PrivateKey

public class PrivateKey extends Key implements java.security.interfaces.RSAPrivateCrtKey

Class describes a private key object. Inherits from Key and implements from java.security.interfaces.RSAPrivateCrtKey.

Note that the constructor is not intended to be called by user code. Such objects are constructed internally by the API.

Methods

decrypt

public byte[] decrypt(byte[] data)

Decrypts the provided data using a private key. The operation will use PKCS#1 padding.

Parameters:

  • data – bytearray containing the ciphertext data to decrypt.

Returns:

a bytearray containing the plaintext data.

getActualModulus

public BigInteger getActualModulus()

Gets the modulus.

Returns:

the modulus.

getActualPublicExponent

public BigInteger getActualPublicExponent()

Gets the public exponent.

Returns:

the public exponent.

getAlgorithm

public String getAlgorithm()

Not implemented.

Returns:

null.

getCrtCoefficient

public BigInteger getCrtCoefficient()

The private key is not extractable from the card, thus this method is not available.

Throws:

getEncoded

public byte[] getEncoded()

The private key is not extractable from the card, thus this method is not available.

Throws:

getFormat

public String getFormat()

Returns the name of the primary encoding format of this key (null for a private key).

getModulus

public BigInteger getModulus()

Because of the constraints imposed by Java Cryptography Architecture (JCA) and its provider, this method is not available. However, to get the modulus, you can use PrivateKey.getActualModulus() method.

Returns:

null.

getPrimeExponentP

public BigInteger getPrimeExponentP()

The private key is not extractable from the card, thus this method is not available.

Throws:

getPrimeExponentQ

public BigInteger getPrimeExponentQ()

The private key is not extractable from the card, thus this method is not available.

Throws:

getPrimeP

public BigInteger getPrimeP()

The private key is not extractable from the card, thus this method is not available.

Throws:

getPrimeQ

public BigInteger getPrimeQ()

The private key is not extractable from the card, thus this method is not available.

Throws:

getPrivateExponent

public BigInteger getPrivateExponent()

The private key is not extractable from the card, thus this method is not available.

Throws:

getPublicExponent

public BigInteger getPublicExponent()

Because of the constraints imposed by Java Cryptography Architecture (JCA) and its provider, this method is not available. However, to get the modulus, you can use PrivateKey.getActualPublicExponent() method.

Returns:

null.

hashAndSign

public byte[] hashAndSign(byte[] data, String hashAlg)

Hashes the provided data and signs the hash using a private key. The operation will use PKCS#1 padding. The hashAlg parameter indicates the hash algorithm to use and can take the following values:

  • "sha1" or "sha256": Available for all keys (SHA-1 may be forbidden with qualified signature keys depending on the card profile). The API will automatically take care of the partial hashing requirement when used with a qualified signature key.

  • "sha384" or "sha512": Not available for qualified signature keys.

Parameters:

  • data – Data to hash, provided as a bytearray.

  • hashAlg – Algorithm of the hash.

Returns:

the bytearray containing the signature.

isPartialHash

public boolean isPartialHash()

Returns true if the key must use partial hashing (qualified signature key). Available only for private Keys

Returns:

true if the key must use partial hashing; false otherwise

sign

public byte[] sign(byte[] hash, String hashAlg)

Signs the provided hash using a private key. The operation will use PKCS#1 padding. The algorithm of the hash needs to be indicated if the OID needs to be added within the signature block. The hashAlg parameter can take the following values:

  • null: The hash data will be signed as provided. Not available for qualified signature keys.

  • "sha1", "sha256", "sha384" or "sha512": The corresponding OID will be prepended. Not available for qualified signature keys.

  • "sha1-partial" or "sha256-partial": The hash must be provided as a partial hash block (containing intermediate hash values) as defined by the IAS specifications. The hash will be finalized by the card and the corresponding OID will be prepended. Available only for qualified signature keys.

The PrivateKey.isPartialHash() property can be used to check whether the key is a qualified signature key that requires partial hashing.

Parameters:

  • hashbytearray containing the hash value.

  • hashAlg – (optional) Algorithm of the hash.

Returns:

a bytearray containing the signature.