 690             throw (NoSuchPaddingException)failure;
 691         }
 692         if (paddingError != null) {
 693             throw new NoSuchPaddingException
 694                 ("Padding not supported: " + paddingError);
 695         }
 696         throw new NoSuchAlgorithmException
 697                 ("No such algorithm: " + transformation, failure);
 698     }
 699 
 700     // If the requested crypto service is export-controlled,
 701     // determine the maximum allowable keysize.
 702     private void initCryptoPermission() throws NoSuchAlgorithmException {
 703         if (JceSecurity.isRestricted() == false) {
 704             cryptoPerm = CryptoAllPermission.INSTANCE;
 705             exmech = null;
 706             return;
 707         }
 708         cryptoPerm = getConfiguredPermission(transformation);
 709         // Instantiate the exemption mechanism (if required)
 710         String exmechName = cryptoPerm.getExemptionMechanism();
 711         if (exmechName != null) {
 712             exmech = ExemptionMechanism.getInstance(exmechName);
 713         }
 714     }
 715 
 716     // max number of debug warnings to print from chooseFirstProvider()
 717     private static int warnCount = 10;
 718 
 719     /**
 720      * Choose the Spi from the first provider available. Used if
 721      * delayed provider selection is not possible because init()
 722      * is not the first method called.
 723      */
 724     void chooseFirstProvider() {
 725         if (spi != null) {
 726             return;
 727         }
 728         synchronized (lock) {
 729             if (spi != null) {
 730                 return;
 731             }
 732             if (debug != null) {
 733                 int w = --warnCount;
 734                 if (w >= 0) {
 735                     debug.println("Cipher.init() not first method "
 736                         + "called, disabling delayed provider selection");
 737                     if (w == 0) {
 738                         debug.println("Further warnings of this type will "
 739                             + "be suppressed");
 740                     }
 741                     new Exception("Call trace").printStackTrace();
 742                 }
 743             }
 744             Exception lastException = null;
 745             while ((firstService != null) || serviceIterator.hasNext()) {
 746                 Service s;
 747                 CipherSpi thisSpi;
 748                 if (firstService != null) {
 749                     s = firstService;
 750                     thisSpi = firstSpi;
 751                     firstService = null;
 752                     firstSpi = null;
 753                 } else {
 754                     s = serviceIterator.next();
 755                     thisSpi = null;
 756                 }
 757                 if (JceSecurity.canUseProvider(s.getProvider()) == false) {
 758                     continue;
 759                 }
 760                 Transform tr = getTransform(s, transforms);
 761                 if (tr == null) {
 762                     // should never happen
 763                     continue;
 764                 }
 765                 if (tr.supportsModePadding(s) == S_NO) {
 766                     continue;
 767                 }
 768                 try {
 769                     if (thisSpi == null) {
 770                         Object obj = s.newInstance(null);
 771                         if (obj instanceof CipherSpi == false) {
 772                             continue;
 773                         }
 774                         thisSpi = (CipherSpi)obj;
 775                     }
 776                     tr.setModePadding(thisSpi);
 777                     initCryptoPermission();
 778                     spi = thisSpi;
 779                     provider = s.getProvider();
 780                     // not needed any more
 781                     firstService = null;
 782                     serviceIterator = null;
 783                     transforms = null;
 784                     return;
 785                 } catch (Exception e) {
 786                     lastException = e;
 787                 }
 788             }
 789             ProviderException e = new ProviderException
 790                     ("Could not construct CipherSpi instance");
 791             if (lastException != null) {
 792                 e.initCause(lastException);
 793             }
 794             throw e;
 795         }
 796     }
 797 
 798     private static final int I_KEY       = 1;
 799     private static final int I_PARAMSPEC = 2;
 800     private static final int I_PARAMS    = 3;
 801     private static final int I_CERT      = 4;
 802 
 803     private void implInit(CipherSpi thisSpi, int type, int opmode, Key key,
 804             AlgorithmParameterSpec paramSpec, AlgorithmParameters params,
 805             SecureRandom random) throws InvalidKeyException,
 806             InvalidAlgorithmParameterException {
 807         switch (type) {
 808         case I_KEY:
 809             checkCryptoPerm(thisSpi, key);
 810             thisSpi.engineInit(opmode, key, random);
 811             break;
 812         case I_PARAMSPEC:
 813             checkCryptoPerm(thisSpi, key, paramSpec);
 814             thisSpi.engineInit(opmode, key, paramSpec, random);
 815             break;
 816         case I_PARAMS:
 817             checkCryptoPerm(thisSpi, key, params);
 818             thisSpi.engineInit(opmode, key, params, random);
 819             break;
 820         case I_CERT:
 821             checkCryptoPerm(thisSpi, key);
 822             thisSpi.engineInit(opmode, key, random);
 823             break;
 824         default:
 825             throw new AssertionError("Internal Cipher error: " + type);
 826         }
 827     }
 828 
 829     private void chooseProvider(int initType, int opmode, Key key,
 830             AlgorithmParameterSpec paramSpec,
 831             AlgorithmParameters params, SecureRandom random)
 832             throws InvalidKeyException, InvalidAlgorithmParameterException {
 833         synchronized (lock) {
 834             if (spi != null) {
 835                 implInit(spi, initType, opmode, key, paramSpec, params, random);
 836                 return;
 837             }
 838             Exception lastException = null;
 839             while ((firstService != null) || serviceIterator.hasNext()) {
 840                 Service s;
 841                 CipherSpi thisSpi;
 842                 if (firstService != null) {
 843                     s = firstService;
 844                     thisSpi = firstSpi;
 845                     firstService = null;
 846                     firstSpi = null;
 847                 } else {
 848                     s = serviceIterator.next();
 849                     thisSpi = null;
 850                 }
 851                 // if provider says it does not support this key, ignore it
 852                 if (s.supportsParameter(key) == false) {
 853                     continue;
 854                 }
 855                 if (JceSecurity.canUseProvider(s.getProvider()) == false) {
 856                     continue;
 857                 }
 858                 Transform tr = getTransform(s, transforms);
 859                 if (tr == null) {
 860                     // should never happen
 861                     continue;
 862                 }
 863                 if (tr.supportsModePadding(s) == S_NO) {
 864                     continue;
 865                 }
 866                 try {
 867                     if (thisSpi == null) {
 868                         thisSpi = (CipherSpi)s.newInstance(null);
 869                     }
 870                     tr.setModePadding(thisSpi);
 871                     initCryptoPermission();
 872                     implInit(thisSpi, initType, opmode, key, paramSpec,
 873                                                         params, random);
 874                     provider = s.getProvider();
 875                     this.spi = thisSpi;
 876                     firstService = null;
 877                     serviceIterator = null;
 878                     transforms = null;
 879                     return;
 880                 } catch (Exception e) {
 881                     // NoSuchAlgorithmException from newInstance()
 882                     // InvalidKeyException from init()
 883                     // RuntimeException (ProviderException) from init()
 884                     // SecurityException from crypto permission check
 885                     if (lastException == null) {
 886                         lastException = e;
 887                     }
 888                 }
 889             }
 890             // no working provider found, fail
 891             if (lastException instanceof InvalidKeyException) {
 892                 throw (InvalidKeyException)lastException;
 893             }
 894             if (lastException instanceof InvalidAlgorithmParameterException) {
 895                 throw (InvalidAlgorithmParameterException)lastException;
 896             }
 897             if (lastException instanceof RuntimeException) {
 898                 throw (RuntimeException)lastException;
 899             }
 900             String kName = (key != null) ? key.getClass().getName() : "(null)";
 901             throw new InvalidKeyException
 902                 ("No installed provider supports this key: "
 903                 + kName, lastException);
 904         }
 905     }
 906 
 907     /**
 908      * Returns the provider of this {@code Cipher} object.
 909      *
 910      * @return the provider of this {@code Cipher} object
 911      */
 912     public final Provider getProvider() {
 913         chooseFirstProvider();
 914         return this.provider;
 915     }
 916 
 917     /**
 918      * Returns the algorithm name of this {@code Cipher} object.
 919      *
 920      * <p>This is the same name that was specified in one of the
 921      * {@code getInstance} calls that created this {@code Cipher}
 922      * object..
 923      *
 924      * @return the algorithm name of this {@code Cipher} object.
 925      */
 926     public final String getAlgorithm() {
 927         return this.transformation;
 928     }
 929 
 930     /**
 931      * Returns the block size (in bytes).
 932      *
 933      * @return the block size (in bytes), or 0 if the underlying algorithm is
 934      * not a block cipher
 935      */
 936     public final int getBlockSize() {
 937         chooseFirstProvider();
 938         return spi.engineGetBlockSize();
 939     }
 940 
 941     /**
 942      * Returns the length in bytes that an output buffer would need to be in
 943      * order to hold the result of the next {@code update} or
 944      * {@code doFinal} operation, given the input length
 945      * {@code inputLen} (in bytes).
 946      *
 947      * <p>This call takes into account any unprocessed (buffered) data from a
 948      * previous {@code update} call, padding, and AEAD tagging.
 949      *
 950      * <p>The actual output length of the next {@code update} or
 951      * {@code doFinal} call may be smaller than the length returned by
 952      * this method.
 953      *
 954      * @param inputLen the input length (in bytes)
 955      *
 956      * @return the required output buffer size (in bytes)
 957      *
 958      * @exception IllegalStateException if this cipher is in a wrong state
 959      * (e.g., has not yet been initialized)
 960      */
 961     public final int getOutputSize(int inputLen) {
 962 
 963         if (!initialized && !(this instanceof NullCipher)) {
 964             throw new IllegalStateException("Cipher not initialized");
 965         }
 966         if (inputLen < 0) {
 967             throw new IllegalArgumentException("Input size must be equal " +
 968                                                "to or greater than zero");
 969         }
 970         chooseFirstProvider();
 971         return spi.engineGetOutputSize(inputLen);
 972     }
 973 
 974     /**
 975      * Returns the initialization vector (IV) in a new buffer.
 976      *
 977      * <p>This is useful in the case where a random IV was created,
 978      * or in the context of password-based encryption or
 979      * decryption, where the IV is derived from a user-supplied password.
 980      *
 981      * @return the initialization vector in a new buffer, or null if the
 982      * underlying algorithm does not use an IV, or if the IV has not yet
 983      * been set.
 984      */
 985     public final byte[] getIV() {
 986         chooseFirstProvider();
 987         return spi.engineGetIV();
 988     }
 989 
 990     /**
 991      * Returns the parameters used with this cipher.
 992      *
 993      * <p>The returned parameters may be the same that were used to initialize
 994      * this cipher, or may contain a combination of default and random
 995      * parameter values used by the underlying cipher implementation if this
 996      * cipher requires algorithm parameters but was not initialized with any.
 997      *
 998      * @return the parameters used with this cipher, or null if this cipher
 999      * does not use any parameters.
1000      */
1001     public final AlgorithmParameters getParameters() {
1002         chooseFirstProvider();
1003         return spi.engineGetParameters();
1004     }
1005 
1006     /**
1007      * Returns the exemption mechanism object used with this cipher.
1008      *
1009      * @return the exemption mechanism object used with this cipher, or
1010      * null if this cipher does not use any exemption mechanism.
1011      */
1012     public final ExemptionMechanism getExemptionMechanism() {
1013         chooseFirstProvider();
1014         return exmech;
1015     }
1016 
1017     //
1018     // Crypto permission check code below
1019     //
1020     private void checkCryptoPerm(CipherSpi checkSpi, Key key)
1021             throws InvalidKeyException {
1022         if (cryptoPerm == CryptoAllPermission.INSTANCE) {
1023             return;
1024         }
1025         // Check if key size and default parameters are within legal limits
1026         AlgorithmParameterSpec params;
1027         try {
1028             params = getAlgorithmParameterSpec(checkSpi.engineGetParameters());
1029         } catch (InvalidParameterSpecException ipse) {
1030             throw new InvalidKeyException
1031                 ("Unsupported default algorithm parameters");
1032         }
1033         if (!passCryptoPermCheck(checkSpi, key, params)) {
1034             throw new InvalidKeyException(
1035                 "Illegal key size or default parameters");
1036         }
1037     }
1038 
1039     private void checkCryptoPerm(CipherSpi checkSpi, Key key,
1040             AlgorithmParameterSpec params) throws InvalidKeyException,
1041             InvalidAlgorithmParameterException {
1042         if (cryptoPerm == CryptoAllPermission.INSTANCE) {
1043             return;
1044         }
1045         // Determine keysize and check if it is within legal limits
1046         if (!passCryptoPermCheck(checkSpi, key, null)) {
1047             throw new InvalidKeyException("Illegal key size");
1048         }
1049         if ((params != null) && (!passCryptoPermCheck(checkSpi, key, params))) {
1050             throw new InvalidAlgorithmParameterException("Illegal parameters");
1051         }
1052     }
1053 
1054     private void checkCryptoPerm(CipherSpi checkSpi, Key key,
1055             AlgorithmParameters params)
1056             throws InvalidKeyException, InvalidAlgorithmParameterException {
1057         if (cryptoPerm == CryptoAllPermission.INSTANCE) {
1058             return;
1059         }
1060         // Convert the specified parameters into specs and then delegate.
1061         AlgorithmParameterSpec pSpec;
1062         try {
1063             pSpec = getAlgorithmParameterSpec(params);
1064         } catch (InvalidParameterSpecException ipse) {
1065             throw new InvalidAlgorithmParameterException
1066                 ("Failed to retrieve algorithm parameter specification");
1067         }
1068         checkCryptoPerm(checkSpi, key, pSpec);
1069     }
1070 
1071     private boolean passCryptoPermCheck(CipherSpi checkSpi, Key key,
1072                                         AlgorithmParameterSpec params)
1073             throws InvalidKeyException {
1074         String em = cryptoPerm.getExemptionMechanism();
1075         int keySize = checkSpi.engineGetKeySize(key);
1076         // Use the "algorithm" component of the cipher
1077         // transformation so that the perm check would
1078         // work when the key has the "aliased" algo.
1079         String algComponent;
1080         int index = transformation.indexOf('/');
1081         if (index != -1) {
1082             algComponent = transformation.substring(0, index);
1083         } else {
1084             algComponent = transformation;
1085         }
1086         CryptoPermission checkPerm =
1087             new CryptoPermission(algComponent, keySize, params, em);
1088 
1089         if (!cryptoPerm.implies(checkPerm)) {
1090             if (debug != null) {
1091                 debug.println("Crypto Permission check failed");
1092                 debug.println("granted: " + cryptoPerm);
1093                 debug.println("requesting: " + checkPerm);
1094             }
1095             return false;
1096         }
1097         if (exmech == null) {
1098             return true;
1099         }
1100         try {
1101             if (!exmech.isCryptoAllowed(key)) {
1102                 if (debug != null) {
1103                     debug.println(exmech.getName() + " isn't enforced");
1104                 }
1105                 return false;
1106             }
1107         } catch (ExemptionMechanismException eme) {
1108             if (debug != null) {
1109                 debug.println("Cannot determine whether "+
1110                               exmech.getName() + " has been enforced");
1111                 eme.printStackTrace();
1112             }
1113             return false;
1114         }
1115         return true;
1116     }
1117 
1118     // check if opmode is one of the defined constants
1119     // throw InvalidParameterExeption if not
1120     private static void checkOpmode(int opmode) {
1121         if ((opmode < ENCRYPT_MODE) || (opmode > UNWRAP_MODE)) {
1122             throw new InvalidParameterException("Invalid operation mode");
1123         }
1124     }
1125 
1126     private static String getOpmodeString(int opmode) {
1127         switch (opmode) {
1128             case ENCRYPT_MODE:
1129                 return "encryption";
1130             case DECRYPT_MODE:
1131                 return "decryption";
1132             case WRAP_MODE:
1133                 return "key wrapping";
1134             case UNWRAP_MODE:
1135                 return "key unwrapping";
1136             default:
1137                 return "";
1138         }
1139     }
1140 
1141     /**
1142      * Initializes this cipher with a key.
1143      *
1144      * <p>The cipher is initialized for one of the following four operations:
1145      * encryption, decryption, key wrapping or key unwrapping, depending
1146      * on the value of {@code opmode}.
1147      *
1148      * <p>If this cipher requires any algorithm parameters that cannot be
1149      * derived from the given {@code key}, the underlying cipher
1150      * implementation is supposed to generate the required parameters itself
1151      * (using provider-specific default or random values) if it is being
1152      * initialized for encryption or key wrapping, and raise an
1153      * {@code InvalidKeyException} if it is being
1154      * initialized for decryption or key unwrapping.
1155      * The generated parameters can be retrieved using
1156      * {@link #getParameters() getParameters} or
1157      * {@link #getIV() getIV} (if the parameter is an IV).
1158      *
1159      * <p>If this cipher requires algorithm parameters that cannot be
1160      * derived from the input parameters, and there are no reasonable
1161      * provider-specific default values, initialization will
1162      * necessarily fail.
1163      *
1164      * <p>If this cipher (including its underlying feedback or padding scheme)
1165      * requires any random bytes (e.g., for parameter generation), it will get
1166      * them using the {@link java.security.SecureRandom}
1167      * implementation of the highest-priority
1168      * installed provider as the source of randomness.
1169      * (If none of the installed providers supply an implementation of
1170      * SecureRandom, a system-provided source of randomness will be used.)
1171      *
1172      * <p>Note that when a Cipher object is initialized, it loses all
1173      * previously-acquired state. In other words, initializing a Cipher is
1174      * equivalent to creating a new instance of that Cipher and initializing
1175      * it.
1176      *
1177      * @param opmode the operation mode of this cipher (this is one of
1178      * the following:
1179      * {@code ENCRYPT_MODE}, {@code DECRYPT_MODE},
1180      * {@code WRAP_MODE} or {@code UNWRAP_MODE})
1181      * @param key the key
1182      *
1183      * @exception InvalidKeyException if the given key is inappropriate for
1184      * initializing this cipher, or requires
1185      * algorithm parameters that cannot be
1186      * determined from the given key, or if the given key has a keysize that
1187      * exceeds the maximum allowable keysize (as determined from the
1188      * configured jurisdiction policy files).
1189      * @throws UnsupportedOperationException if {@code opmode} is
1190      * {@code WRAP_MODE} or {@code UNWRAP_MODE} but the mode is not implemented
1191      * by the underlying {@code CipherSpi}.
1192      */
1193     public final void init(int opmode, Key key) throws InvalidKeyException {
1194         init(opmode, key, JceSecurity.RANDOM);
1195     }
1196 
1197     /**
1198      * Initializes this cipher with a key and a source of randomness.
1199      *
1200      * <p>The cipher is initialized for one of the following four operations:
1201      * encryption, decryption, key wrapping or  key unwrapping, depending
1202      * on the value of {@code opmode}.
1203      *
1204      * <p>If this cipher requires any algorithm parameters that cannot be
1205      * derived from the given {@code key}, the underlying cipher
1206      * implementation is supposed to generate the required parameters itself
1207      * (using provider-specific default or random values) if it is being
1208      * initialized for encryption or key wrapping, and raise an
1209      * {@code InvalidKeyException} if it is being
1210      * initialized for decryption or key unwrapping.
1211      * The generated parameters can be retrieved using
1212      * {@link #getParameters() getParameters} or
1213      * {@link #getIV() getIV} (if the parameter is an IV).
1214      *
1215      * <p>If this cipher requires algorithm parameters that cannot be
1216      * derived from the input parameters, and there are no reasonable
1217      * provider-specific default values, initialization will
1218      * necessarily fail.
1219      *
1220      * <p>If this cipher (including its underlying feedback or padding scheme)
1221      * requires any random bytes (e.g., for parameter generation), it will get
1222      * them from {@code random}.
1223      *
1224      * <p>Note that when a Cipher object is initialized, it loses all
1225      * previously-acquired state. In other words, initializing a Cipher is
1226      * equivalent to creating a new instance of that Cipher and initializing
1227      * it.
1228      *
1229      * @param opmode the operation mode of this cipher (this is one of the
1230      * following:
1231      * {@code ENCRYPT_MODE}, {@code DECRYPT_MODE},
1232      * {@code WRAP_MODE} or {@code UNWRAP_MODE})
1233      * @param key the encryption key
1234      * @param random the source of randomness
1235      *
1236      * @exception InvalidKeyException if the given key is inappropriate for
1237      * initializing this cipher, or requires
1238      * algorithm parameters that cannot be
1239      * determined from the given key, or if the given key has a keysize that
1240      * exceeds the maximum allowable keysize (as determined from the
1241      * configured jurisdiction policy files).
1242      * @throws UnsupportedOperationException if {@code opmode} is
1243      * {@code WRAP_MODE} or {@code UNWRAP_MODE} but the mode is not implemented
1244      * by the underlying {@code CipherSpi}.
1245      */
1246     public final void init(int opmode, Key key, SecureRandom random)
1247             throws InvalidKeyException
1248     {
1249         initialized = false;
1250         checkOpmode(opmode);
1251 
1252         if (spi != null) {
1253             checkCryptoPerm(spi, key);
1254             spi.engineInit(opmode, key, random);
1255         } else {
1256             try {
1257                 chooseProvider(I_KEY, opmode, key, null, null, random);
1258             } catch (InvalidAlgorithmParameterException e) {
1259                 // should never occur
1260                 throw new InvalidKeyException(e);
1261             }
1262         }
1263 
1264         initialized = true;
1265         this.opmode = opmode;
1266 
1267         if (!skipDebug && pdebug != null) {
1268             pdebug.println("Cipher." + transformation + " " +
1269                 getOpmodeString(opmode) + " algorithm from: " +
1270                 this.provider.getName());
1271         }
1272     }
1273 
1274     /**
1275      * Initializes this cipher with a key and a set of algorithm
1276      * parameters.
1277      *
1278      * <p>The cipher is initialized for one of the following four operations:
1279      * encryption, decryption, key wrapping or  key unwrapping, depending
1280      * on the value of {@code opmode}.
1281      *
1282      * <p>If this cipher requires any algorithm parameters and
1283      * {@code params} is null, the underlying cipher implementation is
1284      * supposed to generate the required parameters itself (using
1285      * provider-specific default or random values) if it is being
1286      * initialized for encryption or key wrapping, and raise an
1287      * {@code InvalidAlgorithmParameterException} if it is being
1288      * initialized for decryption or key unwrapping.
1289      * The generated parameters can be retrieved using
1290      * {@link #getParameters() getParameters} or
1291      * {@link #getIV() getIV} (if the parameter is an IV).
1292      *
1293      * <p>If this cipher requires algorithm parameters that cannot be
1294      * derived from the input parameters, and there are no reasonable
1295      * provider-specific default values, initialization will
1296      * necessarily fail.
1297      *
1298      * <p>If this cipher (including its underlying feedback or padding scheme)
1299      * requires any random bytes (e.g., for parameter generation), it will get
1300      * them using the {@link java.security.SecureRandom}
1301      * implementation of the highest-priority
1302      * installed provider as the source of randomness.
1303      * (If none of the installed providers supply an implementation of
1304      * SecureRandom, a system-provided source of randomness will be used.)
1305      *
1306      * <p>Note that when a Cipher object is initialized, it loses all
1307      * previously-acquired state. In other words, initializing a Cipher is
1308      * equivalent to creating a new instance of that Cipher and initializing
1309      * it.
1310      *
1311      * @param opmode the operation mode of this cipher (this is one of the
1312      * following:
1313      * {@code ENCRYPT_MODE}, {@code DECRYPT_MODE},
1314      * {@code WRAP_MODE} or {@code UNWRAP_MODE})
1315      * @param key the encryption key
1316      * @param params the algorithm parameters
1317      *
1318      * @exception InvalidKeyException if the given key is inappropriate for
1319      * initializing this cipher, or its keysize exceeds the maximum allowable
1320      * keysize (as determined from the configured jurisdiction policy files).
1321      * @exception InvalidAlgorithmParameterException if the given algorithm
1322      * parameters are inappropriate for this cipher,
1323      * or this cipher requires
1324      * algorithm parameters and {@code params} is null, or the given
1325      * algorithm parameters imply a cryptographic strength that would exceed
1326      * the legal limits (as determined from the configured jurisdiction
1327      * policy files).
1328      * @throws UnsupportedOperationException if {@code opmode} is
1329      * {@code WRAP_MODE} or {@code UNWRAP_MODE} but the mode is not implemented
1330      * by the underlying {@code CipherSpi}.
1331      */
1332     public final void init(int opmode, Key key, AlgorithmParameterSpec params)
1333             throws InvalidKeyException, InvalidAlgorithmParameterException
1334     {
1335         init(opmode, key, params, JceSecurity.RANDOM);
1336     }
1337 
1338     /**
1339      * Initializes this cipher with a key, a set of algorithm
1340      * parameters, and a source of randomness.
1341      *
1342      * <p>The cipher is initialized for one of the following four operations:
1343      * encryption, decryption, key wrapping or  key unwrapping, depending
1344      * on the value of {@code opmode}.
1345      *
1346      * <p>If this cipher requires any algorithm parameters and
1347      * {@code params} is null, the underlying cipher implementation is
1348      * supposed to generate the required parameters itself (using
1349      * provider-specific default or random values) if it is being
1350      * initialized for encryption or key wrapping, and raise an
1351      * {@code InvalidAlgorithmParameterException} if it is being
1352      * initialized for decryption or key unwrapping.
1353      * The generated parameters can be retrieved using
1354      * {@link #getParameters() getParameters} or
1355      * {@link #getIV() getIV} (if the parameter is an IV).
1356      *
1357      * <p>If this cipher requires algorithm parameters that cannot be
1358      * derived from the input parameters, and there are no reasonable
1359      * provider-specific default values, initialization will
1360      * necessarily fail.
1361      *
1362      * <p>If this cipher (including its underlying feedback or padding scheme)
1363      * requires any random bytes (e.g., for parameter generation), it will get
1364      * them from {@code random}.
1365      *
1366      * <p>Note that when a Cipher object is initialized, it loses all
1367      * previously-acquired state. In other words, initializing a Cipher is
1368      * equivalent to creating a new instance of that Cipher and initializing
1369      * it.
1370      *
1371      * @param opmode the operation mode of this cipher (this is one of the
1372      * following:
1373      * {@code ENCRYPT_MODE}, {@code DECRYPT_MODE},
1374      * {@code WRAP_MODE} or {@code UNWRAP_MODE})
1375      * @param key the encryption key
1376      * @param params the algorithm parameters
1377      * @param random the source of randomness
1378      *
1379      * @exception InvalidKeyException if the given key is inappropriate for
1380      * initializing this cipher, or its keysize exceeds the maximum allowable
1381      * keysize (as determined from the configured jurisdiction policy files).
1382      * @exception InvalidAlgorithmParameterException if the given algorithm
1383      * parameters are inappropriate for this cipher,
1384      * or this cipher requires
1385      * algorithm parameters and {@code params} is null, or the given
1386      * algorithm parameters imply a cryptographic strength that would exceed
1387      * the legal limits (as determined from the configured jurisdiction
1388      * policy files).
1389      * @throws UnsupportedOperationException if {@code opmode} is
1390      * {@code WRAP_MODE} or {@code UNWRAP_MODE} but the mode is not implemented
1391      * by the underlying {@code CipherSpi}.
1392      */
1393     public final void init(int opmode, Key key, AlgorithmParameterSpec params,
1394                            SecureRandom random)
1395             throws InvalidKeyException, InvalidAlgorithmParameterException
1396     {
1397         initialized = false;
1398         checkOpmode(opmode);
1399 
1400         if (spi != null) {
1401             checkCryptoPerm(spi, key, params);
1402             spi.engineInit(opmode, key, params, random);
1403         } else {
1404             chooseProvider(I_PARAMSPEC, opmode, key, params, null, random);
1405         }
1406 
1407         initialized = true;
1408         this.opmode = opmode;
1409 
1410         if (!skipDebug && pdebug != null) {
1411             pdebug.println("Cipher." + transformation + " " +
1412                 getOpmodeString(opmode) + " algorithm from: " +
1413                 this.provider.getName());
1414         }
1415     }
1416 
1417     /**
1418      * Initializes this cipher with a key and a set of algorithm
1419      * parameters.
1420      *
1421      * <p>The cipher is initialized for one of the following four operations:
1422      * encryption, decryption, key wrapping or  key unwrapping, depending
1423      * on the value of {@code opmode}.
1424      *
1425      * <p>If this cipher requires any algorithm parameters and
1426      * {@code params} is null, the underlying cipher implementation is
1427      * supposed to generate the required parameters itself (using
1428      * provider-specific default or random values) if it is being
1429      * initialized for encryption or key wrapping, and raise an
1430      * {@code InvalidAlgorithmParameterException} if it is being
1431      * initialized for decryption or key unwrapping.
1432      * The generated parameters can be retrieved using
1433      * {@link #getParameters() getParameters} or
1434      * {@link #getIV() getIV} (if the parameter is an IV).
1435      *
1436      * <p>If this cipher requires algorithm parameters that cannot be
1437      * derived from the input parameters, and there are no reasonable
1438      * provider-specific default values, initialization will
1439      * necessarily fail.
1440      *
1441      * <p>If this cipher (including its underlying feedback or padding scheme)
1442      * requires any random bytes (e.g., for parameter generation), it will get
1443      * them using the {@link java.security.SecureRandom}
1444      * implementation of the highest-priority
1445      * installed provider as the source of randomness.
1446      * (If none of the installed providers supply an implementation of
1447      * SecureRandom, a system-provided source of randomness will be used.)
1448      *
1449      * <p>Note that when a Cipher object is initialized, it loses all
1450      * previously-acquired state. In other words, initializing a Cipher is
1451      * equivalent to creating a new instance of that Cipher and initializing
1452      * it.
1453      *
1454      * @param opmode the operation mode of this cipher (this is one of the
1455      * following: {@code ENCRYPT_MODE},
1456      * {@code DECRYPT_MODE}, {@code WRAP_MODE}
1457      * or {@code UNWRAP_MODE})
1458      * @param key the encryption key
1459      * @param params the algorithm parameters
1460      *
1461      * @exception InvalidKeyException if the given key is inappropriate for
1462      * initializing this cipher, or its keysize exceeds the maximum allowable
1463      * keysize (as determined from the configured jurisdiction policy files).
1464      * @exception InvalidAlgorithmParameterException if the given algorithm
1465      * parameters are inappropriate for this cipher,
1466      * or this cipher requires
1467      * algorithm parameters and {@code params} is null, or the given
1468      * algorithm parameters imply a cryptographic strength that would exceed
1469      * the legal limits (as determined from the configured jurisdiction
1470      * policy files).
1471      * @throws UnsupportedOperationException if {@code opmode} is
1472      * {@code WRAP_MODE} or {@code UNWRAP_MODE} but the mode is not implemented
1473      * by the underlying {@code CipherSpi}.
1474      */
1475     public final void init(int opmode, Key key, AlgorithmParameters params)
1476             throws InvalidKeyException, InvalidAlgorithmParameterException
1477     {
1478         init(opmode, key, params, JceSecurity.RANDOM);
1479     }
1480 
1481     /**
1482      * Initializes this cipher with a key, a set of algorithm
1483      * parameters, and a source of randomness.
1484      *
1485      * <p>The cipher is initialized for one of the following four operations:
1486      * encryption, decryption, key wrapping or  key unwrapping, depending
1487      * on the value of {@code opmode}.
1488      *
1489      * <p>If this cipher requires any algorithm parameters and
1490      * {@code params} is null, the underlying cipher implementation is
1491      * supposed to generate the required parameters itself (using
1492      * provider-specific default or random values) if it is being
1493      * initialized for encryption or key wrapping, and raise an
1494      * {@code InvalidAlgorithmParameterException} if it is being
1495      * initialized for decryption or key unwrapping.
1496      * The generated parameters can be retrieved using
1497      * {@link #getParameters() getParameters} or
1498      * {@link #getIV() getIV} (if the parameter is an IV).
1499      *
1500      * <p>If this cipher requires algorithm parameters that cannot be
1501      * derived from the input parameters, and there are no reasonable
1502      * provider-specific default values, initialization will
1503      * necessarily fail.
1504      *
1505      * <p>If this cipher (including its underlying feedback or padding scheme)
1506      * requires any random bytes (e.g., for parameter generation), it will get
1507      * them from {@code random}.
1508      *
1509      * <p>Note that when a Cipher object is initialized, it loses all
1510      * previously-acquired state. In other words, initializing a Cipher is
1511      * equivalent to creating a new instance of that Cipher and initializing
1512      * it.
1513      *
1514      * @param opmode the operation mode of this cipher (this is one of the
1515      * following: {@code ENCRYPT_MODE},
1516      * {@code DECRYPT_MODE}, {@code WRAP_MODE}
1517      * or {@code UNWRAP_MODE})
1518      * @param key the encryption key
1519      * @param params the algorithm parameters
1520      * @param random the source of randomness
1521      *
1522      * @exception InvalidKeyException if the given key is inappropriate for
1523      * initializing this cipher, or its keysize exceeds the maximum allowable
1524      * keysize (as determined from the configured jurisdiction policy files).
1525      * @exception InvalidAlgorithmParameterException if the given algorithm
1526      * parameters are inappropriate for this cipher,
1527      * or this cipher requires
1528      * algorithm parameters and {@code params} is null, or the given
1529      * algorithm parameters imply a cryptographic strength that would exceed
1530      * the legal limits (as determined from the configured jurisdiction
1531      * policy files).
1532      * @throws UnsupportedOperationException if {@code opmode} is
1533      * {@code WRAP_MODE} or {@code UNWRAP_MODE} but the mode is not implemented
1534      * by the underlying {@code CipherSpi}.
1535      */
1536     public final void init(int opmode, Key key, AlgorithmParameters params,
1537                            SecureRandom random)
1538             throws InvalidKeyException, InvalidAlgorithmParameterException
1539     {
1540         initialized = false;
1541         checkOpmode(opmode);
1542 
1543         if (spi != null) {
1544             checkCryptoPerm(spi, key, params);
1545             spi.engineInit(opmode, key, params, random);
1546         } else {
1547             chooseProvider(I_PARAMS, opmode, key, null, params, random);
1548         }
1549 
1550         initialized = true;
1551         this.opmode = opmode;
1552 
1553         if (!skipDebug && pdebug != null) {
1554             pdebug.println("Cipher." + transformation + " " +
1555                 getOpmodeString(opmode) + " algorithm from: " +
1556                 this.provider.getName());
1557         }
1558     }
1559 
1560     /**
1561      * Initializes this cipher with the public key from the given certificate.
1562      * <p> The cipher is initialized for one of the following four operations:
1563      * encryption, decryption, key wrapping or  key unwrapping, depending
1564      * on the value of {@code opmode}.
1565      *
1566      * <p>If the certificate is of type X.509 and has a <i>key usage</i>
1567      * extension field marked as critical, and the value of the <i>key usage</i>
1568      * extension field implies that the public key in
1569      * the certificate and its corresponding private key are not
1570      * supposed to be used for the operation represented by the value
1571      * of {@code opmode},
1572      * an {@code InvalidKeyException}
1573      * is thrown.
1574      *
1575      * <p> If this cipher requires any algorithm parameters that cannot be
1576      * derived from the public key in the given certificate, the underlying
1577      * cipher
1578      * implementation is supposed to generate the required parameters itself
1579      * (using provider-specific default or random values) if it is being
1580      * initialized for encryption or key wrapping, and raise an
1581      * {@code InvalidKeyException} if it is being initialized for decryption or
1582      * key unwrapping.
1583      * The generated parameters can be retrieved using
1584      * {@link #getParameters() getParameters} or
1585      * {@link #getIV() getIV} (if the parameter is an IV).
1586      *
1587      * <p>If this cipher requires algorithm parameters that cannot be
1588      * derived from the input parameters, and there are no reasonable
1589      * provider-specific default values, initialization will
1590      * necessarily fail.
1591      *
1592      * <p>If this cipher (including its underlying feedback or padding scheme)
1593      * requires any random bytes (e.g., for parameter generation), it will get
1594      * them using the
1595      * {@code SecureRandom}
1596      * implementation of the highest-priority
1597      * installed provider as the source of randomness.
1598      * (If none of the installed providers supply an implementation of
1599      * SecureRandom, a system-provided source of randomness will be used.)
1600      *
1601      * <p>Note that when a Cipher object is initialized, it loses all
1602      * previously-acquired state. In other words, initializing a Cipher is
1603      * equivalent to creating a new instance of that Cipher and initializing
1604      * it.
1605      *
1606      * @param opmode the operation mode of this cipher (this is one of the
1607      * following:
1608      * {@code ENCRYPT_MODE}, {@code DECRYPT_MODE},
1609      * {@code WRAP_MODE} or {@code UNWRAP_MODE})
1610      * @param certificate the certificate
1611      *
1612      * @exception InvalidKeyException if the public key in the given
1613      * certificate is inappropriate for initializing this cipher, or this
1614      * cipher requires algorithm parameters that cannot be determined from the
1615      * public key in the given certificate, or the keysize of the public key
1616      * in the given certificate has a keysize that exceeds the maximum
1617      * allowable keysize (as determined by the configured jurisdiction policy
1618      * files).
1619      * @throws UnsupportedOperationException if {@code opmode} is
1620      * {@code WRAP_MODE} or {@code UNWRAP_MODE} but the mode is not implemented
1621      * by the underlying {@code CipherSpi}.
1622      */
1623     public final void init(int opmode, Certificate certificate)
1624             throws InvalidKeyException
1625     {
1626         init(opmode, certificate, JceSecurity.RANDOM);
1627     }
1628 
1629     /**
1630      * Initializes this cipher with the public key from the given certificate
1631      * and
1632      * a source of randomness.
1633      *
1634      * <p>The cipher is initialized for one of the following four operations:
1635      * encryption, decryption, key wrapping
1636      * or key unwrapping, depending on
1637      * the value of {@code opmode}.
1638      *
1639      * <p>If the certificate is of type X.509 and has a <i>key usage</i>
1640      * extension field marked as critical, and the value of the <i>key usage</i>
1641      * extension field implies that the public key in
1642      * the certificate and its corresponding private key are not
1643      * supposed to be used for the operation represented by the value of
1644      * {@code opmode},
1645      * an {@code InvalidKeyException}
1646      * is thrown.
1647      *
1648      * <p>If this cipher requires any algorithm parameters that cannot be
1649      * derived from the public key in the given {@code certificate},
1650      * the underlying cipher
1651      * implementation is supposed to generate the required parameters itself
1652      * (using provider-specific default or random values) if it is being
1653      * initialized for encryption or key wrapping, and raise an
1654      * {@code InvalidKeyException} if it is being
1655      * initialized for decryption or key unwrapping.
1656      * The generated parameters can be retrieved using
1657      * {@link #getParameters() getParameters} or
1658      * {@link #getIV() getIV} (if the parameter is an IV).
1659      *
1660      * <p>If this cipher requires algorithm parameters that cannot be
1661      * derived from the input parameters, and there are no reasonable
1662      * provider-specific default values, initialization will
1663      * necessarily fail.
1664      *
1665      * <p>If this cipher (including its underlying feedback or padding scheme)
1666      * requires any random bytes (e.g., for parameter generation), it will get
1667      * them from {@code random}.
1668      *
1669      * <p>Note that when a Cipher object is initialized, it loses all
1670      * previously-acquired state. In other words, initializing a Cipher is
1671      * equivalent to creating a new instance of that Cipher and initializing
1672      * it.
1673      *
1674      * @param opmode the operation mode of this cipher (this is one of the
1675      * following:
1676      * {@code ENCRYPT_MODE}, {@code DECRYPT_MODE},
1677      * {@code WRAP_MODE} or {@code UNWRAP_MODE})
1678      * @param certificate the certificate
1679      * @param random the source of randomness
1680      *
1681      * @exception InvalidKeyException if the public key in the given
1682      * certificate is inappropriate for initializing this cipher, or this
1683      * cipher
1684      * requires algorithm parameters that cannot be determined from the
1685      * public key in the given certificate, or the keysize of the public key
1686      * in the given certificate has a keysize that exceeds the maximum
1687      * allowable keysize (as determined by the configured jurisdiction policy
1688      * files).
1689      * @throws UnsupportedOperationException if {@code opmode} is
1690      * {@code WRAP_MODE} or {@code UNWRAP_MODE} but the mode is not implemented
1691      * by the underlying {@code CipherSpi}.
1692      */
1693     public final void init(int opmode, Certificate certificate,
1694                            SecureRandom random)
1695             throws InvalidKeyException
1696     {
1697         initialized = false;
1698         checkOpmode(opmode);
1699 
1700         // Check key usage if the certificate is of
1701         // type X.509.
1702         if (certificate instanceof java.security.cert.X509Certificate) {
1703             // Check whether the cert has a key usage extension
1704             // marked as a critical extension.
1705             X509Certificate cert = (X509Certificate)certificate;
1706             Set<String> critSet = cert.getCriticalExtensionOIDs();
1707 
1708             if (critSet != null && !critSet.isEmpty()
1709                 && critSet.contains(KEY_USAGE_EXTENSION_OID)) {
1710                 boolean[] keyUsageInfo = cert.getKeyUsage();
1711                 // keyUsageInfo[2] is for keyEncipherment;
1712                 // keyUsageInfo[3] is for dataEncipherment.
1713                 if ((keyUsageInfo != null) &&
1714                     (((opmode == Cipher.ENCRYPT_MODE) &&
1715                       (keyUsageInfo.length > 3) &&
1716                       (keyUsageInfo[3] == false)) ||
1717                      ((opmode == Cipher.WRAP_MODE) &&
1718                       (keyUsageInfo.length > 2) &&
1719                       (keyUsageInfo[2] == false)))) {
1720                     throw new InvalidKeyException("Wrong key usage");
1721                 }
1722             }
1723         }
1724 
1725         PublicKey publicKey =
1726             (certificate==null? null:certificate.getPublicKey());
1727 
1728         if (spi != null) {
1729             checkCryptoPerm(spi, publicKey);
1730             spi.engineInit(opmode, publicKey, random);
1731         } else {
1732             try {
1733                 chooseProvider(I_CERT, opmode, publicKey, null, null, random);
1734             } catch (InvalidAlgorithmParameterException e) {
1735                 // should never occur
1736                 throw new InvalidKeyException(e);
1737             }
1738         }
1739 
1740         initialized = true;
1741         this.opmode = opmode;
1742 
1743         if (!skipDebug && pdebug != null) {
1744             pdebug.println("Cipher." + transformation + " " +
1745                 getOpmodeString(opmode) + " algorithm from: " +
1746                 this.provider.getName());
1747         }
1748     }
1749 
1750     /**
1751      * Ensures that Cipher is in a valid state for update() and doFinal()
1752      * calls - should be initialized and in ENCRYPT_MODE or DECRYPT_MODE.
1753      * @throws IllegalStateException if Cipher object is not in valid state.
1754      */
1755     private void checkCipherState() {
1756         if (!(this instanceof NullCipher)) {
1757             if (!initialized) {
1758                 throw new IllegalStateException("Cipher not initialized");
1759             }
1760             if ((opmode != Cipher.ENCRYPT_MODE) &&
1761                 (opmode != Cipher.DECRYPT_MODE)) {
1762                 throw new IllegalStateException("Cipher not initialized " +
1763                                                 "for encryption/decryption");
1764             }
1765         }
1766     }
1767 
1768     /**
1769      * Continues a multiple-part encryption or decryption operation
1770      * (depending on how this cipher was initialized), processing another data
1771      * part.
1772      *
1773      * <p>The bytes in the {@code input} buffer are processed, and the
1774      * result is stored in a new buffer.
1775      *
1776      * <p>If {@code input} has a length of zero, this method returns
1777      * {@code null}.
1778      *
1779      * @param input the input buffer
1780      *
1781      * @return the new buffer with the result, or null if the underlying
1782      * cipher is a block cipher and the input data is too short to result in a
1783      * new block.
1784      *
1785      * @exception IllegalStateException if this cipher is in a wrong state
1786      * (e.g., has not been initialized)
1787      */
1788     public final byte[] update(byte[] input) {
1789         checkCipherState();
1790 
1791         // Input sanity check
1792         if (input == null) {
1793             throw new IllegalArgumentException("Null input buffer");
1794         }
1795 
1796         chooseFirstProvider();
1797         if (input.length == 0) {
1798             return null;
1799         }
1800         return spi.engineUpdate(input, 0, input.length);
1801     }
1802 
1803     /**
1804      * Continues a multiple-part encryption or decryption operation
1805      * (depending on how this cipher was initialized), processing another data
1806      * part.
1807      *
1808      * <p>The first {@code inputLen} bytes in the {@code input}
1809      * buffer, starting at {@code inputOffset} inclusive, are processed,
1810      * and the result is stored in a new buffer.
1811      *
1812      * <p>If {@code inputLen} is zero, this method returns
1813      * {@code null}.
1814      *
1815      * @param input the input buffer
1816      * @param inputOffset the offset in {@code input} where the input
1817      * starts
1818      * @param inputLen the input length
1819      *
1820      * @return the new buffer with the result, or null if the underlying
1821      * cipher is a block cipher and the input data is too short to result in a
1822      * new block.
1823      *
1824      * @exception IllegalStateException if this cipher is in a wrong state
1825      * (e.g., has not been initialized)
1826      */
1827     public final byte[] update(byte[] input, int inputOffset, int inputLen) {
1828         checkCipherState();
1829 
1830         // Input sanity check
1831         if (input == null || inputOffset < 0
1832             || inputLen > (input.length - inputOffset) || inputLen < 0) {
1833             throw new IllegalArgumentException("Bad arguments");
1834         }
1835 
1836         chooseFirstProvider();
1837         if (inputLen == 0) {
1838             return null;
1839         }
1840         return spi.engineUpdate(input, inputOffset, inputLen);
1841     }
1842 
1843     /**
1844      * Continues a multiple-part encryption or decryption operation
1845      * (depending on how this cipher was initialized), processing another data
1846      * part.
1847      *
1848      * <p>The first {@code inputLen} bytes in the {@code input}
1849      * buffer, starting at {@code inputOffset} inclusive, are processed,
1850      * and the result is stored in the {@code output} buffer.
1851      *
1852      * <p>If the {@code output} buffer is too small to hold the result,
1853      * a {@code ShortBufferException} is thrown. In this case, repeat this
1854      * call with a larger output buffer. Use
1855      * {@link #getOutputSize(int) getOutputSize} to determine how big
1856      * the output buffer should be.
1857      *
1858      * <p>If {@code inputLen} is zero, this method returns
1859      * a length of zero.
1860      *
1861      * <p>Note: this method should be copy-safe, which means the
1862      * {@code input} and {@code output} buffers can reference
1863      * the same byte array and no unprocessed input data is overwritten
1864      * when the result is copied into the output buffer.
1865      *
1866      * @param input the input buffer
1867      * @param inputOffset the offset in {@code input} where the input
1868      * starts
1869      * @param inputLen the input length
1870      * @param output the buffer for the result
1871      *
1872      * @return the number of bytes stored in {@code output}
1873      *
1874      * @exception IllegalStateException if this cipher is in a wrong state
1875      * (e.g., has not been initialized)
1876      * @exception ShortBufferException if the given output buffer is too small
1877      * to hold the result
1878      */
1879     public final int update(byte[] input, int inputOffset, int inputLen,
1880                             byte[] output)
1881             throws ShortBufferException {
1882         checkCipherState();
1883 
1884         // Input sanity check
1885         if (input == null || inputOffset < 0
1886             || inputLen > (input.length - inputOffset) || inputLen < 0) {
1887             throw new IllegalArgumentException("Bad arguments");
1888         }
1889 
1890         chooseFirstProvider();
1891         if (inputLen == 0) {
1892             return 0;
1893         }
1894         return spi.engineUpdate(input, inputOffset, inputLen,
1895                                       output, 0);
1896     }
1897 
1898     /**
1899      * Continues a multiple-part encryption or decryption operation
1900      * (depending on how this cipher was initialized), processing another data
1901      * part.
1902      *
1903      * <p>The first {@code inputLen} bytes in the {@code input}
1904      * buffer, starting at {@code inputOffset} inclusive, are processed,
1905      * and the result is stored in the {@code output} buffer, starting at
1906      * {@code outputOffset} inclusive.
1907      *
1908      * <p>If the {@code output} buffer is too small to hold the result,
1909      * a {@code ShortBufferException} is thrown. In this case, repeat this
1910      * call with a larger output buffer. Use
1911      * {@link #getOutputSize(int) getOutputSize} to determine how big
1912      * the output buffer should be.
1913      *
1914      * <p>If {@code inputLen} is zero, this method returns
1915      * a length of zero.
1916      *
1917      * <p>Note: this method should be copy-safe, which means the
1918      * {@code input} and {@code output} buffers can reference
1919      * the same byte array and no unprocessed input data is overwritten
1920      * when the result is copied into the output buffer.
1921      *
1922      * @param input the input buffer
1923      * @param inputOffset the offset in {@code input} where the input
1924      * starts
1925      * @param inputLen the input length
1926      * @param output the buffer for the result
1927      * @param outputOffset the offset in {@code output} where the result
1928      * is stored
1929      *
1930      * @return the number of bytes stored in {@code output}
1931      *
1932      * @exception IllegalStateException if this cipher is in a wrong state
1933      * (e.g., has not been initialized)
1934      * @exception ShortBufferException if the given output buffer is too small
1935      * to hold the result
1936      */
1937     public final int update(byte[] input, int inputOffset, int inputLen,
1938                             byte[] output, int outputOffset)
1939             throws ShortBufferException {
1940         checkCipherState();
1941 
1942         // Input sanity check
1943         if (input == null || inputOffset < 0
1944             || inputLen > (input.length - inputOffset) || inputLen < 0
1945             || outputOffset < 0) {
1946             throw new IllegalArgumentException("Bad arguments");
1947         }
1948 
1949         chooseFirstProvider();
1950         if (inputLen == 0) {
1951             return 0;
1952         }
1953         return spi.engineUpdate(input, inputOffset, inputLen,
1954                                       output, outputOffset);
1955     }
1956 
1957     /**
1958      * Continues a multiple-part encryption or decryption operation
1959      * (depending on how this cipher was initialized), processing another data
1960      * part.
1961      *
1962      * <p>All {@code input.remaining()} bytes starting at
1963      * {@code input.position()} are processed. The result is stored
1964      * in the output buffer.
1965      * Upon return, the input buffer's position will be equal
1966      * to its limit; its limit will not have changed. The output buffer's
1967      * position will have advanced by n, where n is the value returned
1968      * by this method; the output buffer's limit will not have changed.
1969      *
1970      * <p>If {@code output.remaining()} bytes are insufficient to
1971      * hold the result, a {@code ShortBufferException} is thrown.
1972      * In this case, repeat this call with a larger output buffer. Use
1973      * {@link #getOutputSize(int) getOutputSize} to determine how big
1974      * the output buffer should be.
1975      *
1976      * <p>Note: this method should be copy-safe, which means the
1977      * {@code input} and {@code output} buffers can reference
1978      * the same block of memory and no unprocessed input data is overwritten
1979      * when the result is copied into the output buffer.
1980      *
1981      * @param input the input ByteBuffer
1982      * @param output the output ByteByffer
1983      *
1984      * @return the number of bytes stored in {@code output}
1985      *
1986      * @exception IllegalStateException if this cipher is in a wrong state
1987      * (e.g., has not been initialized)
1988      * @exception IllegalArgumentException if input and output are the
1989      *   same object
1990      * @exception ReadOnlyBufferException if the output buffer is read-only
1991      * @exception ShortBufferException if there is insufficient space in the
1992      * output buffer
1993      * @since 1.5
1994      */
1995     public final int update(ByteBuffer input, ByteBuffer output)
1996             throws ShortBufferException {
1997         checkCipherState();
1998 
1999         if ((input == null) || (output == null)) {
2000             throw new IllegalArgumentException("Buffers must not be null");
2001         }
2002         if (input == output) {
2003             throw new IllegalArgumentException("Input and output buffers must "
2004                 + "not be the same object, consider using buffer.duplicate()");
2005         }
2006         if (output.isReadOnly()) {
2007             throw new ReadOnlyBufferException();
2008         }
2009 
2010         chooseFirstProvider();
2011         return spi.engineUpdate(input, output);
2012     }
2013 
2014     /**
2015      * Finishes a multiple-part encryption or decryption operation, depending
2016      * on how this cipher was initialized.
2017      *
2018      * <p>Input data that may have been buffered during a previous
2019      * {@code update} operation is processed, with padding (if requested)
2020      * being applied.
2021      * If an AEAD mode such as GCM/CCM is being used, the authentication
2022      * tag is appended in the case of encryption, or verified in the
2023      * case of decryption.
2024      * The result is stored in a new buffer.
2025      *
2026      * <p>Upon finishing, this method resets this cipher object to the state
2027      * it was in when previously initialized via a call to {@code init}.
2028      * That is, the object is reset and available to encrypt or decrypt
2029      * (depending on the operation mode that was specified in the call to
2030      * {@code init}) more data.
2031      *
2032      * <p>Note: if any exception is thrown, this cipher object may need to
2033      * be reset before it can be used again.
2034      *
2035      * @return the new buffer with the result
2036      *
2037      * @exception IllegalStateException if this cipher is in a wrong state
2038      * (e.g., has not been initialized)
2039      * @exception IllegalBlockSizeException if this cipher is a block cipher,
2040      * no padding has been requested (only in encryption mode), and the total
2041      * input length of the data processed by this cipher is not a multiple of
2042      * block size; or if this encryption algorithm is unable to
2043      * process the input data provided.
2044      * @exception BadPaddingException if this cipher is in decryption mode,
2045      * and (un)padding has been requested, but the decrypted data is not
2046      * bounded by the appropriate padding bytes
2047      * @exception AEADBadTagException if this cipher is decrypting in an
2048      * AEAD mode (such as GCM/CCM), and the received authentication tag
2049      * does not match the calculated value
2050      */
2051     public final byte[] doFinal()
2052             throws IllegalBlockSizeException, BadPaddingException {
2053         checkCipherState();
2054 
2055         chooseFirstProvider();
2056         return spi.engineDoFinal(null, 0, 0);
2057     }
2058 
2059     /**
2060      * Finishes a multiple-part encryption or decryption operation, depending
2061      * on how this cipher was initialized.
2062      *
2063      * <p>Input data that may have been buffered during a previous
2064      * {@code update} operation is processed, with padding (if requested)
2065      * being applied.
2066      * If an AEAD mode such as GCM/CCM is being used, the authentication
2067      * tag is appended in the case of encryption, or verified in the
2068      * case of decryption.
2069      * The result is stored in the {@code output} buffer, starting at
2070      * {@code outputOffset} inclusive.
2071      *
2072      * <p>If the {@code output} buffer is too small to hold the result,
2073      * a {@code ShortBufferException} is thrown. In this case, repeat this
2074      * call with a larger output buffer. Use
2075      * {@link #getOutputSize(int) getOutputSize} to determine how big
2076      * the output buffer should be.
2077      *
2078      * <p>Upon finishing, this method resets this cipher object to the state
2079      * it was in when previously initialized via a call to {@code init}.
2080      * That is, the object is reset and available to encrypt or decrypt
2081      * (depending on the operation mode that was specified in the call to
2082      * {@code init}) more data.
2083      *
2084      * <p>Note: if any exception is thrown, this cipher object may need to
2085      * be reset before it can be used again.
2086      *
2087      * @param output the buffer for the result
2088      * @param outputOffset the offset in {@code output} where the result
2089      * is stored
2090      *
2091      * @return the number of bytes stored in {@code output}
2092      *
2093      * @exception IllegalStateException if this cipher is in a wrong state
2094      * (e.g., has not been initialized)
2095      * @exception IllegalBlockSizeException if this cipher is a block cipher,
2096      * no padding has been requested (only in encryption mode), and the total
2097      * input length of the data processed by this cipher is not a multiple of
2098      * block size; or if this encryption algorithm is unable to
2099      * process the input data provided.
2100      * @exception ShortBufferException if the given output buffer is too small
2101      * to hold the result
2102      * @exception BadPaddingException if this cipher is in decryption mode,
2103      * and (un)padding has been requested, but the decrypted data is not
2104      * bounded by the appropriate padding bytes
2105      * @exception AEADBadTagException if this cipher is decrypting in an
2106      * AEAD mode (such as GCM/CCM), and the received authentication tag
2107      * does not match the calculated value
2108      */
2109     public final int doFinal(byte[] output, int outputOffset)
2110             throws IllegalBlockSizeException, ShortBufferException,
2111                BadPaddingException {
2112         checkCipherState();
2113 
2114         // Input sanity check
2115         if ((output == null) || (outputOffset < 0)) {
2116             throw new IllegalArgumentException("Bad arguments");
2117         }
2118 
2119         chooseFirstProvider();
2120         return spi.engineDoFinal(null, 0, 0, output, outputOffset);
2121     }
2122 
2123     /**
2124      * Encrypts or decrypts data in a single-part operation, or finishes a
2125      * multiple-part operation. The data is encrypted or decrypted,
2126      * depending on how this cipher was initialized.
2127      *
2128      * <p>The bytes in the {@code input} buffer, and any input bytes that
2129      * may have been buffered during a previous {@code update} operation,
2130      * are processed, with padding (if requested) being applied.
2131      * If an AEAD mode such as GCM/CCM is being used, the authentication
2132      * tag is appended in the case of encryption, or verified in the
2133      * case of decryption.
2134      * The result is stored in a new buffer.
2135      *
2136      * <p>Upon finishing, this method resets this cipher object to the state
2137      * it was in when previously initialized via a call to {@code init}.
2138      * That is, the object is reset and available to encrypt or decrypt
2139      * (depending on the operation mode that was specified in the call to
2140      * {@code init}) more data.
2141      *
2142      * <p>Note: if any exception is thrown, this cipher object may need to
2143      * be reset before it can be used again.
2144      *
2145      * @param input the input buffer
2146      *
2147      * @return the new buffer with the result
2148      *
2149      * @exception IllegalStateException if this cipher is in a wrong state
2150      * (e.g., has not been initialized)
2151      * @exception IllegalBlockSizeException if this cipher is a block cipher,
2152      * no padding has been requested (only in encryption mode), and the total
2153      * input length of the data processed by this cipher is not a multiple of
2154      * block size; or if this encryption algorithm is unable to
2155      * process the input data provided.
2156      * @exception BadPaddingException if this cipher is in decryption mode,
2157      * and (un)padding has been requested, but the decrypted data is not
2158      * bounded by the appropriate padding bytes
2159      * @exception AEADBadTagException if this cipher is decrypting in an
2160      * AEAD mode (such as GCM/CCM), and the received authentication tag
2161      * does not match the calculated value
2162      */
2163     public final byte[] doFinal(byte[] input)
2164             throws IllegalBlockSizeException, BadPaddingException {
2165         checkCipherState();
2166 
2167         // Input sanity check
2168         if (input == null) {
2169             throw new IllegalArgumentException("Null input buffer");
2170         }
2171 
2172         chooseFirstProvider();
2173         return spi.engineDoFinal(input, 0, input.length);
2174     }
2175 
2176     /**
2177      * Encrypts or decrypts data in a single-part operation, or finishes a
2178      * multiple-part operation. The data is encrypted or decrypted,
2179      * depending on how this cipher was initialized.
2180      *
2181      * <p>The first {@code inputLen} bytes in the {@code input}
2182      * buffer, starting at {@code inputOffset} inclusive, and any input
2183      * bytes that may have been buffered during a previous {@code update}
2184      * operation, are processed, with padding (if requested) being applied.
2185      * If an AEAD mode such as GCM/CCM is being used, the authentication
2186      * tag is appended in the case of encryption, or verified in the
2187      * case of decryption.
2188      * The result is stored in a new buffer.
2189      *
2190      * <p>Upon finishing, this method resets this cipher object to the state
2191      * it was in when previously initialized via a call to {@code init}.
2192      * That is, the object is reset and available to encrypt or decrypt
2193      * (depending on the operation mode that was specified in the call to
2194      * {@code init}) more data.
2195      *
2196      * <p>Note: if any exception is thrown, this cipher object may need to
2197      * be reset before it can be used again.
2198      *
2199      * @param input the input buffer
2200      * @param inputOffset the offset in {@code input} where the input
2201      * starts
2202      * @param inputLen the input length
2203      *
2204      * @return the new buffer with the result
2205      *
2206      * @exception IllegalStateException if this cipher is in a wrong state
2207      * (e.g., has not been initialized)
2208      * @exception IllegalBlockSizeException if this cipher is a block cipher,
2209      * no padding has been requested (only in encryption mode), and the total
2210      * input length of the data processed by this cipher is not a multiple of
2211      * block size; or if this encryption algorithm is unable to
2212      * process the input data provided.
2213      * @exception BadPaddingException if this cipher is in decryption mode,
2214      * and (un)padding has been requested, but the decrypted data is not
2215      * bounded by the appropriate padding bytes
2216      * @exception AEADBadTagException if this cipher is decrypting in an
2217      * AEAD mode (such as GCM/CCM), and the received authentication tag
2218      * does not match the calculated value
2219      */
2220     public final byte[] doFinal(byte[] input, int inputOffset, int inputLen)
2221             throws IllegalBlockSizeException, BadPaddingException {
2222         checkCipherState();
2223 
2224         // Input sanity check
2225         if (input == null || inputOffset < 0
2226             || inputLen > (input.length - inputOffset) || inputLen < 0) {
2227             throw new IllegalArgumentException("Bad arguments");
2228         }
2229 
2230         chooseFirstProvider();
2231         return spi.engineDoFinal(input, inputOffset, inputLen);
2232     }
2233 
2234     /**
2235      * Encrypts or decrypts data in a single-part operation, or finishes a
2236      * multiple-part operation. The data is encrypted or decrypted,
2237      * depending on how this cipher was initialized.
2238      *
2239      * <p>The first {@code inputLen} bytes in the {@code input}
2240      * buffer, starting at {@code inputOffset} inclusive, and any input
2241      * bytes that may have been buffered during a previous {@code update}
2242      * operation, are processed, with padding (if requested) being applied.
2243      * If an AEAD mode such as GCM/CCM is being used, the authentication
2244      * tag is appended in the case of encryption, or verified in the
2245      * case of decryption.
2246      * The result is stored in the {@code output} buffer.
2247      *
2248      * <p>If the {@code output} buffer is too small to hold the result,
2249      * a {@code ShortBufferException} is thrown. In this case, repeat this
2250      * call with a larger output buffer. Use
2251      * {@link #getOutputSize(int) getOutputSize} to determine how big
2252      * the output buffer should be.
2253      *
2254      * <p>Upon finishing, this method resets this cipher object to the state
2255      * it was in when previously initialized via a call to {@code init}.
2256      * That is, the object is reset and available to encrypt or decrypt
2257      * (depending on the operation mode that was specified in the call to
2258      * {@code init}) more data.
2259      *
2260      * <p>Note: if any exception is thrown, this cipher object may need to
2261      * be reset before it can be used again.
2262      *
2263      * <p>Note: this method should be copy-safe, which means the
2264      * {@code input} and {@code output} buffers can reference
2265      * the same byte array and no unprocessed input data is overwritten
2266      * when the result is copied into the output buffer.
2267      *
2268      * @param input the input buffer
2269      * @param inputOffset the offset in {@code input} where the input
2270      * starts
2271      * @param inputLen the input length
2272      * @param output the buffer for the result
2273      *
2274      * @return the number of bytes stored in {@code output}
2275      *
2276      * @exception IllegalStateException if this cipher is in a wrong state
2277      * (e.g., has not been initialized)
2278      * @exception IllegalBlockSizeException if this cipher is a block cipher,
2279      * no padding has been requested (only in encryption mode), and the total
2280      * input length of the data processed by this cipher is not a multiple of
2281      * block size; or if this encryption algorithm is unable to
2282      * process the input data provided.
2283      * @exception ShortBufferException if the given output buffer is too small
2284      * to hold the result
2285      * @exception BadPaddingException if this cipher is in decryption mode,
2286      * and (un)padding has been requested, but the decrypted data is not
2287      * bounded by the appropriate padding bytes
2288      * @exception AEADBadTagException if this cipher is decrypting in an
2289      * AEAD mode (such as GCM/CCM), and the received authentication tag
2290      * does not match the calculated value
2291      */
2292     public final int doFinal(byte[] input, int inputOffset, int inputLen,
2293                              byte[] output)
2294             throws ShortBufferException, IllegalBlockSizeException,
2295             BadPaddingException {
2296         checkCipherState();
2297 
2298         // Input sanity check
2299         if (input == null || inputOffset < 0
2300             || inputLen > (input.length - inputOffset) || inputLen < 0) {
2301             throw new IllegalArgumentException("Bad arguments");
2302         }
2303 
2304         chooseFirstProvider();
2305         return spi.engineDoFinal(input, inputOffset, inputLen,
2306                                        output, 0);
2307     }
2308 
2309     /**
2310      * Encrypts or decrypts data in a single-part operation, or finishes a
2311      * multiple-part operation. The data is encrypted or decrypted,
2312      * depending on how this cipher was initialized.
2313      *
2314      * <p>The first {@code inputLen} bytes in the {@code input}
2315      * buffer, starting at {@code inputOffset} inclusive, and any input
2316      * bytes that may have been buffered during a previous
2317      * {@code update} operation, are processed, with padding
2318      * (if requested) being applied.
2319      * If an AEAD mode such as GCM/CCM is being used, the authentication
2320      * tag is appended in the case of encryption, or verified in the
2321      * case of decryption.
2322      * The result is stored in the {@code output} buffer, starting at
2323      * {@code outputOffset} inclusive.
2324      *
2325      * <p>If the {@code output} buffer is too small to hold the result,
2326      * a {@code ShortBufferException} is thrown. In this case, repeat this
2327      * call with a larger output buffer. Use
2328      * {@link #getOutputSize(int) getOutputSize} to determine how big
2329      * the output buffer should be.
2330      *
2331      * <p>Upon finishing, this method resets this cipher object to the state
2332      * it was in when previously initialized via a call to {@code init}.
2333      * That is, the object is reset and available to encrypt or decrypt
2334      * (depending on the operation mode that was specified in the call to
2335      * {@code init}) more data.
2336      *
2337      * <p>Note: if any exception is thrown, this cipher object may need to
2338      * be reset before it can be used again.
2339      *
2340      * <p>Note: this method should be copy-safe, which means the
2341      * {@code input} and {@code output} buffers can reference
2342      * the same byte array and no unprocessed input data is overwritten
2343      * when the result is copied into the output buffer.
2344      *
2345      * @param input the input buffer
2346      * @param inputOffset the offset in {@code input} where the input
2347      * starts
2348      * @param inputLen the input length
2349      * @param output the buffer for the result
2350      * @param outputOffset the offset in {@code output} where the result
2351      * is stored
2352      *
2353      * @return the number of bytes stored in {@code output}
2354      *
2355      * @exception IllegalStateException if this cipher is in a wrong state
2356      * (e.g., has not been initialized)
2357      * @exception IllegalBlockSizeException if this cipher is a block cipher,
2358      * no padding has been requested (only in encryption mode), and the total
2359      * input length of the data processed by this cipher is not a multiple of
2360      * block size; or if this encryption algorithm is unable to
2361      * process the input data provided.
2362      * @exception ShortBufferException if the given output buffer is too small
2363      * to hold the result
2364      * @exception BadPaddingException if this cipher is in decryption mode,
2365      * and (un)padding has been requested, but the decrypted data is not
2366      * bounded by the appropriate padding bytes
2367      * @exception AEADBadTagException if this cipher is decrypting in an
2368      * AEAD mode (such as GCM/CCM), and the received authentication tag
2369      * does not match the calculated value
2370      */
2371     public final int doFinal(byte[] input, int inputOffset, int inputLen,
2372                              byte[] output, int outputOffset)
2373             throws ShortBufferException, IllegalBlockSizeException,
2374             BadPaddingException {
2375         checkCipherState();
2376 
2377         // Input sanity check
2378         if (input == null || inputOffset < 0
2379             || inputLen > (input.length - inputOffset) || inputLen < 0
2380             || outputOffset < 0) {
2381             throw new IllegalArgumentException("Bad arguments");
2382         }
2383 
2384         chooseFirstProvider();
2385         return spi.engineDoFinal(input, inputOffset, inputLen,
2386                                        output, outputOffset);
2387     }
2388 
2389     /**
2390      * Encrypts or decrypts data in a single-part operation, or finishes a
2391      * multiple-part operation. The data is encrypted or decrypted,
2392      * depending on how this cipher was initialized.
2393      *
2394      * <p>All {@code input.remaining()} bytes starting at
2395      * {@code input.position()} are processed.
2396      * If an AEAD mode such as GCM/CCM is being used, the authentication
2397      * tag is appended in the case of encryption, or verified in the
2398      * case of decryption.
2399      * The result is stored in the output buffer.
2400      * Upon return, the input buffer's position will be equal
2401      * to its limit; its limit will not have changed. The output buffer's
2402      * position will have advanced by n, where n is the value returned
2403      * by this method; the output buffer's limit will not have changed.
2404      *
2405      * <p>If {@code output.remaining()} bytes are insufficient to
2406      * hold the result, a {@code ShortBufferException} is thrown.
2407      * In this case, repeat this call with a larger output buffer. Use
2408      * {@link #getOutputSize(int) getOutputSize} to determine how big
2409      * the output buffer should be.
2410      *
2411      * <p>Upon finishing, this method resets this cipher object to the state
2412      * it was in when previously initialized via a call to {@code init}.
2413      * That is, the object is reset and available to encrypt or decrypt
2414      * (depending on the operation mode that was specified in the call to
2415      * {@code init}) more data.
2416      *
2417      * <p>Note: if any exception is thrown, this cipher object may need to
2418      * be reset before it can be used again.
2419      *
2420      * <p>Note: this method should be copy-safe, which means the
2421      * {@code input} and {@code output} buffers can reference
2422      * the same byte array and no unprocessed input data is overwritten
2423      * when the result is copied into the output buffer.
2424      *
2425      * @param input the input ByteBuffer
2426      * @param output the output ByteBuffer
2427      *
2428      * @return the number of bytes stored in {@code output}
2429      *
2430      * @exception IllegalStateException if this cipher is in a wrong state
2431      * (e.g., has not been initialized)
2432      * @exception IllegalArgumentException if input and output are the
2433      *   same object
2434      * @exception ReadOnlyBufferException if the output buffer is read-only
2435      * @exception IllegalBlockSizeException if this cipher is a block cipher,
2436      * no padding has been requested (only in encryption mode), and the total
2437      * input length of the data processed by this cipher is not a multiple of
2438      * block size; or if this encryption algorithm is unable to
2439      * process the input data provided.
2440      * @exception ShortBufferException if there is insufficient space in the
2441      * output buffer
2442      * @exception BadPaddingException if this cipher is in decryption mode,
2443      * and (un)padding has been requested, but the decrypted data is not
2444      * bounded by the appropriate padding bytes
2445      * @exception AEADBadTagException if this cipher is decrypting in an
2446      * AEAD mode (such as GCM/CCM), and the received authentication tag
2447      * does not match the calculated value
2448      *
2449      * @since 1.5
2450      */
2451     public final int doFinal(ByteBuffer input, ByteBuffer output)
2452             throws ShortBufferException, IllegalBlockSizeException,
2453             BadPaddingException {
2454         checkCipherState();
2455 
2456         if ((input == null) || (output == null)) {
2457             throw new IllegalArgumentException("Buffers must not be null");
2458         }
2459         if (input == output) {
2460             throw new IllegalArgumentException("Input and output buffers must "
2461                 + "not be the same object, consider using buffer.duplicate()");
2462         }
2463         if (output.isReadOnly()) {
2464             throw new ReadOnlyBufferException();
2465         }
2466 
2467         chooseFirstProvider();
2468         return spi.engineDoFinal(input, output);
2469     }
2470 
2471     /**
2472      * Wrap a key.
2473      *
2474      * @param key the key to be wrapped.
2475      *
2476      * @return the wrapped key.
2477      *
2478      * @exception IllegalStateException if this cipher is in a wrong
2479      * state (e.g., has not been initialized).
2480      *
2481      * @exception IllegalBlockSizeException if this cipher is a block
2482      * cipher, no padding has been requested, and the length of the
2483      * encoding of the key to be wrapped is not a
2484      * multiple of the block size.
2485      *
2486      * @exception InvalidKeyException if it is impossible or unsafe to
2487      * wrap the key with this cipher (e.g., a hardware protected key is
2488      * being passed to a software-only cipher).
2489      *
2490      * @throws UnsupportedOperationException if the corresponding method in the
2491      * {@code CipherSpi} is not supported.
2492      */
2493     public final byte[] wrap(Key key)
2494             throws IllegalBlockSizeException, InvalidKeyException {
2495         if (!(this instanceof NullCipher)) {
2496             if (!initialized) {
2497                 throw new IllegalStateException("Cipher not initialized");
2498             }
2499             if (opmode != Cipher.WRAP_MODE) {
2500                 throw new IllegalStateException("Cipher not initialized " +
2501                                                 "for wrapping keys");
2502             }
2503         }
2504 
2505         chooseFirstProvider();
2506         return spi.engineWrap(key);
2507     }
2508 
2509     /**
2510      * Unwrap a previously wrapped key.
2511      *
2512      * @param wrappedKey the key to be unwrapped.
2513      *
2514      * @param wrappedKeyAlgorithm the algorithm associated with the wrapped
2515      * key.
2516      *
2517      * @param wrappedKeyType the type of the wrapped key. This must be one of
2518      * {@code SECRET_KEY}, {@code PRIVATE_KEY}, or
2519      * {@code PUBLIC_KEY}.
2520      *
2521      * @return the unwrapped key.
2522      *
2523      * @exception IllegalStateException if this cipher is in a wrong state
2524      * (e.g., has not been initialized).
2525      *
2526      * @exception NoSuchAlgorithmException if no installed providers
2527      * can create keys of type {@code wrappedKeyType} for the
2528      * {@code wrappedKeyAlgorithm}.
2529      *
2530      * @exception InvalidKeyException if {@code wrappedKey} does not
2531      * represent a wrapped key of type {@code wrappedKeyType} for
2532      * the {@code wrappedKeyAlgorithm}.
2533      *
2534      * @throws UnsupportedOperationException if the corresponding method in the
2535      * {@code CipherSpi} is not supported.
2536      */
2537     public final Key unwrap(byte[] wrappedKey,
2538                             String wrappedKeyAlgorithm,
2539                             int wrappedKeyType)
2540             throws InvalidKeyException, NoSuchAlgorithmException {
2541 
2542         if (!(this instanceof NullCipher)) {
2543             if (!initialized) {
2544                 throw new IllegalStateException("Cipher not initialized");
2545             }
2546             if (opmode != Cipher.UNWRAP_MODE) {
2547                 throw new IllegalStateException("Cipher not initialized " +
2548                                                 "for unwrapping keys");
2549             }
2550         }
2551         if ((wrappedKeyType != SECRET_KEY) &&
2552             (wrappedKeyType != PRIVATE_KEY) &&
2553             (wrappedKeyType != PUBLIC_KEY)) {
2554             throw new InvalidParameterException("Invalid key type");
2555         }
2556 
2557         chooseFirstProvider();
2558         return spi.engineUnwrap(wrappedKey,
2559                                       wrappedKeyAlgorithm,
2560                                       wrappedKeyType);
2561     }
2562 
2563     private AlgorithmParameterSpec getAlgorithmParameterSpec(
2564                                       AlgorithmParameters params)
2565             throws InvalidParameterSpecException {
2566         if (params == null) {
2567             return null;
2568         }
2569 
2570         String alg = params.getAlgorithm().toUpperCase(Locale.ENGLISH);
2571 
2572         if (alg.equalsIgnoreCase("RC2")) {
2573             return params.getParameterSpec(RC2ParameterSpec.class);
2574         }
2575 
2576         if (alg.equalsIgnoreCase("RC5")) {
2577             return params.getParameterSpec(RC5ParameterSpec.class);
2578         }
2579 
2580         if (alg.startsWith("PBE")) {
2581             return params.getParameterSpec(PBEParameterSpec.class);
2582         }
2583 
2584         if (alg.startsWith("DES")) {
2585             return params.getParameterSpec(IvParameterSpec.class);
2586         }
2587         return null;
2588     }
2589 
2590     private static CryptoPermission getConfiguredPermission(
2591             String transformation) throws NullPointerException,
2592             NoSuchAlgorithmException {
2593         if (transformation == null) throw new NullPointerException();
2594         String[] parts = tokenizeTransformation(transformation);
2595         return JceSecurityManager.INSTANCE.getCryptoPermission(parts[0]);
2596     }
2597 
2598     /**
2599      * Returns the maximum key length for the specified transformation
2600      * according to the installed JCE jurisdiction policy files. If
2601      * JCE unlimited strength jurisdiction policy files are installed,
2602      * Integer.MAX_VALUE will be returned.
2603      * For more information on default key size in JCE jurisdiction
2604      * policy files, please see Appendix E in the
2605      * <a href=
2606      *   "{@docRoot}/../technotes/guides/security/crypto/CryptoSpec.html#AppC">
2607      * Java Cryptography Architecture Reference Guide</a>.
2608      *
2609      * @param transformation the cipher transformation.
2610      * @return the maximum key length in bits or Integer.MAX_VALUE.
2611      * @exception NullPointerException if {@code transformation} is null.
2612      * @exception NoSuchAlgorithmException if {@code transformation}
2613      * is not a valid transformation, i.e. in the form of "algorithm" or
2614      * "algorithm/mode/padding".
2615      * @since 1.5
2616      */
2617     public static final int getMaxAllowedKeyLength(String transformation)
2618             throws NoSuchAlgorithmException {
2619         CryptoPermission cp = getConfiguredPermission(transformation);
2620         return cp.getMaxKeySize();
2621     }
2622 
2623     /**
2624      * Returns an AlgorithmParameterSpec object which contains
2625      * the maximum cipher parameter value according to the
2626      * jurisdiction policy file. If JCE unlimited strength jurisdiction
2627      * policy files are installed or there is no maximum limit on the
2628      * parameters for the specified transformation in the policy file,
2629      * null will be returned.
2630      *
2631      * @param transformation the cipher transformation.
2632      * @return an AlgorithmParameterSpec which holds the maximum
2633      * value or null.
2634      * @exception NullPointerException if {@code transformation}
2635      * is null.
2636      * @exception NoSuchAlgorithmException if {@code transformation}
2637      * is not a valid transformation, i.e. in the form of "algorithm" or
2638      * "algorithm/mode/padding".
2639      * @since 1.5
2640      */
2641     public static final AlgorithmParameterSpec getMaxAllowedParameterSpec(
2642             String transformation) throws NoSuchAlgorithmException {
2643         CryptoPermission cp = getConfiguredPermission(transformation);
2644         return cp.getAlgorithmParameterSpec();
2645     }
2646 
2647     /**
2648      * Continues a multi-part update of the Additional Authentication
2649      * Data (AAD).
2650      * <p>
2651      * Calls to this method provide AAD to the cipher when operating in
2652      * modes such as AEAD (GCM/CCM).  If this cipher is operating in
2653      * either GCM or CCM mode, all AAD must be supplied before beginning
2654      * operations on the ciphertext (via the {@code update} and
2655      * {@code doFinal} methods).
2656      *
2657      * @param src the buffer containing the Additional Authentication Data
2658      *
2659      * @throws IllegalArgumentException if the {@code src}
2660      * byte array is null
2661      * @throws IllegalStateException if this cipher is in a wrong state
2662      * (e.g., has not been initialized), does not accept AAD, or if
2663      * operating in either GCM or CCM mode and one of the {@code update}
2664      * methods has already been called for the active
2665      * encryption/decryption operation
2666      * @throws UnsupportedOperationException if the corresponding method
2667      * in the {@code CipherSpi} has not been overridden by an
2668      * implementation
2669      *
2670      * @since 1.7
2671      */
2672     public final void updateAAD(byte[] src) {
2673         if (src == null) {
2674             throw new IllegalArgumentException("src buffer is null");
2675         }
2676 
2677         updateAAD(src, 0, src.length);
2678     }
2679 
2680     /**
2681      * Continues a multi-part update of the Additional Authentication
2682      * Data (AAD), using a subset of the provided buffer.
2683      * <p>
2684      * Calls to this method provide AAD to the cipher when operating in
2685      * modes such as AEAD (GCM/CCM).  If this cipher is operating in
2686      * either GCM or CCM mode, all AAD must be supplied before beginning
2687      * operations on the ciphertext (via the {@code update}
2688      * and {@code doFinal} methods).
2689      *
2690      * @param src the buffer containing the AAD
2691      * @param offset the offset in {@code src} where the AAD input starts
2692      * @param len the number of AAD bytes
2693      *
2694      * @throws IllegalArgumentException if the {@code src}
2695      * byte array is null, or the {@code offset} or {@code length}
2696      * is less than 0, or the sum of the {@code offset} and
2697      * {@code len} is greater than the length of the
2698      * {@code src} byte array
2699      * @throws IllegalStateException if this cipher is in a wrong state
2700      * (e.g., has not been initialized), does not accept AAD, or if
2701      * operating in either GCM or CCM mode and one of the {@code update}
2702      * methods has already been called for the active
2703      * encryption/decryption operation
2704      * @throws UnsupportedOperationException if the corresponding method
2705      * in the {@code CipherSpi} has not been overridden by an
2706      * implementation
2707      *
2708      * @since 1.7
2709      */
2710     public final void updateAAD(byte[] src, int offset, int len) {
2711         checkCipherState();
2712 
2713         // Input sanity check
2714         if ((src == null) || (offset < 0) || (len < 0)
2715                 || ((len + offset) > src.length)) {
2716             throw new IllegalArgumentException("Bad arguments");
2717         }
2718 
2719         chooseFirstProvider();
2720         if (len == 0) {
2721             return;
2722         }
2723         spi.engineUpdateAAD(src, offset, len);
2724     }
2725 
2726     /**
2727      * Continues a multi-part update of the Additional Authentication
2728      * Data (AAD).
2729      * <p>
2730      * Calls to this method provide AAD to the cipher when operating in
2731      * modes such as AEAD (GCM/CCM).  If this cipher is operating in
2732      * either GCM or CCM mode, all AAD must be supplied before beginning
2733      * operations on the ciphertext (via the {@code update}
2734      * and {@code doFinal} methods).
2735      * <p>
2736      * All {@code src.remaining()} bytes starting at
2737      * {@code src.position()} are processed.
2738      * Upon return, the input buffer's position will be equal
2739      * to its limit; its limit will not have changed.
2740      *
2741      * @param src the buffer containing the AAD
2742      *
2743      * @throws IllegalArgumentException if the {@code src ByteBuffer}
2744      * is null
2745      * @throws IllegalStateException if this cipher is in a wrong state
2746      * (e.g., has not been initialized), does not accept AAD, or if
2747      * operating in either GCM or CCM mode and one of the {@code update}
2748      * methods has already been called for the active
2749      * encryption/decryption operation
2750      * @throws UnsupportedOperationException if the corresponding method
2751      * in the {@code CipherSpi} has not been overridden by an
2752      * implementation
2753      *
2754      * @since 1.7
2755      */
2756     public final void updateAAD(ByteBuffer src) {
2757         checkCipherState();
2758 
2759         // Input sanity check
2760         if (src == null) {
2761             throw new IllegalArgumentException("src ByteBuffer is null");
2762         }
2763 
2764         chooseFirstProvider();
2765         if (src.remaining() == 0) {
2766             return;
2767         }
2768         spi.engineUpdateAAD(src);
2769     }
2770 }