JAVA Toolkit
versions

IAIK-JCE 5.4 - 28. June 2017

Class or Package [B = Bug, C = Change, NF = New Feature]: Description and Examples

* [C, NF]
    jar files signed with both the old (supporting the old DSA JCE Root CA) and the new (supporting the new RSA JCE Root CA) IAIK-JCE provider certificate. The new certificate provides stronger protection (SHA256withRSA) than the old one (SHA1withDSA). The new JCE Root CA is effective for Java versions 8u121, 7u131 and 6u141 upwards. To support other (former) Java versions the jar files must be signed with the old provider certificate, too.

iaik.asn1.structures.AlgorithmID, iaik.security.provider.IAIK [NF]
    Added AlgorithmIDs and aliases (2.16.840.1.101.3.4.3.3, 2.16.840.1.101.3.4.3.4) for the dsaWithSHA384 and dsaWithSHA512 signature algorithms.

iaik.asn1.structures.ChoiceOfTime [B]
    Fixed the milliseconds representation when creating a ChoiceOfTime object of type GeneralizedTime from a Date object.

iaik.security.cipher [B]
    Fixed internal buffering and input length calculation for CCM mode.

iaik.security.cipher.AESCBCCMac128, iaik.security.cipher.AESCBCCMac192, iaik.security.cipher.AESCBCCMac256 [NF]
    Implementation of the BSI TR-03109-1 AES-CBC-CMAC authenticated encryption cipher family (ciphers, key generators, algorithm parameters, secret key factories).

iaik.security.cipher.CCMParameters, iaik.security.cipher.GCMParameters [B]
    Fixed default encoding (the aes-ICVlen component is not included if the default length (12) is used).

iaik.security.cipher.ChaCha20 [NF]
    Implementation of the ChaCha20 stream cipher as specified by RFC 7539.

iaik.security.random.SecRandom [NF]
    Added method getAlgorithm() so that it can also be called when the SecureRandom object has been created in the old way via the PRNG class constructor (instead of SecureRandom.getInstance()).

iaik.security.random.HMacSHA384SP80090Random [B]
    Fixed to actually use HMacSHA384 (so far HMacSHA512 was used when the HMacSHA384SP80090Random object was created in the old way via its constructor).

iaik.security.random [C]
    Synchronized engineGetBytes and engineSetSeed to avoid synchronization issues with JDK versions >= 8u112.

iaik.x509.NetscapeCertRequest [NF]
    Method getChallenge() added to get the challenge from the request. Constructors/methods added that allow creating and signing a NetscapeCertRequest from scratch.

iaik.x509.extensions.qualified.structures.etsi.QcType [NF]
    Implementation of the ETSI EN 319 412-5 QcType QCStatementInfo for declaring the type(s) of EU qualified certificates.

iaik.x509.X509Certificate, iaik.x509.RevokedCertificate, iaik.x509.attr.AttributeCertificate, iaik.x509.attr.IssuerSerial, iaik.x509.ocsp.CertID [C, NF]
    Added hexadecimal representation to the serial number output of the toString() method.

iaik.x509.ocsp.extensions.CrlID [CF]
    Changed toString method to output the CRL number in hexadecimal representation.

IAIK-JCE 5.3 - 23. December 2015

Class or Package [B = Bug, C = Change, NF = New Feature]: Description and Examples

demo.pkcs.EnvelopedDataOAEP [C]
    Shows usage with non-default OAEP parameters. Now uses the standard RSA-OAEP algorithm OID.

iaik.asn1.ASN [C]
    Default ASN.1 types are now registered by their class name to avoid static initialization dependencies.

iaik.asn1.ASN1 [NF]
    Method readEncoded added, allowing to read the encoding of an ASN.1 object from a stream without keeping the internal ASN.1 structure in memory.

iaik.asn1.structures.AlgorithmID [B]
    Fixed NULL/absent parameter handling when parsed from an InputStream (AlgorithmID(DerInputStream)).

iaik.asn1.structures.PolicyQualifierInfo [C]
    Tighter explicit text check.

iaik.pkcs.pkcs1.PKCS1v15Padding, iaik.pkcs.pkcs1.OAEPPadding [C]
    Made unpadding more time-constant.
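The security point behind this change is a timing side channel: PKCS#1 v1.5 unpadding that stops at the first malformed byte lets a caller learn from response times whether a chosen ciphertext had valid padding, which is the oracle behind Bleichenbacher-style attacks on RSA decryption services. The following is an added example, not IAIK code, of a branch-free type 2 unpadding routine in plain Java; the class and helper names are this example's own.

```java
import java.util.Arrays;

/**
 * Added example (not IAIK code): PKCS#1 v1.5 type 2 unpadding whose running time
 * depends only on the block length, not on where (or whether) the padding is
 * malformed. Every check is folded into one flag that is tested once at the end.
 */
public final class ConstantTimeUnpad {

    /** All-ones int if b == 0, otherwise 0, without a branch. */
    static int isZeroMask(byte b) {
        int v = b & 0xFF;
        return (v - 1) >> 31;   // v - 1 is negative only for v == 0; arithmetic shift spreads the sign bit
    }

    /** All-ones int if a != expected (as bytes), otherwise 0, without a branch. */
    static int notEqualMask(byte a, int expected) {
        int d = (a ^ expected) & 0xFF;
        return -d >> 31;        // -d is negative for any d in 1..255
    }

    /**
     * Returns the message if em = 0x00 || 0x02 || PS (at least 8 non-zero bytes) || 0x00 || M,
     * otherwise null. The loop always scans the whole block.
     */
    public static byte[] unpad(byte[] em) {
        if (em.length < 11) {          // the block length is public, so this branch leaks nothing secret
            return null;
        }
        int bad = 0;
        bad |= notEqualMask(em[0], 0x00);
        bad |= notEqualMask(em[1], 0x02);

        int found = 0;                 // becomes all-ones once the first 0x00 after index 1 is seen
        int sep = 0;                   // index of that separator byte
        for (int i = 2; i < em.length; i++) {
            int zero = isZeroMask(em[i]);
            int first = zero & ~found; // all-ones only for the first zero byte
            sep |= first & i;
            found |= zero;
        }
        bad |= ~found;                 // no separator at all
        bad |= (sep - 10) >> 31;       // separator before index 10 means PS is shorter than 8 bytes

        // Single final decision on the combined flag; nothing above branched on secret data.
        if (bad != 0) {
            return null;
        }
        return Arrays.copyOfRange(em, sep + 1, em.length);
    }

    public static void main(String[] args) {
        // Constructed sample block: 00 02 | eight non-zero padding bytes | 00 | "hi"
        byte[] em = {0x00, 0x02, 1, 2, 3, 4, 5, 6, 7, 8, 0x00, 'h', 'i'};
        System.out.println(new String(unpad(em)));                        // hi
        em[1] = 0x01;                                                     // wrong block type
        System.out.println(unpad(em) == null ? "rejected" : "accepted");  // rejected
    }
}
```

The final branch on `bad` still tells the caller valid/invalid; a decryption service has to hide that distinction at the protocol level as well (for example by continuing with a random premaster secret in TLS RSA key exchange). `MessageDigest.isEqual` in the JDK applies the same branch-free style to comparing MAC tags.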

iaik.pkcs.pkcs1.RSACipher [C, NF]
    When the Cipher is used in ENCRYPT mode for signature creation with CRT keys, the signature value is verified as a countermeasure against RSA CRT key leaks. The check can be disabled with the new static method RSACipher.setDoVerifyCRTSignature(false). The check is not performed for PSS signatures since they are not deterministic.
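The countermeasure described here addresses a well-known failure mode: a single faulty RSA-CRT computation (hardware glitch, bit flip) produces a signature from which a prime factor of the modulus can be computed, so a signer must never release a signature it has not checked. The example below is added here and is not IAIK code; it implements the same idea against the standard JCE API by verifying with the public key before returning, using a deterministic PKCS#1 v1.5 scheme. The key pair is generated inline; class and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

/** Added example (not IAIK code): verify every RSA signature before releasing it. */
public final class VerifiedRsaSigner {

    private static final String ALG = "SHA256withRSA";   // deterministic, so a re-check is unambiguous

    private final PrivateKey priv;
    private final PublicKey pub;

    VerifiedRsaSigner(KeyPair kp) {
        this.priv = kp.getPrivate();
        this.pub = kp.getPublic();
    }

    /**
     * Signs data and re-verifies the result with the public key. A faulty CRT
     * computation yields a value that does not verify; that value must not be
     * returned, logged or transmitted, because it can be used to factor the
     * modulus. Throwing discards it.
     */
    byte[] sign(byte[] data) throws GeneralSecurityException {
        Signature signer = Signature.getInstance(ALG);
        signer.initSign(priv);
        signer.update(data);
        byte[] sig = signer.sign();

        Signature checker = Signature.getInstance(ALG);
        checker.initVerify(pub);
        checker.update(data);
        if (!checker.verify(sig)) {
            // Deliberately do not include the bad signature in the message.
            throw new SignatureException("signature self-check failed; result discarded");
        }
        return sig;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        VerifiedRsaSigner s = new VerifiedRsaSigner(kpg.generateKeyPair());
        byte[] sig = s.sign("constructed sample message".getBytes(StandardCharsets.UTF_8));
        System.out.println("signature length: " + sig.length + " bytes (self-check passed)");
    }
}
```

The cost is one public-key operation per signature, which is small compared with the private-key operation. Verifying with the public key, as done here, also works for randomized schemes such as PSS; the page's note about PSS applies to IAIK's own check, which is skipped because a PSS signature cannot be recomputed for comparison.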

iaik.pkcs.pkcs1.RSAOaepParameters [B]
    Fixed pSourceAlgorithm DEFAULT parameter check.

iaik.pkcs.pkcs1.PKCS1AlgorithmParameters, iaik.pkcs.pkcs1.MGF1Parameters, iaik.pkcs.pkcs1.RSASSAPkcs1v15Parameters, iaik.pkcs.pkcs1.RSAOaepParameters, iaik.pkcs.pkcs1.RSAPssParameters [C]
    When initialized from an encoding (init(byte[] params)), the encoded parameters are kept and returned unchanged when getEncoded() is called.

iaik.pkcs.pkcs1.RSAOaepPSourceParameterSpec [C]
    Check for correct label encoding.

iaik.security.md.SHA3_224, iaik.security.md.SHA3_256, iaik.security.md.SHA3_384, iaik.security.md.SHA3_512 [NF]
    MessageDigest engines for the NIST FIPS PUB 202 Secure Hash Algorithm 3 (SHA-3) hash functions added (SHA3-224, SHA3-256, SHA3-384, SHA3-512).

iaik.security.md.SHAKE128InputStream, iaik.security.md.SHAKE256InputStream [NF]
    InputStream implementations for the NIST FIPS PUB 202 Secure Hash Algorithm 3 (SHA-3) extendable output functions (XOFs) SHAKE128 and SHAKE256 added.

iaik.x509.RevokedCertificate [B]
    Fixed possible NullPointerException in method toString.

iaik.x509.X509CRL [B]
    Fixed possible NullPointerException in method setSignature.

iaik.x509.net.ldap.LdapURLConnection [C]
    connect: if readTimeOut is set, it is also registered as the JNDI com.sun.jndi.ldap.read.timeout environment property.

IAIK-JCE 5.25 - 05. March 2015

Class or Package [B = Bug, C = Change, NF = New Feature]: Description and Examples

iaik.pkcs.pkcs12.PKCS12KeyStore [C]
    Method engineLoad now checks unencrypted AuthenticatedSafe objects for CertificateBags, too.

iaik.x509.ocsp [C]
    BasicOCSPResponse, SingleResponse, RevokedInfo, ArchiveCutoff: milliseconds are not included in GeneralizedTime encodings, for compatibility with RFC 6960.

IAIK-JCE 5.24 - 22. December 2014

Class or Package [B = Bug, C = Change, NF = New Feature]: Description and Examples

iaik.asn1.ASN1String, iaik.asn1.PrintableString [C]
    Method equals does not check the ASN.1 String type anymore; only the value is compared.

iaik.pkcs.pkcs7 [NF, C]
    Changed default content encryption algorithm parameter management for EncryptedContentInfo, EnvelopedData and SignedAndEnvelopedData to try to get algorithm-specific parameters from the content encryption algorithm ID.

iaik.pkcs.pkcs7.SignedAndEnvelopedDataStream [NF]
    Added SignedAndEnvelopedDataStream(InputStream is, AlgorithmID contentEA, int keyLength) constructor.

iaik.pkcs.pkcs7.SignedAndEnvelopedData [C]
    Changed the SignedAndEnvelopedData(byte[] content, AlgorithmID contentEA, int version) constructor to SignedAndEnvelopedData(byte[] content, AlgorithmID contentEA, int keyLength). For backwards compatibility with prior versions the keyLength parameter is interpreted as version if it has one of the only two possible version values: 1 (default; indicating a PKCS#7 v1.5 SignedAndEnvelopedData) or 2 (indicating a PKCS#7 v1.6 SignedAndEnvelopedData).

iaik.pkcs.pkcs7.SignedAndEnvelopedData [NF]
    Added SignedAndEnvelopedData(byte[] content, AlgorithmID contentEA, int keyLength, int version) constructor.

iaik.pkcs.pkcs12.PKCS12KeyStore [C, NF]
    When searching for the certificate that belongs to the private key and no match is found between the localKeyId attribute of the KeyBag and the localKeyId attribute of any CertBag, the friendlyName attribute is checked, if present. The friendlyName is also checked if more than one CertBag has the same localKeyId as the KeyBag.
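The matching rule above, written out as an added example (not IAIK code) on a simplified model of PKCS#12 bag attributes. Getting this wrong in a key store means a private key is paired with the wrong certificate, so the rule is worth seeing end to end: localKeyId first, friendlyName only to resolve a miss or an ambiguity. The Bag class, the method names and the reading that an ambiguous localKeyId is narrowed among the id hits are this example's own assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not IAIK code): key-to-certificate matching for PKCS#12,
 * following the rule described for PKCS12KeyStore.
 */
public final class Pkcs12BagMatcher {

    /** Stand-in for a SafeBag with its localKeyId and friendlyName attributes (either may be null). */
    static final class Bag {
        final String name;          // label for printing only
        final byte[] localKeyId;
        final String friendlyName;
        Bag(String name, byte[] localKeyId, String friendlyName) {
            this.name = name;
            this.localKeyId = localKeyId;
            this.friendlyName = friendlyName;
        }
    }

    /**
     * 1. Collect CertBags whose localKeyId equals the KeyBag's.
     * 2. Exactly one hit: that is the certificate.
     * 3. No hit, or more than one hit: fall back to friendlyName, if the KeyBag has one.
     * Returns null when no unambiguous match exists (the caller should treat this as an error,
     * not silently pick the first CertBag).
     */
    static Bag findCertificate(Bag keyBag, List<Bag> certBags) {
        List<Bag> byId = new ArrayList<>();
        if (keyBag.localKeyId != null) {
            for (Bag c : certBags) {
                if (Arrays.equals(keyBag.localKeyId, c.localKeyId)) {
                    byId.add(c);
                }
            }
        }
        if (byId.size() == 1) {
            return byId.get(0);
        }
        if (keyBag.friendlyName != null) {
            // Ambiguous id: narrow among the id hits. No id hit at all: search every CertBag.
            List<Bag> candidates = byId.isEmpty() ? certBags : byId;
            for (Bag c : candidates) {
                if (keyBag.friendlyName.equals(c.friendlyName)) {
                    return c;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: two CertBags share the KeyBag's localKeyId; only friendlyName disambiguates.
        byte[] id = {0x01, 0x02, 0x03};
        Bag key = new Bag("key", id, "server");
        List<Bag> certs = Arrays.asList(
            new Bag("cert-ca", id, "ca"),
            new Bag("cert-server", id, "server"),
            new Bag("cert-other", new byte[] {0x09}, "other"));
        Bag hit = findCertificate(key, certs);
        System.out.println(hit == null ? "no match" : hit.name);   // cert-server
    }
}
```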

iaik.pkcs.pkcs12.PKCS12KeyStore [C, NF]
    Support for setting/getting certificate (trust) entries.

iaik.security.provider.IAIK [B, C, NF]
    New static method setCopyCipherData(boolean) allows deciding whether to internally copy cipher data when Cipher encryption/decryption uses the same array for input and output (default: false).

iaik.security.random.SeedGenerator [C]
    Method setDefault also sets the provided class as default VarLengthSeedGenerator, if applicable.

iaik.security.rsa.RipeMd256RSASignature [B]
    Fixed DigestInfo prefix (length) encoding.

iaik.x509 [B]
    If GeneralizedTime is used, milliseconds are not included in the encodings of the X.509 types X509Certificate, X509CRL, RevokedCertificate, InvalidityDate, PrivateKeyUsagePeriod and AttributeCertificate.

IAIK-JCE 5.2 - 31. October 2013

Class or Package [B = Bug, C = Change, NF = New Feature]: Description and Examples

* [C, NF]
    jar files signed with the new JCE code signing certificate.

* [NF]
    Included jar file versions containing the "Trusted-Library=true" manifest attribute, which may be used to avoid problems due to JDK requirements when mixing signed/privileged with unsigned/sandbox code (especially when used with Java(TM) WebStart, applets and JavaScript).

iaik.asn1.ASN1 [B]
    Fixed push back handling in the decoding routine.

iaik.asn1.CON_SPEC [C, NF]
    forceImplicitlyTagged: workaround trying to handle falsely explicitly tagged simple components when implicit tagging is required.

iaik.asn1.structures.AlgorithmID [C]
    Registered java.security.spec.DSAParameterSpec as AlgorithmParameterSpec class for DSA* AlgorithmIDs.

iaik.asn1.structures.AlgorithmID [C]
    Method getAlgorithmParameterSpec(Class parameterSpecClass, String provider) again does not throw an InvalidAlgorithmParameterException if parameterSpecClass is not specified. Rather, it returns null in this case to avoid problems due to missing parameter implementation registration.

iaik.security.provider.IAIK [C, NF]
    Added some MessageDigest aliases (OIDs).

iaik.security.dsa, iaik.security.rsa, iaik.iso.iso9796 [C]
    Signature engines now extend java.security.SignatureSpi to support delayed provider selection.

iaik.security.rsa.SSLRSASignature [B]
    Fixed signature verification.

iaik.x509 [C]
    Improved extensions memory management to support, e.g., bigger CRLs with class X509CRL when revocation entries contain some extension(s) (especially only the ReasonCode extension).

iaik.x509.extensions.ExtendedKeyUsage [NF]
    Added tsl-signing key purpose id (0.4.0.2231.3.0) as specified by ETSI TS 102 231 V3.1.2 for the purpose of signing Trust-service Status Lists.

iaik.x509.ocsp.* [NF]
    Aligned with the new OCSP version (RFC 6960); added implementation of the ExtendedRevoked response and PreferredSignatureAlgorithms request extensions.

IAIK-JCE 5.1 - 28. March 2013

Class or Package [B = Bug, C = Change, NF = New Feature]: Description and Examples

iaik.asn1.ObjectID [NF]
    Added the COSINE LDAP/X.500 Schema attribute personalTitle, "0.9.2342.19200300.100.1.40" from RFC 4525.

iaik.asn1.structures.AlgorithmID [NF]
    Added method setDefaultEncodeAbsentParametersAsNull allowing to change the default behaviour for encoding absent AlgorithmID parameters as ASN.1 NULL or omitting the parameters field.

iaik.asn1.structures.AlgorithmID, iaik.security.provider.IAIK [NF]
    Added AlgorithmIDs and OID aliases for HMAC/SHA224, HMAC/SHA256, HMAC/SHA384, HMAC/SHA512 according to RFC 4231.

iaik.asn1.structures.AlgorithmID [C, NF]
    Added additional implementation names for some AlgorithmIDs.
    Changed default implementation names for: sha1WithRSAEncryption (from "SHA/RSA" to "SHA1/RSA"), cms_aes192_wrap (from "AESWrapAES" to "AES192WrapAES192"), cms_aes256_wrap (from "AESWrapAES" to "AES256WrapAES256"), camellia_aes192_wrap (from "CamelliaWrapCamellia" to "Camellia192WrapCamellia192"), camellia_aes256_wrap (from "CamelliaWrapCamellia" to "Camellia256WrapCamellia256").
    Changed OID of AlgorithmID.dsaWithSHA1 from 1.3.14.3.2.27 to 1.2.840.10040.4.3. The AlgorithmID for 1.3.14.3.2.27 now is AlgorithmID.dsaWithSHA1_, but deprecated. AlgorithmID.dsa_With_SHA1 (1.3.14.3.2.13) is also marked as deprecated.

iaik.pkcs.pkcs5.PBKDF2, iaik.pkcs.pkcs5.PBKDF2KeyAndParameterSpec, iaik.pkcs.pkcs5.PBKDF2ParameterSpec, iaik.pkcs.pkcs5.PBKDF2Parameters [NF]
    Added parameter implementation and (parameter based) pseudorandom function agility for the PKCS#5 PBKDF2 key derivation function.

iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA1, iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA224, iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA256, iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA384, iaik.pkcs.pkcs5.PBKDF2.PBKDF2WithHmacSHA512 [NF]
    Added PBKDF2 KeyGenerator engines for HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512:

        KeyGenerator.getInstance("PBKDF2WithHmacSHA1", "IAIK");
        KeyGenerator.getInstance("PBKDF2WithHmacSHA224", "IAIK");
        KeyGenerator.getInstance("PBKDF2WithHmacSHA256", "IAIK");
        KeyGenerator.getInstance("PBKDF2WithHmacSHA384", "IAIK");
        KeyGenerator.getInstance("PBKDF2WithHmacSHA512", "IAIK");

iaik.pkcs.pkcs7.RSACipherProvider [NF]
    New method setDefault() allowing to set an RSACipherProvider to be used as default.

iaik.pkcs.pkcs8.PrivateKeyInfo, iaik.pkcs.pkcs8.RawPrivateKey [C, NF]
    PrivateKeyInfo.getPrivateKey() now returns a generic RawPrivateKey object if no specific KeyFactory is available for the private key algorithm. The RawPrivateKey allows getting some information about the key (algorithm, encoding).

iaik.security.cipher.CAST128Parameters [B]
    Fixed parameter decoding (optional IV).

iaik.security.cipher.PBES2Cipher, iaik.pkcs.pkcs5.PBES2ParameterSpec, iaik.pkcs.pkcs5.PBES2Parameters [NF]
    Added Cipher engine and parameter implementation for the PKCS#5 PBES2 password based encryption scheme:

        Cipher.getInstance("PBES2", "IAIK");

iaik.security.cipher.PbeWithMD5AndDES_CBC, iaik.security.cipher.PbeWithSHAAnd3_KeyTripleDES_CBC, iaik.security.cipher.PbeWithSHAAnd40BitRC2_CBC [C]
    Now first try to get PBE AlgorithmParameters from provider IAIK.

iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA1AndAES, iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA256AndAES, iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA384AndAES192, iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA512AndAES256, iaik.security.cipher.PBES2Cipher.PBES2WithHmacSHA1AndDESede [NF]
    Added PBES2 Cipher engines for HmacSHA1 and AES, HmacSHA256 and AES, HmacSHA384 and AES192, HmacSHA512 and AES256, HmacSHA1 and DESede:

        Cipher.getInstance("PBES2WithHmacSHA1AndAES", "IAIK");
        Cipher.getInstance("PBES2WithHmacSHA256AndAES", "IAIK");
        Cipher.getInstance("PBES2WithHmacSHA384AndAES192", "IAIK");
        Cipher.getInstance("PBES2WithHmacSHA512AndAES256", "IAIK");
        Cipher.getInstance("PBES2WithHmacSHA1AndDESede", "IAIK");
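The PBKDF2 KeyGenerator engines and the PBES2 Cipher engines listed above are two halves of one PKCS#5 v2 construction: a password-derived key (PBKDF2 with a chosen HMAC PRF) feeding a symmetric cipher. The following added example, which is not IAIK code, spells that construction out with the standard JCE API so the public parameters that PBES2 has to carry next to the ciphertext (salt, iteration count, IV) are visible; the PRF and cipher correspond to the PBES2WithHmacSHA256AndAES engine. The algorithm names are the standard JDK (SunJCE) ones, and the iteration count and class names are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not IAIK code): PBES2 as PBKDF2-HMAC-SHA256 followed by AES-128-CBC. */
public final class Pbes2Example {

    static final int ITERATIONS = 100_000;   // assumption for this example; far above the 2000 default noted on the page
    static final int SALT_LEN = 16;
    static final int KEY_BITS = 128;

    /** What PBES2 stores next to the ciphertext (the AlgorithmIdentifier parameters in PKCS#5). */
    static final class Params {
        final byte[] salt, iv, ciphertext;
        Params(byte[] salt, byte[] iv, byte[] ciphertext) {
            this.salt = salt;
            this.iv = iv;
            this.ciphertext = ciphertext;
        }
    }

    /** PBKDF2 step: password + salt + iteration count -> AES key of KEY_BITS. */
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        byte[] raw = f.generateSecret(spec).getEncoded();
        spec.clearPassword();
        try {
            return new SecretKeySpec(raw, "AES");   // SecretKeySpec copies the bytes
        } finally {
            Arrays.fill(raw, (byte) 0);            // clear our own copy of the key material
        }
    }

    /** Encryption step: fresh random salt and IV per message, AES-CBC with PKCS#5 padding. */
    static Params encrypt(char[] password, byte[] plaintext) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[16];
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(iv));
        return new Params(salt, iv, c.doFinal(plaintext));
    }

    static byte[] decrypt(char[] password, Params p) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, p.salt), new IvParameterSpec(p.iv));
        return c.doFinal(p.ciphertext);   // a wrong password normally ends in BadPaddingException
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-example-password".toCharArray();
        Params p = encrypt(pw, "sample plaintext".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(pw, p), StandardCharsets.UTF_8));   // sample plaintext
        Arrays.fill(pw, '\0');
    }
}
```

With the IAIK engines from the page, the derivation step is the `KeyGenerator.getInstance("PBKDF2WithHmacSHA256", "IAIK")` engine and the encryption step the `PBES2WithHmacSHA256AndAES` cipher; what this example makes explicit is that the salt must be random per encryption, that the iteration count is a tunable work factor, and that PBES2 with CBC gives confidentiality only, so ciphertext integrity (a MAC, or an AEAD mode) has to be added separately where tampering matters.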
      

iaik.security.cipher.SecretKey [C]
    Fixed algorithm name check in equals method.

iaik.security.pbe.PBEParameterGenerator [C]
    Default iteration count for encryption set to 2000.

iaik.security.random.SecRandom [C]
    Changed default PRNG to SHA256FIPS186Random.

iaik.utils.RFC2253NameParser [NF]
    Registered the COSINE LDAP/X.500 Schema attribute personalTitle, OID "0.9.2342.19200300.100.1.40" from RFC 4525.

iaik.utils.Util [NF]
    New method setDefaultRFC2253StringEscaping allowing to set the default escaping mechanism (strict or non-strict) for RFC 2253 String representations of Name, RDN and AVA objects.

iaik.utils.ConvertKeyStore [B, C]
    Now really converts one KeyStore to another (and does not just dump the contents like the DumpKeyStore utility).

iaik.utils.Util [C]
    getUTF8EncodingFromString, getUTF8EncodingFromCharArray and getCharFromUTF8Array now also use UTF8CodingException instead of the general CodingException.

iaik.x509.PublicKeyInfo, iaik.x509.RawPublicKey [C, NF]
    PublicKeyInfo.getPublicKey() now returns a generic RawPublicKey object if no specific KeyFactory is available for the public key algorithm. The RawPublicKey allows getting some information about the key (algorithm, encoding).

iaik.x509.attr.*, iaik.x509.attr.Clearance [C]
    Attribute Certificate implementation aligned with the new PKIX specification (RFC 5755); Clearance components are no longer tagged when building their ASN.1 representation.

iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD [NF]
    Added implementation of the ETSI EN 319 412-5 QcEuPDS QCStatementInfo for pointing to a Policy Disclosure Statement (PDS).

iaik.x509.ocsp.OCSPExtensions, iaik.x509.ocsp.extensions.Nonce [C]
    According to the OCSP spec clarification about the ASN.1 syntax of the Nonce extension, the Nonce value is wrapped into an ASN.1 OCTET STRING before putting it into the OCSP Extension extnValue OCTET STRING; the new method Nonce.setWrapNonceValue(false) allows falling back to the old behaviour (not wrapping the Nonce value).
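The two encodings this entry switches between differ by exactly one DER layer inside extnValue, and a responder or client that only understands one of them will fail to match the nonce of a peer using the other. The following added example (not IAIK code) builds the Nonce extension both ways with small DER helpers written inline, and shows a reader that accepts either form; the class, helper names and the sample nonce are this example's own.

```java
import java.io.ByteArrayOutputStream;
import java.util.Arrays;

/**
 * Added example (not IAIK code): the two encodings of the OCSP Nonce extension
 * (nonce wrapped in an inner OCTET STRING, or raw inside extnValue) and a reader
 * tolerant of both.
 */
public final class OcspNonceEncoding {

    /** id-pkix-ocsp-nonce (1.3.6.1.5.5.7.48.1.2) as DER content octets. */
    static final byte[] NONCE_OID = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02};

    /** DER tag-length-value for content lengths up to 65535. */
    static byte[] tlv(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);
        } else if (len < 0x100) {
            out.write(0x81);
            out.write(len);
        } else {
            out.write(0x82);
            out.write(len >> 8);
            out.write(len & 0xFF);
        }
        out.write(content, 0, len);
        return out.toByteArray();
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] r = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, r, a.length, b.length);
        return r;
    }

    /** extnValue content: OCTET STRING { nonce } (clarified syntax) or the raw nonce (old behaviour). */
    static byte[] extnValueContent(byte[] nonce, boolean wrap) {
        return wrap ? tlv(0x04, nonce) : nonce;
    }

    /** Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, extnValue OCTET STRING }. */
    static byte[] nonceExtension(byte[] nonce, boolean wrap) {
        return tlv(0x30, concat(tlv(0x06, NONCE_OID), tlv(0x04, extnValueContent(nonce, wrap))));
    }

    /**
     * Reader tolerant of both forms: if the extnValue content is exactly one OCTET STRING
     * TLV, unwrap it; otherwise treat it as a raw nonce. A raw nonce that happens to begin
     * with 0x04 followed by its own remaining length is ambiguous, which is exactly why
     * the syntax was clarified; random nonces hit that case with probability about 1/65536.
     */
    static byte[] extractNonce(byte[] extnValueContent) {
        if (extnValueContent.length >= 2 && extnValueContent[0] == 0x04) {
            int len = extnValueContent[1] & 0xFF;
            if (len < 0x80 && len == extnValueContent.length - 2) {
                return Arrays.copyOfRange(extnValueContent, 2, extnValueContent.length);
            }
        }
        return extnValueContent;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02X", x));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[] nonce = {(byte) 0xA1, (byte) 0xB2, (byte) 0xC3, (byte) 0xD4};   // constructed sample nonce
        System.out.println("wrapped:   " + hex(nonceExtension(nonce, true)));
        System.out.println("unwrapped: " + hex(nonceExtension(nonce, false)));
        System.out.println(hex(extractNonce(extnValueContent(nonce, true))));    // A1B2C3D4
        System.out.println(hex(extractNonce(extnValueContent(nonce, false))));   // A1B2C3D4
    }
}
```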

iaik.x509.ocsp.net.HttpOCSPRequest [C]
    postRequest: accept application/ocsp-response with parameters in the content-type header, too.

IAIK-JCE 5.01 - 16. January 2012

Class or Package [B = Bug, C = Change, NF = New Feature]: Description and Examples

iaik.security.cipher [B]
    Fixed performance regression of AES-GCM/CCM in combination with the AES addon on Windows.

iaik.utils.PasswordStrengthChecker [C]
    Improved password strength computation.


 