Cryptography

Detailed description

Symmetric and asymmetric cryptographic hash operations.

Functions
byte[]	createHash (int nAlgId, byte[] hKey, int nFlags) throws TacException
	Creates a context for Hash calculation.
byte[]	createHash (int nAlgId) throws TacException
	Creates a context for calculating the hash.
byte[]	genEcdhKey (int dwOP, String szPriKey, byte[] pbInData) throws TacException
	It generates a shared secret/key using the ECDH (Elliptc Curve Diffie-Hellman) key-agreement protocol.
byte[]	genEcdhKeyX963 (int dwOP, String szPriKey, String szTargetKeyName, int dwTargetKeyAlg, int dwTargetKeyAttributes, byte[] pbPubKey, byte[] pbKDFData, int dwFlags) throws TacException
	Generates a shared secret/key using the ANSI X9.63 standard ECDH (Elliptc Curve Diffie-Hellman) key-agreement protocol.
byte[]	genEcdhKeyX963Sha256 (String szPriKey, String szTargetKeyName, int dwTargetKeyAlg, boolean isExportable, boolean isTemporary, byte[] pbPubKey, byte[] pbKDFData) throws TacException
	Generates a shared secret/key using the key-agreement protocol ECDH (Elliptc Curve Diffie-Hellman) standard ANSI X9.63 SHA256.
byte[]	getRand (int size) throws TacException
	Generates a pseudo-random buffer, generated in the HSM, for cryptographic use.
byte[]	encrypt (String strKeyId, byte[] byInput) throws TacException
	Encrypts a data buffer.
byte[]	encrypt (String strKeyId, byte[] byInput, int flags) throws TacException
	Encrypts a data buffer.
byte[]	encrypt (String strKeyId, byte[] byInput, byte[] byIV, int dwPadding, int dwMode) throws TacException
	Encrypts data.
byte[]	encrypt (String strKeyId, byte[] byInput, byte[] byIV, int dwPadding, int dwMode, int flags) throws TacException
	Encrypts data.
byte[]	decrypt (String keyId, byte[] input) throws TacException
	Decrypts data, often encrypted by the DEncrypt function.
byte[]	decrypt (String keyId, byte[] input, int flags) throws TacException
	Decrypts data, often encrypted by the DEncrypt function.
byte[]	decrypt (String keyId, byte[] input, byte[] byIV, int dwPadding, int dwMode) throws TacException
	Decrypts data, often encrypted by the DEncrypt function.
byte[]	decrypt (String keyId, byte[] input, byte[] byIV, int dwPadding, int dwMode, int flags) throws TacException
	Decrypts data, often encrypted by the DEncrypt function.
int	verifySignature (String keyId, int algHash, byte[] bSignature, byte[] bMessage) throws TacException
	Check a message.
int	verifySignature (String keyId, int algHash, int padding, byte[] bSignature, byte[] bMessage) throws TacException
	Check a message.
int	verifySignature (byte[] hPublicKey, byte[] hHash, byte[] bSignature) throws TacException
	Check a message.
int	verifySignature (byte[] hPublicKey, int hashAlg, byte[] bSignature, byte[] bMessage) throws TacException
	Check a message.
byte[]	signHash (String keyId, int algHash, byte[] bMessage) throws TacException
	Signs a piece of data based on its content.
byte[]	sign (String keyId, int algHash, byte[] bMessage) throws TacException
	Signs a piece of data based on its content.
byte[]	sign (String keyId, int algHash, int padding, byte[] bMessage) throws TacException
	Signs a piece of data based on its content.
byte[]	signHashedData (String keyId, int algHash, byte[] bHash) throws TacException
	Signs a piece of data based on its previously computed hash.
byte[]	signHashedData (String keyId, int algHash, byte[] bHash, boolean useOID) throws TacException
	Signs a piece of data based on its previously computed hash.
byte[]	signHashedData (String keyId, int algHash, byte[] bHash, int nFlags) throws TacException
	Signs a piece of data based on its previously computed hash.
byte[]	signHashedData (byte[] privateKeyHandle, int algHash, byte[] bHash, int nFlags) throws TacException
	Signs a piece of data based on its previously computed hash.
byte[]	generateHash (int algId, int flags, byte[] data) throws TacException
	Generates a hash in just one call.
byte[]	generateHash (int algId, byte[] data) throws TacException
	Generates a hash in just one call.
void	initHash (int algId, int flags) throws TacException
	Initializes a piecewise hash operation.
void	initHash (int algId) throws TacException
	Initializes a piecewise hash operation.
void	updateHash (byte[] data) throws TacException
	Updates a hash operation with more data.
byte[]	endHash () throws TacException
	Finalizes a hash operation.
byte[]	generateMAC (int algId, String macKey, int flags, byte[] data) throws TacException
	Generates a MAC in just one call.
byte[]	generateMAC (int algId, String macKey, byte[] data) throws TacException
	Generates a MAC in just one call.
void	initMAC (int algId, String macKey, int flags) throws TacException
	Initializes a MAC operation in parts.
void	initMAC (int algId, String macKey) throws TacException
	Initializes a MAC operation in parts.
void	updateMAC (byte[] data) throws TacException
	Updates a MAC operation with more data.
byte[]	endMAC () throws TacException
	Ends a MAC operation.

Functions

createHash() [1/2]

byte[] createHash	(	int	nAlgId,
		byte[]	hKey,
		int	nFlags ) throws TacException

Creates a context for Hash calculation.

Parameters

nAlgId	Identifier of the algorithm to be used
hKey	Key context to be used
nFlags

Return

Context for hash calculation

Exceptions

TacException

Obsolete

See also

getUserKey(String nKey)

createHash() [2/2]

byte[] createHash

(

int

nAlgId

)

throws TacException

Creates a context for calculating the hash.

Parameters

nAlgId

Indicates the algorithm associated with the hash context. Value Meaning TacNDJavaLib.ALG_MD5 MD5 hash algorithm. TacNDJavaLib.ALG_SHA1 SHA1 hash algorithm. TacNDJavaLib.ALG_SSL_SHA1_MD5 Hash for client authentication in SSLv3. TacNDJavaLib.ALG_SHA2_224 SHA2 hash algorithm - 224. TacNDJavaLib.ALG_SHA2_256 SHA2 hash algorithm - 256. TacNDJavaLib.ALG_SHA2_384 SHA2 hash algorithm - 384. TacNDJavaLib.ALG_SHA2_512 SHA2 hash algorithm - 512 TacNDJavaLib.ALG_SHA3_224 SHA3 hash algorithm - 224. TacNDJavaLib.ALG_SHA3_256 SHA3 hash algorithm - 256. TacNDJavaLib.ALG_SHA3_384 SHA3 hash algorithm - 384. TacNDJavaLib.ALG_SHA3_512 SHA3 hash algorithm - 512 TacNDJavaLib.ALG_IDENTITY_FUNC Identity function algorithm.

Return

Exceptions

TacException

genEcdhKey()

byte[] genEcdhKey	(	int	dwOP,
		String	szPriKey,
		byte[]	pbInData ) throws TacException

It generates a shared secret/key using the ECDH (Elliptc Curve Diffie-Hellman) key-agreement protocol.

Parameters

dwOP	Indicates the algorithm associated with the hash context. Value Meaning TacNDJavaLib.DN_GEN_KEY_KDF_RAW_SECRET The method returns the ECDH secret key without derivation. We recommend deriving a key from this to communicate with the peer. The parameter passed in pbInData must be a buffer containing the peer's public key in DER format.
szPriKey	String containing the identifier of the private key within the HSM. This identifier must not contain spaces or special characters. Uppercase and lowercase characters are case sensitive.
pbInData	Function input data. Must be filled in as described in the dwOP options.

Return

Buffer containing the output key/secret.

Exceptions

TacException

genEcdhKeyX963()

byte[] genEcdhKeyX963	(	int	dwOP,
		String	szPriKey,
		String	szTargetKeyName,
		int	dwTargetKeyAlg,
		int	dwTargetKeyAttributes,
		byte[]	pbPubKey,
		byte[]	pbKDFData,
		int	dwFlags ) throws TacException

Generates a shared secret/key using the ANSI X9.63 standard ECDH (Elliptc Curve Diffie-Hellman) key-agreement protocol.

Parameters

dwOP	Indicates the algorithm used. Value Meaning TacNDJavaLib.DN_GEN_KEY_X9_63_SHA256 Derives an ECDH secret key in the ANSI X9.63 standard using SHA256.
szPriKey	Identifier of the private key within the HSM.
szTargetKeyName	Identifier of the key that will be generated in the HSM. Only alphanumeric characters and underline '_' with a maximum length of TacNDJavaLib.MAX_OBJ_ID. Uppercase and lowercase characters are case sensitive. This parameter can be null if you want the contents of the generated key to be returned by the method.
dwTargetKeyAlg	Algorithm of the key that will be generated in the HSM. See options in the createKey method.
dwTargetKeyAttributes	Additional parameters of the key that will be generated in the HSM. See createKey.
pbPubKey	The other party's public key, in DER format. The maximum size of the pbPubKey and pbKDFData buffers together must not exceed TacNDJavaLib.DN_ECDH_GEN_KEY_MAX_DATA.
pbKDFData	Data that will be used to derive the key. The maximum size of the pbPubKey and pbKDFData buffers together must not exceed TacNDJavaLib.DN_ECDH_GEN_KEY_MAX_DATA.
dwFlags	Reserved for future use. You must pass 0.

Return

Exit key/secret.

Exceptions

TacException

genEcdhKeyX963Sha256()

byte[] genEcdhKeyX963Sha256	(	String	szPriKey,
		String	szTargetKeyName,
		int	dwTargetKeyAlg,
		boolean	isExportable,
		boolean	isTemporary,
		byte[]	pbPubKey,
		byte[]	pbKDFData ) throws TacException

Generates a shared secret/key using the key-agreement protocol ECDH (Elliptc Curve Diffie-Hellman) standard ANSI X9.63 SHA256.

Parameters

szPriKey	Identifier of the private key within the HSM.
szTargetKeyName	Identifier of the key that will be generated in the HSM. Only alphanumeric characters and underline '_' with a maximum length of TacNDJavaLib.MAX_OBJ_ID. Uppercase and lowercase characters are case sensitive. This parameter can be null if you want the contents of the generated key to be returned by the method.
dwTargetKeyAlg	Algorithm of the key that will be generated in the HSM. See options in the createKey method.
isTemporary	Informs whether the key, which will be generated in the HSM, is temporary.
isExportable	Informs whether the key, which will be generated in the HSM, is exportable.
pbPubKey	The other party's public key, in DER format. The maximum size of the pbPubKey and pbKDFData buffers together must not exceed TacNDJavaLib.DN_ECDH_GEN_KEY_MAX_DATA.
pbKDFData	Data that will be used to derive the key. The maximum size of the pbPubKey and pbKDFData buffers together must not exceed TacNDJavaLib.DN_ECDH_GEN_KEY_MAX_DATA.

Return

Output key/segment. Returns null if szTargetKeyName is NOT null.

Exceptions

TacException

getRand()

byte[] getRand

(

int

size

)

throws TacException

Generates a pseudo-random buffer, generated in the HSM, for cryptographic use.

Parameters

size	Size of the buffer that will be generated.

Return

Pseudo-random buffer.

Exceptions

TacException

encrypt() [1/4]

byte[] encrypt	(	String	strKeyId,
		byte[]	byInput ) throws TacException

Encrypts a data buffer.

Parameters

strKeyId	Key identifier.
byInput	Buffer containing the data to be encrypted.

Return

Returns the encrypted data.

Exceptions

TacException

encrypt() [2/4]

byte[] encrypt	(	String	strKeyId,
		byte[]	byInput,
		int	flags ) throws TacException

Encrypts a data buffer.

Parameters

strKeyId	Key identifier.
byInput	Buffer containing the data to be encrypted.
flags	Indicates additional options for operation. Value Meaning TacNDJavaLib.D_NO_RSA_PADDING Does not pad RSA PKCS#1.5. Can be used together with the TacNDJavaLib.D_FORCE_ACTUAL_RSA flag. TacNDJavaLib.D_FORCE_ACTUAL_RSA It uses the RSA key directly. Encryption with a private key and decryption with a public key. Can be used in conjunction with the TacNDJavaLib.D_NO_RSA_PADDING flag.

Return

Returns the encrypted data.

Exceptions

TacException

Notes

This API supports RSA operations performed directly on this function. The data to be operated on must have a length equal to or less than the size of the key minus 11 bytes. When using the public key for encryption, the padding used is PKCS#1 type 2 and in the decryption process, the padding is checked and removed. For operations with the private key, PKCS#1 type 1 padding is used. The HSM will check the padding formatting even when the operation has no padding defined, as in TacNDJavaLib.D_NO_RSA_PADDING.

encrypt() [3/4]

byte[] encrypt	(	String	strKeyId,
		byte[]	byInput,
		byte[]	byIV,
		int	dwPadding,
		int	dwMode ) throws TacException

Encrypts data.

Parameters

strKeyId	Key identifier.
byInput	Buffer containing the data to be encrypted.
byIV	Buffer containing the IV(Initialization Vector). Can be passed null to Not used or use the default. Initialization vector used with blockchain algorithms according to their symmetric encryption mode of operation. The size of the initialization vector depends on the symmetric algorithm used, since it has the same length as the block operation. Only valid for symmetric keys.
dwPadding	The library can work with the following forms of padding. Value Meaning TacNDJavaLib.D_NO_PADDING No padding is done, the data passed for encryption must already be a multiple of the size of the operation block. TacNDJavaLib.D_PKCS5_PADDING Padding is done following the standard defined in PKCS#5. TacNDJavaLib.D_ZERO_PADDING If the length of the data is not a multiple of the size of the operation block, it is completed with leading zeros until it reaches a size supported by the algorithm. This type of padding should not be used with data where there may be bytes with a value of zero, as it can lead to ambiguity in the decryption operation. If the data contains only ASCII text, for example, there is no problem. Only valid for symmetric keys.
dwMode	Indicates the encryption operating mode of the block algorithm. Value Meaning TacNDJavaLib.MODE_ECB Electronic Codebook (ECB) TacNDJavaLib.MODE_CBC Cipher Block Chain (CBC) TacNDJavaLib.MODE_GCM Galois/Counter Mode. The authentication tag is located right after the encrypted/decrypted data with the size of (returned size - message size in clear text). TacNDJavaLib.MODE_KW AESWRAP according to the RFC-3394 standard. Used in encryption and decryption operations of other keys. The padding used is the one defined in the default, any other value will be ignored. Use the standard IV with value 0xA6A6A6A6A6A6A6A60000000000000000. TacNDJavaLib.MODE_KWP AESWRAP with padding according to the RFC-5649 standard. Used in encryption and decryption operations of other keys. The padding used is the one defined in the default, any other value will be ignored. Use the standard IV with value 0xA65959A6000000000000000000000000. TacNDJavaLib.MODE_OFB Output-Feedback. Not yet supported. Valid only for symmetric keys and block algorithms. Only valid for symmetric keys and block algorithms.

Return

Returns the encrypted data.

Exceptions

TacException

encrypt() [4/4]

byte[] encrypt	(	String	strKeyId,
		byte[]	byInput,
		byte[]	byIV,
		int	dwPadding,
		int	dwMode,
		int	flags ) throws TacException

Encrypts data.

Parameters

strKeyId	Key identifier.
byInput	Buffer containing the data to be encrypted.
byIV	Buffer containing the IV(Initialization Vector). Can be passed null to Not used or use the default. Initialization vector used with blockchain algorithms according to their symmetric encryption mode of operation. The size of the initialization vector depends on the symmetric algorithm used, since it has the same length as the block operation. Only valid for symmetric keys.
dwPadding	The library can work with the following forms of padding. Value Meaning TacNDJavaLib.D_NO_PADDING No padding is done, the data passed for encryption must already be a multiple of the size of the operation block. TacNDJavaLib.D_PKCS5_PADDING Padding is done following the standard defined in PKCS#5. TacNDJavaLib.D_ZERO_PADDING If the length of the data is not a multiple of the size of the operation block, it is completed with leading zeros until it reaches a size supported by the algorithm. This type of padding should not be used with data where there may be bytes with a value of zero, as it can lead to ambiguity in the decryption operation. If the data contains only ASCII text, for example, there is no problem. Only valid for symmetric keys.
dwMode	Indicates the encryption operating mode of the block algorithm. Value Meaning TacNDJavaLib.MODE_ECB Electronic Codebook (ECB) TacNDJavaLib.MODE_CBC Cipher Block Chain (CBC) TacNDJavaLib.MODE_GCM Galois/Counter Mode. The authentication tag is located right after the encrypted/decrypted data with the size of (returned size - message size in clear text). TacNDJavaLib.MODE_KW AESWRAP according to the RFC-3394 standard. Used in encryption and decryption operations of other keys. The padding used is the one defined in the default, any other value will be ignored. Use the standard IV with value 0xA6A6A6A6A6A6A6A60000000000000000. TacNDJavaLib.MODE_KWP AESWRAP with padding according to the RFC-5649 standard. Used in encryption and decryption operations of other keys. The padding used is the one defined in the default, any other value will be ignored. Use the standard IV with value 0xA65959A6000000000000000000000000. TacNDJavaLib.MODE_OFB Output-Feedback. Not yet supported. Valid only for symmetric keys and block algorithms. Only valid for symmetric keys and block algorithms.
flags	Indicates additional options for operation. Value Meaning TacNDJavaLib.D_NO_RSA_PADDING Does not pad RSA PKCS#1.5.Can be used together with the TacNDJavaLib.D_FORCE_ACTUAL_RSA flag. TacNDJavaLib.D_FORCE_ACTUAL_RSA It uses the RSA key directly. Encryption with private key decryption with public key. Can be used in conjunction with the TacNDJavaLib.D_NO_RSA_PADDING flag.

Return

Returns the encrypted data.

Exceptions

TacException

Notes

This API supports RSA operations performed directly on this function. The data to be operated on must have a length equal to or less than the size of the key minus 11 bytes. When using the public key for encryption, the padding used is PKCS#1 type 2 and in the decryption process, the padding is checked and removed. For operations with the private key, PKCS#1 type 1 padding is used. The HSM will check the formatting of the padding even when the operation has no padding defined, as in TacNDJavaLib.D_NO_RSA_PADDING. RSA encryption and decryption operations are only enabled in non-restricted mode (NRM).

decrypt() [1/4]

byte[] decrypt	(	String	keyId,
		byte[]	input ) throws TacException

Decrypts data, often encrypted by the DEncrypt function.

Parameters

keyId	Key identifier.
input	Buffer containing the data to be decrypted. For block symmetric operations, the size of the data must always be a multiple of the block used by the algorithm in question.

Return

Returns the decrypted data.

Exceptions

TacException

decrypt() [2/4]

byte[] decrypt	(	String	keyId,
		byte[]	input,
		int	flags ) throws TacException

Decrypts data, often encrypted by the DEncrypt function.

Parameters

keyId	Key identifier.
input	Buffer containing the data to be decrypted. For block symmetric operations, the size of the data must always be a multiple of the block used by the algorithm in question.
flags	Indicates additional options for operation. Value Meaning TacNDJavaLib.D_NO_RSA_PADDING Does not pad RSA PKCS#1.5.Can be used together with the TacNDJavaLib.D_FORCE_ACTUAL_RSA flag. TacNDJavaLib.D_FORCE_ACTUAL_RSA It uses the RSA key directly. Encryption with private key decryption with public key. Can be used in conjunction with the TacNDJavaLib.D_NO_RSA_PADDING flag.

Return

Returns the decrypted data.

Exceptions

TacException

Notes

This API supports RSA operations performed directly on this function. The data to be operated on must have a length equal to or less than the size of the key minus 11 bytes. When using the public key for encryption, the padding used is PKCS#1 type 2 and in the decryption process, the padding is checked and removed. For operations with the private key, PKCS#1 type 1 padding is used. The HSM will check the formatting of the padding even when the operation has no padding defined, as in TacNDJavaLib.D_NO_RSA_PADDING. RSA encryption and decryption operations are only enabled in non-restricted mode (NRM).

decrypt() [3/4]

byte[] decrypt	(	String	keyId,
		byte[]	input,
		byte[]	byIV,
		int	dwPadding,
		int	dwMode ) throws TacException

Decrypts data, often encrypted by the DEncrypt function.

Parameters

keyId	Key identifier.
input	Buffer containing the data to be decrypted. For block symmetric operations, the size of the data must always be a multiple of the block used by the algorithm in question.
byIV	Buffer containing the IV(Initialization Vector). Can be passed null to Not used or use the default. Initialization vector used with blockchain algorithms according to their symmetric encryption mode of operation. The size of the initialization vector depends on the symmetric algorithm used, since it has the same length as the block operation. Only valid for symmetric keys.
dwPadding	The library can work with the following forms of padding. Value Meaning TacNDJavaLib.D_NO_PADDING No padding is done, the data passed for encryption must already be a multiple of the size of the operation block. TacNDJavaLib.D_PKCS5_PADDING Padding is done following the standard defined in PKCS#5. TacNDJavaLib.D_ZERO_PADDING If the length of the data is not a multiple of the size of the operation block, it is completed with leading zeros until it reaches a size supported by the algorithm. This type of padding should not be used with data where there may be bytes with a value of zero, as it can lead to ambiguity in the decryption operation. If the data contains only ASCII text, for example, there is no problem. Only valid for symmetric keys.
dwMode	Indicates the encryption operating mode of the block algorithm. Value Meaning TacNDJavaLib.MODE_ECB Electronic Codebook (ECB) TacNDJavaLib.MODE_CBC Cipher Block Chain (CBC) TacNDJavaLib.MODE_GCM Galois/Counter Mode. The authentication tag is located right after the encrypted/decrypted data with the size of (returned size - message size in clear text). TacNDJavaLib.MODE_KW AESWRAP according to the RFC-3394 standard. Used in encryption and decryption operations of other keys. The padding used is the one defined in the default, any other value will be ignored. Use the standard IV with value 0xA6A6A6A6A6A6A6A60000000000000000. TacNDJavaLib.MODE_KWP AESWRAP with padding according to the RFC-5649 standard. Used in encryption and decryption operations of other keys. The padding used is the one defined in the default, any other value will be ignored. Use the standard IV with value 0xA65959A6000000000000000000000000. TacNDJavaLib.MODE_OFB Output-Feedback. Not yet supported. Valid only for symmetric keys and block algorithms. Only valid for symmetric keys and block algorithms.

Return

Returns the decrypted data.

Exceptions

TacException

decrypt() [4/4]

byte[] decrypt	(	String	keyId,
		byte[]	input,
		byte[]	byIV,
		int	dwPadding,
		int	dwMode,
		int	flags ) throws TacException

Decrypts data, often encrypted by the DEncrypt function.

Parameters

keyId	Key identifier.
input	Buffer containing the data to be decrypted. For block symmetric operations, the size of the data must always be a multiple of the block used by the algorithm in question.
byIV	Buffer containing the IV(Initialization Vector). Can be passed null to Not used or use the default. Initialization vector used with blockchain algorithms according to their symmetric encryption mode of operation. The size of the initialization vector depends on the symmetric algorithm used, since it has the same length as the block operation. Only valid for symmetric keys.
dwPadding	The library can work with the following forms of padding. Value Meaning TacNDJavaLib.D_NO_PADDING No padding is done, the data passed for encryption must already be a multiple of the size of the operation block. TacNDJavaLib.D_PKCS5_PADDING Padding is done following the standard defined in PKCS#5. TacNDJavaLib.D_ZERO_PADDING If the length of the data is not a multiple of the size of the operation block, it is completed with leading zeros until it reaches a size supported by the algorithm. This type of padding should not be used with data where there may be bytes with a value of zero, as it can lead to ambiguity in the decryption operation. If the data contains only ASCII text, for example, there is no problem. Only valid for symmetric keys.
dwMode	Indicates the encryption operating mode of the block algorithm. Value Meaning TacNDJavaLib.MODE_ECB Electronic Codebook (ECB) TacNDJavaLib.MODE_CBC Cipher Block Chain (CBC) TacNDJavaLib.MODE_GCM Galois/Counter Mode. The authentication tag is located right after the encrypted/decrypted data with the size of (returned size - message size in clear text). TacNDJavaLib.MODE_KW AESWRAP according to the RFC-3394 standard. Used in encryption and decryption operations of other keys. The padding used is the one defined in the default, any other value will be ignored. Use the standard IV with value 0xA6A6A6A6A6A6A6A60000000000000000. TacNDJavaLib.MODE_KWP AESWRAP with padding according to the RFC-5649 standard. Used in encryption and decryption operations of other keys. The padding used is the one defined in the default, any other value will be ignored. Use the standard IV with value 0xA65959A6000000000000000000000000. TacNDJavaLib.MODE_OFB Output-Feedback. Not yet supported. Valid only for symmetric keys and block algorithms. Only valid for symmetric keys and block algorithms.
flags	Indicates additional options for operation. Value Meaning TacNDJavaLib.D_NO_RSA_PADDING Does not pad RSA PKCS#1.5.Can be used together with the TacNDJavaLib.D_FORCE_ACTUAL_RSA flag. TacNDJavaLib.D_FORCE_ACTUAL_RSA It uses the RSA key directly. Encryption with private key decryption with public key. Can be used in conjunction with the TacNDJavaLib.D_NO_RSA_PADDING flag.

Return

Returns the decrypted data.

Exceptions

TacException

Notes

This API supports RSA operations performed directly on this function. The data to be operated on must have a length equal to or less than the size of the key minus 11 bytes. When using the public key for encryption, the padding used is PKCS#1 type 2 and in the decryption process, the padding is checked and removed. For operations with the private key, PKCS#1 type 1 padding is used. The HSM will check the padding formatting even when the operation has no padding defined, as in TacNDJavaLib.D_NO_RSA_PADDING.

verifySignature() [1/4]

int verifySignature	(	String	keyId,
		int	algHash,
		byte[]	bSignature,
		byte[]	bMessage ) throws TacException

Check a message.

Uses PKCS#1 padding.

Parameters

keyId	Identifier of the private key from which the public key will be extracted for verification.
algHash	Hash algorithm used to verify the signature. See options in initHash().
bSignature	Signature.
bMessage	Message for signature verification.

Return

Exceptions

TacException

verifySignature() [2/4]

int verifySignature	(	String	keyId,
		int	algHash,
		int	padding,
		byte[]	bSignature,
		byte[]	bMessage ) throws TacException

Check a message.

Parameters

keyId	Identifier of the private key from which the public key will be extracted for verification.
algHash	Hash algorithm used to verify the signature. See options in initHash().
padding	Padding used in the signature. See options in setPadding().
bSignature	Signature.
bMessage	Message for signature verification.

Return

Exceptions

TacException

verifySignature() [3/4]

int verifySignature	(	byte[]	hPublicKey,
		byte[]	hHash,
		byte[]	bSignature ) throws TacException

Check a message.

Parameters

hPublicKey	Handle of the public key. importKey().
hHash	Handle of the message hash. See initHash().
bSignature	Signature.

Return

Exceptions

TacException

verifySignature() [4/4]

int verifySignature	(	byte[]	hPublicKey,
		int	hashAlg,
		byte[]	bSignature,
		byte[]	bMessage ) throws TacException

Check a message.

Parameters

hPublicKey	Handle of the public key. See importKey().
hashAlg	Hash algorithm. See options in initHash().
bSignature	Signature.
bMessage	Message for signature verification.

Return

Exceptions

TacException

signHash()

byte[] signHash	(	String	keyId,
		int	algHash,
		byte[]	bMessage ) throws TacException

Signs a piece of data based on its content.

Parameters

keyId	Private key identifier.
algHash	Hash algorithm used in the signature. See options in initHash().
bMessage	Message.

Return

The generated signature.

Exceptions

TacException

Notes

The format of the generated signature complies with the specifications of PKCS#1 v.1.5, using padding type 1 when an RSA key is used, with the use of ECC keys the signature will be in the DER standard.

Obsolete

Use sign().

sign() [1/2]

byte[] sign	(	String	keyId,
		int	algHash,
		byte[]	bMessage ) throws TacException

Signs a piece of data based on its content.

Uses standard padding.

Parameters

keyId	Private key identifier.
algHash	Hash algorithm used in the signature. See options in initHash().
bMessage	Message.

Return

The generated signature.

Exceptions

TacException

Notes

The format of the generated signature complies with the specifications of PKCS#1 v.1.5, using padding type 1 when an RSA key is used, with the use of ECC keys the signature will be in the DER standard.

sign() [2/2]

byte[] sign	(	String	keyId,
		int	algHash,
		int	padding,
		byte[]	bMessage ) throws TacException

Signs a piece of data based on its content.

Parameters

keyId	Private key identifier.
algHash	Hash algorithm used in the signature. See options in initHash().
padding	Padding used in the signature. See options in setPadding().
bMessage	Message.

Return

The generated signature.

Exceptions

TacException

signHashedData() [1/4]

byte[] signHashedData	(	String	keyId,
		int	algHash,
		byte[]	bHash ) throws TacException

Signs a piece of data based on its previously computed hash.

Parameters

keyId	Private key identifier.
algHash	Hash algorithm used in the signature. Value Meaning TacNDJavaLib.ALG_MD5 MD5 hash algorithm. TacNDJavaLib.ALG_SHA1 SHA1 hash algorithm. TacNDJavaLib.ALG_SSL_SHA1_MD5 Hash for client authentication in SSLv3. TacNDJavaLib.ALG_SHA2_224 SHA2 hash algorithm - 224. TacNDJavaLib.ALG_SHA2_256 SHA2 hash algorithm - 256. TacNDJavaLib.ALG_SHA2_384 SHA2 hash algorithm - 384. TacNDJavaLib.ALG_SHA2_512 SHA2 hash algorithm - 512 TacNDJavaLib.ALG_SHA3_224 SHA3 hash algorithm - 224. TacNDJavaLib.ALG_SHA3_256 SHA3 hash algorithm - 256. TacNDJavaLib.ALG_SHA3_384 SHA3 hash algorithm - 384. TacNDJavaLib.ALG_SHA3_512 SHA3 hash algorithm - 512 TacNDJavaLib.ALG_IDENTITY_FUNC Identity function algorithm.
bHash	Previously computed hash of the message according to the algorithm defined in algHash.

Return

The generated signature.

Exceptions

TacException

Notes

The format of the generated signature complies with the specifications of PKCS#1 v.1.5, using padding type 1 when an RSA key is used, with the use of ECC keys the signature will be in the DER standard.

signHashedData() [2/4]

byte[] signHashedData	(	String	keyId,
		int	algHash,
		byte[]	bHash,
		boolean	useOID ) throws TacException

Signs a piece of data based on its previously computed hash.

Parameters

keyId	Private key identifier.
algHash	Hash algorithm used in the signature. Value Meaning TacNDJavaLib.ALG_MD5 MD5 hash algorithm. TacNDJavaLib.ALG_SHA1 SHA1 hash algorithm. TacNDJavaLib.ALG_SSL_SHA1_MD5 Hash for client authentication in SSLv3. TacNDJavaLib.ALG_SHA2_224 SHA2 hash algorithm - 224. TacNDJavaLib.ALG_SHA2_256 SHA2 hash algorithm - 256. TacNDJavaLib.ALG_SHA2_384 SHA2 hash algorithm - 384. TacNDJavaLib.ALG_SHA2_512 SHA2 hash algorithm - 512 TacNDJavaLib.ALG_SHA3_224 SHA3 hash algorithm - 224. TacNDJavaLib.ALG_SHA3_256 SHA3 hash algorithm - 256. TacNDJavaLib.ALG_SHA3_384 SHA3 hash algorithm - 384. TacNDJavaLib.ALG_SHA3_512 SHA3 hash algorithm - 512 TacNDJavaLib.ALG_IDENTITY_FUNC Identity function algorithm.
bHash	Previously computed hash of the message according to the algorithm defined in algHash.
useOID	When this argument is set to false, the object identifier (OID) is not placed in front of the hash value, as provided for in PKCS#7, DigestInfo attribute.

Return

The generated signature.

Exceptions

TacException

Notes

The format of the generated signature complies with the specifications of PKCS#1 v.1.5, using padding type 1 when an RSA key is used, with the use of ECC keys the signature will be in the DER standard.

signHashedData() [3/4]

byte[] signHashedData	(	String	keyId,
		int	algHash,
		byte[]	bHash,
		int	nFlags ) throws TacException

Signs a piece of data based on its previously computed hash.

Parameters

keyId	Private key identifier.
algHash	Hash algorithm used in the signature. Value Meaning TacNDJavaLib.ALG_MD5 MD5 hash algorithm. TacNDJavaLib.ALG_SHA1 SHA1 hash algorithm. TacNDJavaLib.ALG_SSL_SHA1_MD5 Hash for client authentication in SSLv3. TacNDJavaLib.ALG_SHA2_224 SHA2 hash algorithm - 224. TacNDJavaLib.ALG_SHA2_256 SHA2 hash algorithm - 256. TacNDJavaLib.ALG_SHA2_384 SHA2 hash algorithm - 384. TacNDJavaLib.ALG_SHA2_512 SHA2 hash algorithm - 512 TacNDJavaLib.ALG_SHA3_224 SHA3 hash algorithm - 224. TacNDJavaLib.ALG_SHA3_256 SHA3 hash algorithm - 256. TacNDJavaLib.ALG_SHA3_384 SHA3 hash algorithm - 384. TacNDJavaLib.ALG_SHA3_512 SHA3 hash algorithm - 512 TacNDJavaLib.ALG_IDENTITY_FUNC Identity function algorithm.
bHash	Previously computed hash of the message according to the algorithm defined in algHash.
nFlags	You must pass 0 or some modifier defined in the list below. Value Meaning NO_HASH_OID When this flag is specified, the object identifier (OID) is not placed in front of the hash value, as provided for in PKCS#7, DigestInfo attribute. By default, this OID is always added to the signature.

Return

The generated signature.

Exceptions

TacException

Notes

The format of the generated signature complies with the specifications of PKCS#1 v.1.5, using padding type 1 when an RSA key is used, with the use of ECC keys the signature will be in the DER standard.

signHashedData() [4/4]

byte[] signHashedData	(	byte[]	privateKeyHandle,
		int	algHash,
		byte[]	bHash,
		int	nFlags ) throws TacException

Signs a piece of data based on its previously computed hash.

Parameters

privateKeyHandle	Handle of the private key. Retrieved by the getKeyHandle() method.
algHash	Hash algorithm used in the signature. Value Meaning TacNDJavaLib.ALG_MD5 MD5 hash algorithm. TacNDJavaLib.ALG_SHA1 SHA1 hash algorithm. TacNDJavaLib.ALG_SSL_SHA1_MD5 Hash for client authentication in SSLv3. TacNDJavaLib.ALG_SHA2_224 SHA2 hash algorithm - 224. TacNDJavaLib.ALG_SHA2_256 SHA2 hash algorithm - 256. TacNDJavaLib.ALG_SHA2_384 SHA2 hash algorithm - 384. TacNDJavaLib.ALG_SHA2_512 SHA2 hash algorithm - 512 TacNDJavaLib.ALG_SHA3_224 SHA3 hash algorithm - 224. TacNDJavaLib.ALG_SHA3_256 SHA3 hash algorithm - 256. TacNDJavaLib.ALG_SHA3_384 SHA3 hash algorithm - 384. TacNDJavaLib.ALG_SHA3_512 SHA3 hash algorithm - 512 TacNDJavaLib.ALG_IDENTITY_FUNC Identity function algorithm.
bHash	Previously computed hash of the message according to the algorithm defined in algHash.
nFlags	You must pass 0 or some modifier defined in the list below. Value Meaning NO_HASH_OID When this flag is specified, the object identifier (OID) is not placed in front of the hash value, as provided for in PKCS#7, DigestInfo attribute. By default, this OID is always added to the signature.

Return

The generated signature.

Exceptions

TacException

Notes

The format of the generated signature complies with the specifications of PKCS#1 v.1.5, using padding type 1 when an RSA key is used, with the use of ECC keys the signature will be in the DER standard.

generateHash() [1/2]

byte[] generateHash	(	int	algId,
		int	flags,
		byte[]	data ) throws TacException

Generates a hash in just one call.

Parameters

algId	Indicates the HASH algorithm. Value Meaning TacNDJavaLib.ALG_MD5 MD5 hash algorithm. TacNDJavaLib.ALG_SHA1 SHA1 hash algorithm. TacNDJavaLib.ALG_SSL_SHA1_MD5 Hash for client authentication in SSLv3. TacNDJavaLib.ALG_SHA2_224 SHA2 hash algorithm - 224. TacNDJavaLib.ALG_SHA2_256 SHA2 hash algorithm - 256. TacNDJavaLib.ALG_SHA2_384 SHA2 hash algorithm - 384. TacNDJavaLib.ALG_SHA2_512 SHA2 hash algorithm - 512 TacNDJavaLib.ALG_SHA3_224 SHA3 hash algorithm - 224. TacNDJavaLib.ALG_SHA3_256 SHA3 hash algorithm - 256. TacNDJavaLib.ALG_SHA3_384 SHA3 hash algorithm - 384. TacNDJavaLib.ALG_SHA3_512 SHA3 hash algorithm - 512 TacNDJavaLib.ALG_IDENTITY_FUNC Identity function algorithm.
flags	Zero must be spent.
data	Message.

Return

Hash generated.

Exceptions

TacException

generateHash() [2/2]

byte[] generateHash	(	int	algId,
		byte[]	data ) throws TacException

Generates a hash in just one call.

Parameters

algId

Indicates the HASH algorithm. Value Meaning TacNDJavaLib.ALG_MD5 MD5 hash algorithm. TacNDJavaLib.ALG_SHA1 SHA1 hash algorithm. TacNDJavaLib.ALG_SSL_SHA1_MD5 Hash for client authentication in SSLv3. TacNDJavaLib.ALG_SHA2_224 SHA2 hash algorithm - 224. TacNDJavaLib.ALG_SHA2_256 SHA2 hash algorithm - 256. TacNDJavaLib.ALG_SHA2_384 SHA2 hash algorithm - 384. TacNDJavaLib.ALG_SHA2_512 SHA2 hash algorithm - 512 TacNDJavaLib.ALG_SHA3_224 SHA3 hash algorithm - 224. TacNDJavaLib.ALG_SHA3_256 SHA3 hash algorithm - 256. TacNDJavaLib.ALG_SHA3_384 SHA3 hash algorithm - 384. TacNDJavaLib.ALG_SHA3_512 SHA3 hash algorithm - 512 TacNDJavaLib.ALG_IDENTITY_FUNC Identity function algorithm.

data

Message.

Return

Hash generated.

Exceptions

TacException

initHash() [1/2]

void initHash	(	int	algId,
		int	flags ) throws TacException

Initializes a piecewise hash operation.

It must be finalized with endHash.

Parameters

algId

Indicates the HASH algorithm. Value Meaning TacNDJavaLib.ALG_MD5 MD5 hash algorithm. TacNDJavaLib.ALG_SHA1 SHA1 hash algorithm. TacNDJavaLib.ALG_SSL_SHA1_MD5 Hash for client authentication in SSLv3. TacNDJavaLib.ALG_SHA2_224 SHA2 hash algorithm - 224. TacNDJavaLib.ALG_SHA2_256 SHA2 hash algorithm - 256. TacNDJavaLib.ALG_SHA2_384 SHA2 hash algorithm - 384. TacNDJavaLib.ALG_SHA2_512 SHA2 hash algorithm - 512 TacNDJavaLib.ALG_SHA3_224 SHA3 hash algorithm - 224. TacNDJavaLib.ALG_SHA3_256 SHA3 hash algorithm - 256. TacNDJavaLib.ALG_SHA3_384 SHA3 hash algorithm - 384. TacNDJavaLib.ALG_SHA3_512 SHA3 hash algorithm - 512 TacNDJavaLib.ALG_IDENTITY_FUNC Identity function algorithm.

flags

Zero must be spent.

Exceptions

TacException

Notes

The piecemeal operation MUST be initialized with initHash, the data passed with updateHash and finished with endHash.
updateHash can be called once or several times until the entire content of the message is sent and then endHash to finish the operation and generate the HASH.
A multi-part operation cannot be interspersed with other operations within the same session until it is finished with endHash.

initHash() [2/2]

void initHash

(

int

algId

)

throws TacException

Initializes a piecewise hash operation.

It must be finalized with endHash.

Parameters

algId

Indicates the HASH algorithm. Value Meaning TacNDJavaLib.ALG_MD5 MD5 hash algorithm. TacNDJavaLib.ALG_SHA1 SHA1 hash algorithm. TacNDJavaLib.ALG_SSL_SHA1_MD5 Hash for client authentication in SSLv3. TacNDJavaLib.ALG_SHA2_224 SHA2 hash algorithm - 224. TacNDJavaLib.ALG_SHA2_256 SHA2 hash algorithm - 256. TacNDJavaLib.ALG_SHA2_384 SHA2 hash algorithm - 384. TacNDJavaLib.ALG_SHA2_512 SHA2 hash algorithm - 512 TacNDJavaLib.ALG_SHA3_224 SHA3 hash algorithm - 224. TacNDJavaLib.ALG_SHA3_256 SHA3 hash algorithm - 256. TacNDJavaLib.ALG_SHA3_384 SHA3 hash algorithm - 384. TacNDJavaLib.ALG_SHA3_512 SHA3 hash algorithm - 512 TacNDJavaLib.ALG_IDENTITY_FUNC Identity function algorithm.

Exceptions

TacException

Notes

The piecemeal operation MUST be initialized with initHash, the data passed with updateHash and finished with endHash.
updateHash can be called once or several times until the entire content of the message is sent and then endHash to finish the operation and generate the HASH.
A multi-part operation cannot be interspersed with other operations within the same session until it is finished with endHash.

updateHash()

void updateHash

(

byte[]

data

)

throws TacException

Updates a hash operation with more data.

Parameters

data

Message.

Exceptions

TacException

Notes

The piecemeal operation MUST be initialized with initHash, the data passed with updateHash and finished with endHash.
updateHash can be called once or several times until the entire content of the message is sent and then endHash to finish the operation and generate the HASH.
A multi-part operation cannot be interspersed with other operations within the same session until it is finished with endHash.

endHash()

byte[] endHash

(

)

throws TacException

Finalizes a hash operation.

Return

HASH generated.

Exceptions

TacException

Notes

The piecemeal operation MUST be initialized with initHash, the data passed with updateHash and finished with endHash.
updateHash can be called once or several times until the entire content of the message is sent and then endHash to finish the operation and generate the HASH.
A multi-part operation cannot be interspersed with other operations within the same session until it is finished with endHash.

generateMAC() [1/2]

byte[] generateMAC	(	int	algId,
		String	macKey,
		int	flags,
		byte[]	data ) throws TacException

Generates a MAC in just one call.

Parameters

algId	Indicates the MAC algorithm. Value Meaning TacNDJavaLib.ALG_HMAC_MD5 HMAC MD5 algorithm. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA1 HMAC SHA1 algorithm. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_256 HMAC SHA2 algorithm - 256. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_384 HMAC SHA2 algorithm - 384. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_512 HMAC SHA2 algorithm - 512. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_CMAC_DES CMAC 3DES algorithm. hmacKey must be the name of the 3DES key used in CMAC. TacNDJavaLib.ALG_CMAC_AES CMAC AES algorithm. hmacKey must be the name of the AES key used in CMAC.
macKey	MAC key name.
flags	Zero must be spent.
data	Message.

Return

MAC generated.

Exceptions

TacException

generateMAC() [2/2]

byte[] generateMAC	(	int	algId,
		String	macKey,
		byte[]	data ) throws TacException

Generates a MAC in just one call.

Parameters

algId	Indicates the MAC algorithm. Value Meaning TacNDJavaLib.ALG_HMAC_MD5 HMAC MD5 algorithm. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA1 HMAC SHA1 algorithm. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_256 HMAC SHA2 algorithm - 256. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_384 HMAC SHA2 algorithm - 384. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_512 HMAC SHA2 algorithm - 512. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_CMAC_DES CMAC 3DES algorithm. hmacKey must be the name of the 3DES key used in CMAC. TacNDJavaLib.ALG_CMAC_AES CMAC AES algorithm. hmacKey must be the name of the AES key used in CMAC.
macKey	MAC key name.
data	Message.

Return

MAC generated.

Exceptions

TacException

initMAC() [1/2]

void initMAC	(	int	algId,
		String	macKey,
		int	flags ) throws TacException

Initializes a MAC operation in parts.

It must be finalized with endMAC.

Parameters

algId	Indicates the MAC algorithm. Value Meaning TacNDJavaLib.ALG_HMAC_MD5 HMAC MD5 algorithm. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA1 HMAC SHA1 algorithm. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_256 HMAC SHA2 algorithm - 256. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_384 HMAC SHA2 algorithm - 384. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_512 HMAC SHA2 algorithm - 512. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_CMAC_DES CMAC 3DES algorithm. hmacKey must be the name of the 3DES key used in CMAC. TacNDJavaLib.ALG_CMAC_AES CMAC AES algorithm. hmacKey must be the name of the AES key used in CMAC.
macKey	MAC key name.
flags	Zero must be spent.

Exceptions

TacException

Notes

The piecewise operation MUST be initialized with initMAC, the data passed with updateMAC and finished with endMAC.
updateMAC can be called once or several times until the entire content of the message has been sent and then endMAC to finish the operation and generate the MAC.
A multi-part operation cannot be interspersed with other operations within the same session until it is finished with endMAC.

initMAC() [2/2]

void initMAC	(	int	algId,
		String	macKey ) throws TacException

Initializes a MAC operation in parts.

It must be finalized with endMAC.

Parameters

algId

Indicates the MAC algorithm. Value Meaning TacNDJavaLib.ALG_HMAC_MD5 HMAC MD5 algorithm. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA1 HMAC SHA1 algorithm. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_256 HMAC SHA2 algorithm - 256. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_384 HMAC SHA2 algorithm - 384. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_HMAC_SHA2_512 HMAC SHA2 algorithm - 512. hmacKey must be the name of the key used in HMAC. TacNDJavaLib.ALG_CMAC_DES CMAC 3DES algorithm. hmacKey must be the name of the 3DES key used in CMAC. TacNDJavaLib.ALG_CMAC_AES CMAC AES algorithm. hmacKey must be the name of the AES key used in CMAC.

macKey

MAC key name.

Exceptions

TacException

Notes

The piecewise operation MUST be initialized with initMAC, the data passed with updateMAC and finished with endMAC.
updateMAC can be called once or several times until the entire content of the message has been sent and then endMAC to finish the operation and generate the MAC.
A multi-part operation cannot be interspersed with other operations within the same session until it is finished with endMAC.

updateMAC()

void updateMAC

(

byte[]

data

)

throws TacException

Updates a MAC operation with more data.

Parameters

data

Message.

Exceptions

TacException

Notes

The piecewise operation MUST be initialized with initMAC, the data passed with updateMAC and finished with endMAC.
updateMAC can be called once or several times until the entire content of the message has been sent and then endMAC to finish the operation and generate the MAC.
A multi-part operation cannot be interspersed with other operations within the same session until it is finished with endMAC.

endMAC()

byte[] endMAC

(

)

throws TacException

Ends a MAC operation.

Return

MAC generated.

Exceptions

TacException

Notes

The piecewise operation MUST be initialized with initMAC, the data passed with updateMAC and finished with endMAC.
updateMAC can be called once or several times until the entire content of the message has been sent and then endMAC to finish the operation and generate the MAC.
A multi-part operation cannot be interspersed with other operations within the same session until it is finished with endMAC.