Skip to content

Support for PBES1 algorithms #1189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jasonkatonica merged 1 commit into from
Feb 24, 2026
Merged

Support for PBES1 algorithms #1189

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -301,6 +301,11 @@ AlgorithmParameters | EC |X
AlgorithmParameters | GCM |X |X | |
AlgorithmParameters | OAEP |X |X | |
AlgorithmParameters | RSAPSS |X |X | |
AlgorithmParameters | PBEWithSHA1AndDESede | |X | |
AlgorithmParameters | PBEWithSHA1AndRC2_40 | |X | |
AlgorithmParameters | PBEWithSHA1AndRC2_128 | |X | |
AlgorithmParameters | PBEWithSHA1AndRC4_40 | |X | |
AlgorithmParameters | PBEWithSHA1AndRC4_128 | |X | |
AlgorithmParameters | PBEWithHmacSHA1AndAES_128 | |X | |
AlgorithmParameters | PBEWithHmacSHA1AndAES_256 | |X | |
AlgorithmParameters | PBEWithHmacSHA224AndAES_128 | |X | |
Expand All @@ -322,6 +327,11 @@ Cipher | ChaCha20 |
Cipher | ChaCha20-Poly1305 | |X | |
Cipher | DESede | |X | |
Cipher | RSA |X |X | |
Cipher | PBEWithSHA1AndDESede | |X | |
Cipher | PBEWithSHA1AndRC2_40 | |X | |
Cipher | PBEWithSHA1AndRC2_128 | |X | |
Cipher | PBEWithSHA1AndRC4_40 | |X | |
Cipher | PBEWithSHA1AndRC4_128 | |X | |
Cipher | PBEWithHmacSHA1AndAES_128 | |X | |
Cipher | PBEWithHmacSHA1AndAES_256 | |X | |
Cipher | PBEWithHmacSHA224AndAES_128 | |X | |
Expand Down Expand Up @@ -434,6 +444,11 @@ SecretKeyFactory | PBKDF2WithHmacSHA384 |X
SecretKeyFactory | PBKDF2WithHmacSHA512 |X |X | |
SecretKeyFactory | PBKDF2WithHmacSHA512/224 | |X | |
SecretKeyFactory | PBKDF2WithHmacSHA512/256 | |X | |
SecretKeyFactory | PBEWithSHA1AndDESede | |X | |
SecretKeyFactory | PBEWithSHA1AndRC2_40 | |X | |
SecretKeyFactory | PBEWithSHA1AndRC2_128 | |X | |
SecretKeyFactory | PBEWithSHA1AndRC4_40 | |X | |
SecretKeyFactory | PBEWithSHA1AndRC4_128 | |X | |
SecretKeyFactory | PBEWithHmacSHA1AndAES_128 | |X | |
SecretKeyFactory | PBEWithHmacSHA1AndAES_256 | |X | |
SecretKeyFactory | PBEWithHmacSHA224AndAES_128 | |X | |
Expand Down
3 changes: 1 addition & 2 deletions src/main/java/com/ibm/crypto/plus/provider/DESedeCipher.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,12 @@
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.CipherSpi;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.IvParameterSpec;

public final class DESedeCipher extends CipherSpi implements DESConstants {
public final class DESedeCipher extends LegacyCipher implements DESConstants {

private OpenJCEPlusProvider provider = null;
private SymmetricCipher symmetricCipher = null;
Expand Down
80 changes: 80 additions & 0 deletions src/main/java/com/ibm/crypto/plus/provider/LegacyCipher.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
/*
* Copyright IBM Corp. 2026
*
* This code is free software; you can redistribute it and/or modify it
* under the terms provided by IBM in the LICENSE file that accompanied
* this code, including the "Classpath" Exception described therein.
*/

package com.ibm.crypto.plus.provider;

import java.security.AlgorithmParameters;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.BadPaddingException;
import javax.crypto.CipherSpi;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.ShortBufferException;

abstract class LegacyCipher extends CipherSpi {

@Override
protected abstract byte[] engineDoFinal(byte[] input, int inputOffset, int inputLen)
throws IllegalBlockSizeException, BadPaddingException;

@Override
protected abstract int engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[] output,
int outputOffset) throws ShortBufferException, IllegalBlockSizeException, BadPaddingException;

@Override
protected abstract int engineGetBlockSize();

@Override
protected abstract int engineGetKeySize(Key key) throws InvalidKeyException;

@Override
protected abstract byte[] engineGetIV();

@Override
protected abstract int engineGetOutputSize(int inputLen);

@Override
protected abstract AlgorithmParameters engineGetParameters();

@Override
protected abstract void engineInit(int opmode, Key key, SecureRandom random) throws InvalidKeyException;

@Override
protected abstract void engineInit(int opmode, Key key, AlgorithmParameterSpec params,
SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException;

@Override
protected abstract void engineInit(int opmode, Key key, AlgorithmParameters params, SecureRandom random)
throws InvalidKeyException, InvalidAlgorithmParameterException;

@Override
protected abstract void engineSetMode(String mode) throws NoSuchAlgorithmException;

@Override
protected abstract void engineSetPadding(String padding) throws NoSuchPaddingException;

@Override
protected abstract byte[] engineUpdate(byte[] input, int inputOffset, int inputLen);

@Override
protected abstract int engineUpdate(byte[] input, int inputOffset, int inputLen, byte[] output,
int outputOffset) throws ShortBufferException;

@Override
protected abstract byte[] engineWrap(Key key) throws InvalidKeyException, IllegalBlockSizeException;

@Override
protected abstract Key engineUnwrap(byte[] wrappedKey, String algorithm, int type)
throws InvalidKeyException, NoSuchAlgorithmException;

}
12 changes: 12 additions & 0 deletions src/main/java/com/ibm/crypto/plus/provider/MessageDigest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,18 @@ protected int engineGetDigestLength() {
}
}

/*
* This method helps in deriving PKCS12 key by performing update and digest in C
* in an iteration count loop avoiding excess JNI calls.
*/
protected byte[] PKCS12KeyDeriveHelp(byte[] input, int offset, int length, int iterationCount) {
try {
return this.digest.PKCS12KeyDeriveHelp(input, offset, length, iterationCount);
} catch (Exception e) {
throw provider.providerException("Failure in PKCS12 key derivation native helper method", e);
}
}

/**
* Compares two digests for equality. Two digests are equal if they have
* the same length and all bytes at corresponding positions are equal.
Expand Down
69 changes: 66 additions & 3 deletions src/main/java/com/ibm/crypto/plus/provider/OpenJCEPlus.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,13 +25,15 @@ public final class OpenJCEPlus extends OpenJCEPlusProvider {
+ " PBEWithHmacSHA1AndAES_128, PBEWithHmacSHA1AndAES_256, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA224AndAES_256\n"
+ " PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA384AndAES_256\n"
+ " PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA512AndAES_256, PBEWithHmacSHA512/224AndAES_128, PBEWithHmacSHA512/224AndAES_256\n"
+ " PBEWithHmacSHA512/256AndAES_128, PBEWithHmacSHA512/256AndAES_256\n"
+ " PBEWithHmacSHA512/256AndAES_128, PBEWithHmacSHA512/256AndAES_256\n"
+ " PBEWithSHA1AndDESede, PBEWithSHA1AndRC2_40, PBEWithSHA1AndRC2_128, PBEWithSHA1AndRC4_40, PBEWithSHA1AndRC4_128\n"
+ "Algorithm parameter generator : DiffieHellman, DSA, EC, XEC, GCM, CCM\n"
+ "Cipher algorithms : AES, ChaCha20, ChaCha20-Poly1305, DESede, RSA\n"
+ " PBEWithHmacSHA1AndAES_128, PBEWithHmacSHA1AndAES_256, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA224AndAES_256\n"
+ " PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA384AndAES_256\n"
+ " PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA512AndAES_256, PBEWithHmacSHA512/224AndAES_128, PBEWithHmacSHA512/224AndAES_256\n"
+ " PBEWithHmacSHA512/256AndAES_128, PBEWithHmacSHA512/256AndAES_256\n"
+ " PBEWithHmacSHA512/256AndAES_128, PBEWithHmacSHA512/256AndAES_256\n"
+ " PBEWithSHA1AndDESede, PBEWithSHA1AndRC2_40, PBEWithSHA1AndRC2_128, PBEWithSHA1AndRC4_40, PBEWithSHA1AndRC4_128\n"
+ "Key agreement algorithms : DiffieHellman, ECDH, XDH\n"
+ "Key Encapsulation Mechanisms : ML-KEM-512, ML-KEM-768, ML-KEM-1024\n"
+ "Key factory : DiffieHellman, DSA, EC, XEC, RSA, RSAPSS, ML-KEM-512, ML-KEM-768, ML-KEM-1024\n"
Expand All @@ -51,7 +53,8 @@ public final class OpenJCEPlus extends OpenJCEPlusProvider {
+ " PBEWithHmacSHA1AndAES_128, PBEWithHmacSHA1AndAES_256, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA224AndAES_256\n"
+ " PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA384AndAES_256\n"
+ " PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA512AndAES_256, PBEWithHmacSHA512/224AndAES_128, PBEWithHmacSHA512/224AndAES_256\n"
+ " PBEWithHmacSHA512/256AndAES_128, PBEWithHmacSHA512/256AndAES_256\n"
+ " PBEWithHmacSHA512/256AndAES_128, PBEWithHmacSHA512/256AndAES_256\n"
+ " PBEWithSHA1AndDESede, PBEWithSHA1AndRC2_40, PBEWithSHA1AndRC2_128, PBEWithSHA1AndRC4_40, PBEWithSHA1AndRC4_128\n"
+ "Secure random : HASHDRBG, SHA256DRBG, SHA512DRBG\n"
+ "Signature algorithms : NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA,\n"
+ " SHA3-224withDSA, SHA3-256withDSA, SHA3-384withDSA, SHA3-512withDSA,\n"
Expand Down Expand Up @@ -215,6 +218,26 @@ private void registerAlgorithms(Provider jce) {
putService(new OpenJCEPlusService(jce, "AlgorithmParameters", "ChaCha20-Poly1305",
"com.ibm.crypto.plus.provider.ChaCha20Poly1305Parameters", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "AlgorithmParameters", "PBEWithSHA1AndDESede",
"com.ibm.crypto.plus.provider.PBEParameters", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "AlgorithmParameters", "PBEWithSHA1AndRC2_40",
"com.ibm.crypto.plus.provider.PBEParameters", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "AlgorithmParameters", "PBEWithSHA1AndRC2_128",
"com.ibm.crypto.plus.provider.PBEParameters", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "AlgorithmParameters", "PBEWithSHA1AndRC4_40",
"com.ibm.crypto.plus.provider.PBEParameters", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "AlgorithmParameters", "PBEWithSHA1AndRC4_128",
"com.ibm.crypto.plus.provider.PBEParameters", aliases));

/* =======================================================================
* Algorithm parameter generation engines
* =======================================================================
Expand Down Expand Up @@ -373,6 +396,26 @@ private void registerAlgorithms(Provider jce) {
putService(new OpenJCEPlusService(jce, "Cipher", "PBEWithHmacSHA512/256AndAES_256",
"com.ibm.crypto.plus.provider.PBES2Core$HmacSHA512_256AndAES_256", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "Cipher", "PBEWithSHA1AndDESede",
"com.ibm.crypto.plus.provider.PBES1Core$PBEWithSHA1AndDESede", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "Cipher", "PBEWithSHA1AndRC2_40",
"com.ibm.crypto.plus.provider.PBES1Core$PBEWithSHA1AndRC2_40", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "Cipher", "PBEWithSHA1AndRC2_128",
"com.ibm.crypto.plus.provider.PBES1Core$PBEWithSHA1AndRC2_128", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "Cipher", "PBEWithSHA1AndRC4_40",
"com.ibm.crypto.plus.provider.PBES1Core$PBEWithSHA1AndRC4_40", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "Cipher", "PBEWithSHA1AndRC4_128",
"com.ibm.crypto.plus.provider.PBES1Core$PBEWithSHA1AndRC4_128", aliases));

/* =======================================================================
* Key agreement
* =======================================================================
Expand Down Expand Up @@ -930,6 +973,26 @@ private void registerAlgorithms(Provider jce) {
aliases = null;
putService(new OpenJCEPlusService(jce, "SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256",
"com.ibm.crypto.plus.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "SecretKeyFactory", "PBEWithSHA1AndDESede",
"com.ibm.crypto.plus.provider.PBEKeyFactory$PBEWithSHA1AndDESede", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "SecretKeyFactory", "PBEWithSHA1AndRC2_40",
"com.ibm.crypto.plus.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "SecretKeyFactory", "PBEWithSHA1AndRC2_128",
"com.ibm.crypto.plus.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "SecretKeyFactory", "PBEWithSHA1AndRC4_40",
"com.ibm.crypto.plus.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", aliases));

aliases = null;
putService(new OpenJCEPlusService(jce, "SecretKeyFactory", "PBEWithSHA1AndRC4_128",
"com.ibm.crypto.plus.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", aliases));

/* =======================================================================
* SecureRandom
Expand Down
32 changes: 31 additions & 1 deletion src/main/java/com/ibm/crypto/plus/provider/PBEKeyFactory.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright IBM Corp. 2025
* Copyright IBM Corp. 2025, 2026
*
* This code is free software; you can redistribute it and/or modify it
* under the terms provided by IBM in the LICENSE file that accompanied
Expand Down Expand Up @@ -121,6 +121,36 @@ public PBEWithHmacSHA512_256AndAES_256(OpenJCEPlusProvider provider) {
}
}

public static final class PBEWithSHA1AndDESede extends PBEKeyFactory {
public PBEWithSHA1AndDESede(OpenJCEPlusProvider provider) {
super("PBEWithSHA1AndDESede", provider);
}
}

public static final class PBEWithSHA1AndRC2_40 extends PBEKeyFactory {
public PBEWithSHA1AndRC2_40(OpenJCEPlusProvider provider) {
super("PBEWithSHA1AndRC2_40", provider);
}
}

public static final class PBEWithSHA1AndRC2_128 extends PBEKeyFactory {
public PBEWithSHA1AndRC2_128(OpenJCEPlusProvider provider) {
super("PBEWithSHA1AndRC2_128", provider);
}
}

public static final class PBEWithSHA1AndRC4_40 extends PBEKeyFactory {
public PBEWithSHA1AndRC4_40(OpenJCEPlusProvider provider) {
super("PBEWithSHA1AndRC4_40", provider);
}
}

public static final class PBEWithSHA1AndRC4_128 extends PBEKeyFactory {
public PBEWithSHA1AndRC4_128(OpenJCEPlusProvider provider) {
super("PBEWithSHA1AndRC4_128", provider);
}
}

/**
* Generates a <code>SecretKey</code> object from the provided key
* specification (key material).
Expand Down
Loading