.. java:import:: android.os Build .. java:import:: com.idopte.scmiddleware Log .. java:import:: androidx.annotation RequiresApi .. java:import:: org.json JSONException .. java:import:: org.json JSONObject .. java:import:: java.io IOException .. java:import:: java.nio.charset StandardCharsets .. java:import:: java.security.spec AlgorithmParameterSpec .. java:import:: java.security.spec PSSParameterSpec .. java:import:: java.util HashMap .. java:import:: java.util Map PrivateKey ========== .. java:package:: com.idopte.scmapi :noindex: .. java:type:: @SuppressWarnings public abstract class PrivateKey extends Key implements java.security.PrivateKey Class describes a private key object. Inherits from \ :java:ref:`Key`\ . Note that the constructor is not intended to be called by user code. Such objects are constructed internally by the API. Since version 6.23.44.2, changes have been introduced on \ :java:ref:`PrivateKey`\ and \ :java:ref:`PublicKey`\ . See the note in \ :java:ref:`Key`\ for more details. Methods ------- decrypt ^^^^^^^ .. java:method:: public byte[] decrypt(byte[] data) throws SCMException :outertype: PrivateKey Decrypts the provided data using a private key. The operation will use PKCS#1 padding. :param data: bytearray containing the ciphertext data to decrypt. :return: a bytearray containing the plaintext data. decrypt ^^^^^^^ .. java:method:: public byte[] decrypt(byte[] data, String alg) throws SCMException :outertype: PrivateKey Decrypts the provided data using a private key. :param data: bytearray containing the ciphertext data to decrypt. :param alg: algorithm to use as a String. Possible values are: \ ``"raw"``\ for raw decryption and \ ``"pkcs1"``\ for PKCS#1 padding. :return: a bytearray containing the plaintext data. hashAndSign ^^^^^^^^^^^ .. java:method:: @RequiresApi public byte[] hashAndSign(byte[] data, String algorithm) throws SCMException :outertype: PrivateKey Hashes the provided data and signs the hash using a private key. For ECDSA the returned signature is of format RAW. The operation will use PKCS#1 or PSS padding for ``RSA`` private key or ECDSA for ``EC`` private key, depending on ``algorithm`` value: .. * for RSA PKCS#1 padding and ECDSA, the ``algorithm`` parameter indicates the hash algorithm to use and can take the following values: .. * ``"sha1"`` or ``"sha256"``: Available for all keys (SHA-1 may be forbidden with qualified signature keys depending on the card profile). The API will automatically take care of the partial hashing requirement when used with a qualified signature key. * ``"sha384"`` or ``"sha512"``: Not available for qualified signature keys. * for ``RSA`` PSS padding, the ``algorithm`` parameter indicates the hash and padding parameters used for PSS padding. It can take the following values: .. * ``"sha1pss"``: hash function and mask generation function will be SHA-1 and salt length will be 20. * ``"sha256pss"``: hash function and mask generation function will be SHA-256 and salt length will be 32. * ``"sha384pss"``: hash function and mask generation function will be SHA-384 and salt length will be 48. * ``"sha512pss"``: hash function and mask generation function will be SHA-512 and salt length will be 64. :param data: data to hash, provided as a bytearray. :param algorithm: algorithm of the signature. :return: the bytearray containing the signature. isPartialHash ^^^^^^^^^^^^^ .. java:method:: public boolean isPartialHash() :outertype: PrivateKey Returns \ ``true``\ if the key must use partial hashing (qualified signature key). Available only for private Keys :return: \ ``true``\ if the key must use partial hashing; \ ``false``\ otherwise sign ^^^^ .. java:method:: public byte[] sign(byte[] hash, String algorithm) throws SCMException :outertype: PrivateKey Signs the provided hash using a private key. For ECDSA the returned signature is of format RAW. The operation will use PKCS#1 or PSS padding for ``RSA`` private key or ECDSA for ``EC`` private key, depending on ``algorithm`` value: .. * The algorithm of the hash needs to be indicated if the ``OID`` needs to be added within the signature block. The ``algorithm`` parameter can take the following values: .. * ``null``: The hash data will be signed as provided. Not available for qualified signature keys. * ``"sha1"``, ``"sha256"``, ``"sha384"`` or ``"sha512"``: The corresponding OID will be prepended. Not available for qualified signature keys. * ``"sha1-partial"`` or ``"sha256-partial"``: The hash must be provided as a partial hash block (containing intermediate hash values) as defined by the IAS specifications. The hash will be finalized by the card and the corresponding OID will be prepended. Available only for qualified signature keys. The \ :java:ref:`PrivateKey.isPartialHash()`\ property can be used to check whether the key is a qualified signature key that requires partial hashing. * for RSA PSS padding, the ``algorithm`` parameter indicates the PSS padding parameters. It can take the following values: .. * ``"sha1pss"``: mask generation function will be SHA-1 and salt length will be 20. * ``"sha256pss"``: mask generation function will be SHA-256 and salt length will be 32. * ``"sha384pss"``: mask generation function will be SHA-384 and salt length will be 48. * ``"sha512pss"``: mask generation function will be SHA-512 and salt length will be 64. :param hash: ``bytearray`` containing the hash value. :param algorithm: (optional) algorithm of the signature. :return: a ``bytearray`` containing the signature. sign ^^^^ .. java:method:: public byte[] sign(byte[] hash, String algorithm, AlgorithmParameterSpec params) throws SCMException :outertype: PrivateKey Signs the provided hash using a private key. If ``params`` parameter is null, this is equivalent than calling \ :java:ref:`PrivateKey.sign(byte[],String)`\ . Otherwise, it must contain a ``PSSParameterSpec`` object defining PSS padding parameters. In this case, ``algorithm`` parameter is not used. :param hash: ``bytearray`` containing hash to sign. :param algorithm: (optional) algorithm of the signature. :param params: (optional) signature algorithm parameters. Only \ ``PSSParameterSpec``\ is supported. :return: a ``bytearray`` containing the signature.