Class JCESecurityModule

java.lang.Object
org.jpos.security.BaseSMAdapter<SecureDESKey>
org.jpos.security.jceadapter.JCESecurityModule
All Implemented Interfaces:
Configurable, SMAdapter<SecureDESKey>, LogSource

JCESecurityModule is an implementation of a security module in software.

It doesn't require any hardware device to work.
JCESecurityModule also implements SMAdapter, so you can view it either as a self-contained security module adapter that doesn't need a security module, or as a security module that plugs directly into jPOS and so doesn't need a separate adapter.
It relies on Java(tm) Cryptography Extension (JCE), hence its name.
JCESecurityModule relies on the JCEHandler class to do the low level JCE work.

WARNING: This version of JCESecurityModule is meant for testing purposes and NOT for live operation, since the Local Master Keys are stored in CLEAR on the system's disk. Coming versions of JCESecurityModule will rely on java.security.KeyStore for better protection of the Local Master Keys.

  • Field Details

  • Constructor Details

  • Method Details

    • setConfiguration

      Configures a JCESecurityModule
      Specified by:
      setConfiguration in interface Configurable
      Overrides:
      setConfiguration in class BaseSMAdapter<SecureDESKey>
      Parameters:
      cfg - The following properties are read:
      lmk: Local Master Keys file (The only required parameter)
      jce: JCE Provider Class Name; if not provided, it defaults to com.sun.crypto.provider.SunJCE
      rebuildlmk: (true/false), rebuilds the Local Master Keys file with new keys (WARNING: old keys will be erased)
      cbc-mac: Cipher Block Chaining MAC algorithm name for the given JCE Provider.
      Default is ISO9797ALG3MACWITHISO7816-4PADDING from the BouncyCastle provider (known as Retail-MAC),
      which is suitable for most interfaces with a double-length MAC key:
      ANSI X9.19, aka ISO/IEC 9797-1 MAC algorithm 3, padding method 2 (ISO 7816)
      ede-mac: Encrypt Decrypt Encrypt MAC algorithm name for the given JCE Provider.
      Default is DESEDEMAC from the BouncyCastle provider,
      which is suitable for BASE24 with a double-length MAC key
      (ANSI X9.19)
      Throws:
      ConfigurationException - if configuration is invalid
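
Because the file named by `lmk` holds the Local Master Keys in clear and `rebuildlmk` erases the old keys, a pre-deployment check of these two properties is worth having. The following is an added example, not jPOS code: the class `JceSmConfigCheck` and its `check` method are hypothetical, the property names are the ones listed above, and the demo file is constructed on a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;

// Added illustration; not part of jPOS. Property names are the ones documented above.
public class JceSmConfigCheck {

    /** Returns one finding per risky setting; an empty list means nothing was flagged. */
    static List<String> check(Properties cfg) throws IOException {
        List<String> findings = new ArrayList<>();
        String lmk = cfg.getProperty("lmk");
        if (lmk == null || lmk.trim().isEmpty()) {
            findings.add("lmk: not set (the only required property)");
            return findings;
        }
        // rebuildlmk=true replaces the key file, so every key wrapped under the old LMKs is lost.
        if (Boolean.parseBoolean(cfg.getProperty("rebuildlmk", "false").trim()))
            findings.add("rebuildlmk=true: the LMK file is rebuilt and the old keys are erased");

        Path file = Paths.get(lmk.trim());
        if (!Files.isRegularFile(file)) {
            findings.add("lmk: " + file + " is not an existing regular file");
            return findings;
        }
        try {
            // Anything beyond owner read/write lets another account read the clear LMKs.
            Set<PosixFilePermission> extra = EnumSet.noneOf(PosixFilePermission.class);
            extra.addAll(Files.getPosixFilePermissions(file));
            extra.remove(PosixFilePermission.OWNER_READ);
            extra.remove(PosixFilePermission.OWNER_WRITE);
            if (!extra.isEmpty())
                findings.add("lmk: clear keys in " + file + " are exposed by extra permissions "
                        + PosixFilePermissions.toString(extra));
        } catch (UnsupportedOperationException e) {
            findings.add("lmk: no POSIX permissions on this file system, review the ACL by hand");
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a throwaway file stands in for the LMK file.
        Path lmk = Files.createTempFile("demo", ".lmk");
        try {
            // Weak: world-readable key file plus rebuildlmk left switched on.
            Files.setPosixFilePermissions(lmk, PosixFilePermissions.fromString("rw-r--r--"));
            Properties weak = new Properties();
            weak.setProperty("lmk", lmk.toString());
            weak.setProperty("rebuildlmk", "true");
            System.out.println("weak     : " + check(weak));

            // Corrected: owner-only key file, rebuildlmk absent.
            Files.setPosixFilePermissions(lmk, PosixFilePermissions.fromString("rw-------"));
            Properties hardened = new Properties();
            hardened.setProperty("lmk", lmk.toString());
            System.out.println("hardened : " + check(hardened));
        } finally {
            Files.delete(lmk);
        }
    }
}
```

Owner-only permissions narrow who can read the file, but the keys are still in clear on disk, so the WARNING above continues to apply.
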
    • generateKeyImpl

      public SecureDESKey generateKeyImpl(short keyLength, String keyType) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      generateKeyImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      keyLength - requested key length
      keyType - requested key type
      Returns:
      generated key
      Throws:
      SMException - on security module error
    • importKeyImpl

      public SecureDESKey importKeyImpl(short keyLength, String keyType, byte[] encryptedKey, SecureDESKey kek, boolean checkParity) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      importKeyImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      keyLength - requested key length
      keyType - requested key type
      encryptedKey - encrypted key bytes
      kek - key-encrypting key
      checkParity - whether to check DES key parity
      Returns:
      imported key
      Throws:
      SMException - on security module error
    • exportKeyImpl

      public byte[] exportKeyImpl(SecureDESKey key, SecureDESKey kek) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      exportKeyImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      key - secure key
      kek - key-encrypting key
      Returns:
      exported key
      Throws:
      SMException - on security module error
    • encryptPINImpl

      public EncryptedPIN encryptPINImpl(String pin, String accountNumber) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      encryptPINImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pin - clear PIN value
      accountNumber - account number associated with the PIN block
      Returns:
      encrypted PIN under LMK
      Throws:
      SMException - on security module error
    • encryptPINImpl

      protected EncryptedPIN encryptPINImpl(String pin, String accountNumber, SecureDESKey pek) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality.
      Overrides:
      encryptPINImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pin - clear PIN value
      accountNumber - account number associated with the PIN block
      pek - PIN-encrypting key
      Returns:
      encrypted PIN under PEK.
      Throws:
      SMException - on security module error
    • decryptPINImpl

      public String decryptPINImpl(EncryptedPIN pinUnderLmk) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      decryptPINImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pinUnderLmk - PIN block encrypted under the LMK
      Returns:
      clear pin as entered by card holder
      Throws:
      SMException - on security module error
    • importPINImpl

      public EncryptedPIN importPINImpl(EncryptedPIN pinUnderKd1, SecureDESKey kd1) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      importPINImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pinUnderKd1 - PIN block encrypted under the source key
      kd1 - source key
      Returns:
      imported pin
      Throws:
      SMException - on security module error
    • exportPINImpl

      public EncryptedPIN exportPINImpl(EncryptedPIN pinUnderLmk, SecureDESKey kd2, byte destinationPINBlockFormat) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      exportPINImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pinUnderLmk - PIN block encrypted under the LMK
      kd2 - destination key
      destinationPINBlockFormat - destination PIN block format
      Returns:
      exported pin
      Throws:
      SMException - on security module error
    • generatePINImpl

      public EncryptedPIN generatePINImpl(String accountNumber, int pinLen, List<String> excludes) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      generatePINImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      accountNumber - account number associated with the PIN block
      pinLen - requested PIN length
      excludes - PIN values to reject
      Returns:
      generated PIN under LMK
      Throws:
      SMException - on security module error
    • concatKeys

      protected Key concatKeys(SecureDESKey keyA, SecureDESKey keyB) throws SMException
      Concatenates two single-length DES keys into a double-length DESede key, decrypting them from the LMK first. If either non-null input is already longer than single-length, decrypts and returns that key.
      Parameters:
      keyA - first secured key, may be null
      keyB - second secured key, may be null
      Returns:
      a clear-text DES/DESede key, or null if both inputs are null
      Throws:
      SMException - if key decryption or assembly fails
    • calculateCVV

      protected String calculateCVV(String accountNo, Key cvk, Date expDate, String serviceCode) throws SMException
      Calculates a CVV using the supplied clear CVK and an expiry Date formatted as yyMM.
      Parameters:
      accountNo - cardholder primary account number
      cvk - clear CVK
      expDate - expiry date
      serviceCode - 3-digit service code
      Returns:
      the 3-digit CVV
      Throws:
      SMException - if the cipher operation fails
    • calculateCVD

      protected String calculateCVD(String accountNo, Key cvk, String expDate, String serviceCode) throws SMException
      Calculates a CVD/CVV from the supplied clear CVK using the Visa algorithm.
      Parameters:
      accountNo - cardholder primary account number
      cvk - clear CVK
      expDate - expiry date as yyMM
      serviceCode - 3-digit service code
      Returns:
      the 3-digit CVD/CVV
      Throws:
      SMException - if the cipher operation fails
    • calculateCVVImpl

      protected String calculateCVVImpl(String accountNo, SecureDESKey cvkA, SecureDESKey cvkB, Date expDate, String serviceCode) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      calculateCVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      accountNo - card account number
      cvkA - first card verification key
      cvkB - second card verification key
      expDate - card expiration date
      serviceCode - card service code
      Returns:
      Card Verification Code/Value
      Throws:
      SMException - on security module error
    • calculateCVDImpl

      protected String calculateCVDImpl(String accountNo, SecureDESKey cvkA, SecureDESKey cvkB, String expDate, String serviceCode) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      calculateCVDImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      accountNo - card account number
      cvkA - first card verification key
      cvkB - second card verification key
      expDate - card expiration date
      serviceCode - card service code
      Returns:
      Card Verification Digit (Code/Value)
      Throws:
      SMException - on security module error
    • checkCAVVArgs

      protected void checkCAVVArgs(String upn, String authrc, String sfarc) throws SMException
      Validates the lengths of the CAVV inputs, throwing SMException with a descriptive message when any value is null or wrong-sized.
      Parameters:
      upn - 4-digit unpredictable number
      authrc - 1-character authorization result code
      sfarc - 2-character second-factor authorization result code
      Throws:
      SMException - if any argument is null or has the wrong length
    • calculateCAVVImpl

      protected String calculateCAVVImpl(String accountNo, SecureDESKey cvk, String upn, String authrc, String sfarc) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      calculateCAVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      accountNo - card account number
      cvk - card verification key
      upn - unpredictable number
      authrc - authorization response code
      sfarc - second-factor authorization response code
      Returns:
      Cardholder Authentication Verification Value
      Throws:
      SMException - on security module error
    • verifyCVVImpl

      protected boolean verifyCVVImpl(String accountNo, SecureDESKey cvkA, SecureDESKey cvkB, String cvv, Date expDate, String serviceCode) throws SMException
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      verifyCVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      accountNo - card account number
      cvkA - first card verification key
      cvkB - second card verification key
      cvv - card verification value
      expDate - card expiration date
      serviceCode - card service code
      Returns:
      true if CVV/CVC is valid or false if not
      Throws:
      SMException - on security module error
    • verifyCVVImpl

      protected boolean verifyCVVImpl(String accountNo, SecureDESKey cvkA, SecureDESKey cvkB, String cvv, String expDate, String serviceCode) throws SMException
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      verifyCVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      accountNo - card account number
      cvkA - first card verification key
      cvkB - second card verification key
      cvv - card verification value
      expDate - card expiration date
      serviceCode - card service code
      Returns:
      true if CVV/CVC is valid or false otherwise
      Throws:
      SMException - on security module error
    • verifyCAVVImpl

      protected boolean verifyCAVVImpl(String accountNo, SecureDESKey cvk, String cavv, String upn, String authrc, String sfarc) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      verifyCAVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      accountNo - card account number
      cvk - card verification key
      cavv - cardholder authentication verification value
      upn - unpredictable number
      authrc - authorization response code
      sfarc - second-factor authorization response code
      Returns:
      true if the Cardholder Authentication Verification Value is valid, false if not
      Throws:
      SMException - on security module error
    • calculatedCVV

      protected String calculatedCVV(String accountNo, SecureDESKey imkac, String expDate, String serviceCode, byte[] atc, MKDMethod mkdm) throws SMException
      Computes a dynamic CVV (dCVV) using ATC and an issuer master key.
      Parameters:
      accountNo - cardholder primary account number
      imkac - issuer master key for AC, encrypted under the LMK
      expDate - expiry date as yyMM
      serviceCode - 3-digit service code
      atc - application transaction counter
      mkdm - master-key derivation method (defaults to MKDMethod.OPTION_A)
      Returns:
      the calculated dCVV
      Throws:
      SMException - if key derivation or computation fails
    • verifydCVVImpl

      protected boolean verifydCVVImpl(String accountNo, SecureDESKey imkac, String dcvv, Date expDate, String serviceCode, byte[] atc, MKDMethod mkdm) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      verifydCVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      accountNo - card account number
      imkac - issuer master key for application cryptograms
      dcvv - dynamic card verification value
      expDate - card expiration date
      serviceCode - card service code
      atc - application transaction counter
      mkdm - master-key derivation method
      Returns:
      true if dcvv is valid, false if not
      Throws:
      SMException - on security module error
    • verifydCVVImpl

      protected boolean verifydCVVImpl(String accountNo, SecureDESKey imkac, String dcvv, String expDate, String serviceCode, byte[] atc, MKDMethod mkdm) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      verifydCVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      accountNo - card account number
      imkac - issuer master key for application cryptograms
      dcvv - dynamic card verification value
      expDate - card expiration date
      serviceCode - card service code
      atc - application transaction counter
      mkdm - master-key derivation method
      Returns:
      true if dcvv is valid, false if not
      Throws:
      SMException - on security module error
    • calculateCVC3

      protected String calculateCVC3(SecureDESKey imkcvc3, String accountNo, String acctSeqNo, byte[] atc, byte[] upn, byte[] data, MKDMethod mkdm) throws SMException
      Computes the contactless CVC3 from the issuer master key, ATC, UPN, and track data.
      Parameters:
      imkcvc3 - issuer master key for CVC3, encrypted under the LMK
      accountNo - cardholder primary account number
      acctSeqNo - PAN sequence number, or null
      atc - application transaction counter
      upn - unpredictable number
      data - IVCVC3 seed (or 2 bytes pre-computed IVCVC3)
      mkdm - master-key derivation method (defaults to MKDMethod.OPTION_A)
      Returns:
      the 5-digit CVC3
      Throws:
      SMException - if key derivation or computation fails
    • verifyCVC3Impl

      protected boolean verifyCVC3Impl(SecureDESKey imkcvc3, String accountNo, String acctSeqNo, byte[] atc, byte[] upn, byte[] data, MKDMethod mkdm, String cvc3) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      verifyCVC3Impl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      imkcvc3 - issuer master key for CVC3
      accountNo - card account number
      acctSeqNo - PAN sequence number
      atc - application transaction counter
      upn - unpredictable number
      data - input data
      mkdm - master-key derivation method
      cvc3 - card validation code 3
      Returns:
      true if cvc3 is valid, false if not
      Throws:
      SMException - on security module error
    • deriveICCMasterKey

      protected Key deriveICCMasterKey(Key imk, byte[] panpsn) throws JCEHandlerException
      Derives the ICC Master Key from the Issuer Master Key and the preformatted PAN/PANSeqNo. Computes two 8-byte numbers:
      • left part is a result of Triple-DES encryption of panpsn with imk as the key
      • right part is a result of Triple-DES encryption of binary-inverted panpsn with imk as the key
      • concatenate left and right parts

      Described in EMV v4.2 Book 2, Annex A1.4.1 Master Key Derivation point 2
      Parameters:
      imk - 16-bytes Issuer Master Key
      panpsn - preformatted PAN and PAN Sequence Number
      Returns:
      derived 16-bytes ICC Master Key with adjusted DES parity
      Throws:
      JCEHandlerException - on cryptographic failure
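
The three steps above, written out with the JDK's own DESede cipher as an added example (this is not jPOS source code). It goes one step beyond the text by also building the preformatted PAN/PSN block as EMV Book 2 Annex A1.4.1 specifies; the class and method names and the key and PAN values are constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added illustration of the derivation described above; not jPOS source code.
public class IccMasterKeyDerivationExample {

    // EMV Book 2, A1.4.1 preformatting: PAN followed by the 2-digit sequence number
    // ("00" when absent), left-padded with zeros to 16 digits or cut to the 16
    // rightmost digits, then packed as 8 BCD bytes.
    static byte[] formatPanPsn(String pan, String psn) {
        if (pan == null || !pan.matches("\\d{1,19}"))
            throw new IllegalArgumentException("PAN must be 1 to 19 decimal digits");
        if (psn == null || psn.isEmpty())
            psn = "00";
        if (!psn.matches("\\d{2}"))
            throw new IllegalArgumentException("PAN sequence number must be 2 decimal digits");
        String x = pan + psn;
        x = x.length() < 16
                ? String.format("%16s", x).replace(' ', '0')
                : x.substring(x.length() - 16);
        return fromHex(x);
    }

    static byte[] deriveIccMasterKey(byte[] imk, byte[] panpsn) throws GeneralSecurityException {
        if (imk == null || imk.length != 16 || panpsn == null || panpsn.length != 8)
            throw new IllegalArgumentException("need a 16-byte IMK and an 8-byte PAN/PSN block");
        // JCE's DESede takes 24 bytes, so the double-length key K1|K2 becomes K1|K2|K1.
        byte[] k24 = Arrays.copyOf(imk, 24);
        System.arraycopy(imk, 0, k24, 16, 8);
        try {
            Cipher tdes = Cipher.getInstance("DESede/ECB/NoPadding");
            tdes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k24, "DESede"));
            byte[] inverted = new byte[8];
            for (int i = 0; i < 8; i++)
                inverted[i] = (byte) ~panpsn[i];       // binary-inverted panpsn
            byte[] mk = new byte[16];
            tdes.doFinal(panpsn, 0, 8, mk, 0);         // left part
            tdes.doFinal(inverted, 0, 8, mk, 8);       // right part, concatenated after it
            adjustOddParity(mk);
            return mk;
        } finally {
            Arrays.fill(k24, (byte) 0);                // wipe the working copy of the IMK
        }
    }

    // DES parity: the low bit of each byte is set so the byte has an odd number of 1 bits.
    static void adjustOddParity(byte[] key) {
        for (int i = 0; i < key.length; i++) {
            int upper = key[i] & 0xFE;
            key[i] = (byte) (upper | ((Integer.bitCount(upper) & 1) ^ 1));
        }
    }

    static boolean hasOddParity(byte[] key) {
        for (byte b : key)
            if ((Integer.bitCount(b & 0xFF) & 1) == 0)
                return false;
        return true;
    }

    static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes)
            sb.append(String.format("%02X", b & 0xFF));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed test values, not real key material or a real card number.
        byte[] imk = fromHex("0123456789ABCDEFFEDCBA9876543210");
        byte[] panpsn = formatPanPsn("4000001234567899", "01");
        byte[] mk = deriveIccMasterKey(imk, panpsn);
        System.out.println("PAN/PSN block  : " + toHex(panpsn));
        System.out.println("ICC master key : " + toHex(mk));
        System.out.println("odd parity     : " + hasOddParity(mk));
    }
}
```
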
    • calculatePVV

      protected String calculatePVV(EncryptedPIN pinUnderLmk, Key key, int keyIdx, List<String> excludes) throws SMException
      Calculates a 4-digit PVV using the IBM 3624 algorithm.
      Parameters:
      pinUnderLmk - PIN block encrypted under the LMK
      key - clear PVV key
      keyIdx - PVV key index (only the low decimal digit is used)
      excludes - optional list of PINs to reject before computing the PVV
      Returns:
      the 4-digit PVV
      Throws:
      SMException - if the PIN is on the excludes list or computation fails
    • calculatePVVImpl

      protected String calculatePVVImpl(EncryptedPIN pinUnderLmk, SecureDESKey pvkA, SecureDESKey pvkB, int pvkIdx, List<String> excludes) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      calculatePVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pinUnderLmk - PIN block encrypted under the LMK
      pvkA - first PIN verification key
      pvkB - second PIN verification key
      pvkIdx - PIN verification key index
      excludes - PIN values to reject
      Returns:
      PVV (VISA PIN Verification Value)
      Throws:
      SMException - on security module error
    • calculatePVVImpl

      protected String calculatePVVImpl(EncryptedPIN pinUnderKd1, SecureDESKey kd1, SecureDESKey pvkA, SecureDESKey pvkB, int pvkIdx, List<String> excludes) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      calculatePVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pinUnderKd1 - PIN block encrypted under the source key
      kd1 - source key
      pvkA - first PIN verification key
      pvkB - second PIN verification key
      pvkIdx - PIN verification key index
      excludes - PIN values to reject
      Returns:
      PVV (VISA PIN Verification Value)
      Throws:
      SMException - on security module error
    • verifyPVVImpl

      public boolean verifyPVVImpl(EncryptedPIN pinUnderKd1, SecureDESKey kd1, SecureDESKey pvkA, SecureDESKey pvkB, int pvki, String pvv) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      verifyPVVImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pinUnderKd1 - PIN block encrypted under the key
      kd1 - secure key
      pvkA - first PIN verification key
      pvkB - second PIN verification key
      pvki - PIN verification key index
      pvv - PIN verification value
      Returns:
      true if pin is valid, false if not
      Throws:
      SMException - on security module error
    • translatePINImpl

      public EncryptedPIN translatePINImpl(EncryptedPIN pinUnderKd1, SecureDESKey kd1, SecureDESKey kd2, byte destinationPINBlockFormat) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      translatePINImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pinUnderKd1 - PIN block encrypted under the source key
      kd1 - source key
      kd2 - destination key
      destinationPINBlockFormat - destination PIN block format
      Returns:
      translated pin
      Throws:
      SMException - on security module error
    • calculateARQC

      protected byte[] calculateARQC(MKDMethod mkdm, SKDMethod skdm, SecureDESKey imkac, String accountNo, String accntSeqNo, byte[] atc, byte[] upn, byte[] transData) throws SMException
      Calculate ARQC (Application Request Cryptogram).

      Entry point e.g. for simulator systems.

      Parameters:
      mkdm - Master Key Derivation Method
      skdm - Session Key Derivation Method
      imkac - Issuer Master Key for Application Cryptogram
      accountNo - account number
      accntSeqNo - account sequence number
      atc - Application Transaction Counter
      upn - Unpredictable Number
      transData - transaction data
      Returns:
      computed ARQC bytes
      Throws:
      SMException - on cryptographic failure
    • verifyARQCImpl

      protected boolean verifyARQCImpl(MKDMethod mkdm, SKDMethod skdm, SecureDESKey imkac, String accountNo, String accntSeqNo, byte[] arqc, byte[] atc, byte[] upn, byte[] transData) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      verifyARQCImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      mkdm - master-key derivation method
      skdm - session-key derivation method
      imkac - issuer master key for application cryptograms
      accountNo - card account number
      accntSeqNo - PAN sequence number
      arqc - application request cryptogram
      atc - application transaction counter
      upn - unpredictable number
      transData - transaction data
      Returns:
      true if ARQC/TC/AAC is valid or false if not
      Throws:
      SMException - on security module error
    • generateARPCImpl

      public byte[] generateARPCImpl(MKDMethod mkdm, SKDMethod skdm, SecureDESKey imkac, String accountNo, String accntSeqNo, byte[] arqc, byte[] atc, byte[] upn, ARPCMethod arpcMethod, byte[] arc, byte[] propAuthData) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      generateARPCImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      mkdm - master-key derivation method
      skdm - session-key derivation method
      imkac - issuer master key for application cryptograms
      accountNo - card account number
      accntSeqNo - PAN sequence number
      arqc - application request cryptogram
      atc - application transaction counter
      upn - unpredictable number
      arpcMethod - ARPC generation method
      arc - authorization response code
      propAuthData - proprietary authentication data
      Returns:
      calculated ARPC
      Throws:
      SMException - on security module error
    • verifyARQCGenerateARPCImpl

      public byte[] verifyARQCGenerateARPCImpl(MKDMethod mkdm, SKDMethod skdm, SecureDESKey imkac, String accountNo, String accntSeqNo, byte[] arqc, byte[] atc, byte[] upn, byte[] transData, ARPCMethod arpcMethod, byte[] arc, byte[] propAuthData) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      verifyARQCGenerateARPCImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      mkdm - master-key derivation method
      skdm - session-key derivation method
      imkac - issuer master key for application cryptograms
      accountNo - card account number
      accntSeqNo - PAN sequence number
      arqc - application request cryptogram
      atc - application transaction counter
      upn - unpredictable number
      transData - transaction data
      arpcMethod - ARPC generation method
      arc - authorization response code
      propAuthData - proprietary authentication data
      Returns:
      calculated ARPC
      Throws:
      SMException - on security module error
    • calculateARPC

      protected byte[] calculateARPC(Key skarpc, byte[] arqc, ARPCMethod arpcMethod, byte[] arc, byte[] propAuthData) throws SMException
      Calculate ARPC (Application Response Cryptogram).

      Entry point e.g. for simulator systems.

      Parameters:
      skarpc - Session Key for ARPC computation
      arqc - Application Request Cryptogram
      arpcMethod - ARPC generation method
      arc - Authorization Response Code
      propAuthData - proprietary authentication data (may be null)
      Returns:
      computed ARPC bytes
      Throws:
      SMException - on cryptographic failure
    • generateSM_MACImpl

      protected byte[] generateSM_MACImpl(MKDMethod mkdm, SKDMethod skdm, SecureDESKey imksmi, String accountNo, String accntSeqNo, byte[] atc, byte[] arqc, byte[] data) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      generateSM_MACImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      mkdm - master-key derivation method
      skdm - session-key derivation method
      imksmi - issuer master key for secure messaging integrity
      accountNo - card account number
      accntSeqNo - PAN sequence number
      atc - application transaction counter
      arqc - application request cryptogram
      data - input data
      Returns:
      generated 8 bytes MAC
      Throws:
      SMException - on security module error
    • translatePINGenerateSM_MACImpl

      protected org.javatuples.Pair<EncryptedPIN, byte[]> translatePINGenerateSM_MACImpl(MKDMethod mkdm, SKDMethod skdm, PaddingMethod padm, SecureDESKey imksmi, String accountNo, String accntSeqNo, byte[] atc, byte[] arqc, byte[] data, EncryptedPIN currentPIN, EncryptedPIN newPIN, SecureDESKey kd1, SecureDESKey imksmc, SecureDESKey imkac, byte destinationPINBlockFormat) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      translatePINGenerateSM_MACImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      mkdm - master-key derivation method
      skdm - session-key derivation method
      padm - padding method
      imksmi - issuer master key for secure messaging integrity
      accountNo - card account number
      accntSeqNo - PAN sequence number
      atc - application transaction counter
      arqc - application request cryptogram
      data - input data
      currentPIN - current PIN value
      newPIN - replacement PIN value
      kd1 - source key
      imksmc - issuer master key for secure messaging confidentiality
      imkac - issuer master key for application cryptograms
      destinationPINBlockFormat - destination PIN block format
      Returns:
      Pair of values, encrypted PIN and 8 bytes MAC
      Throws:
      SMException - on security module error
    • encryptDataImpl

      public byte[] encryptDataImpl(CipherMode cipherMode, SecureDESKey kd, byte[] data, byte[] iv) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      encryptDataImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      cipherMode - cipher mode
      kd - secure key
      data - input data
      iv - initialization vector
      Returns:
      encrypted data
      Throws:
      SMException - on security module error
    • decryptDataImpl

      public byte[] decryptDataImpl(CipherMode cipherMode, SecureDESKey kd, byte[] data, byte[] iv) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      decryptDataImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      cipherMode - cipher mode
      kd - secure key
      data - input data
      iv - initialization vector
      Returns:
      decrypted data
      Throws:
      SMException - on security module error
    • generateCBC_MACImpl

      protected byte[] generateCBC_MACImpl(byte[] data, SecureDESKey kd) throws SMException
      Generates CBC-MAC (Cipher Block Chaining Message Authentication Code) for some data.
      Overrides:
      generateCBC_MACImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      data - the data to be MACed
      kd - the key used for MACing
      Returns:
      generated CBC-MAC bytes
      Throws:
      SMException - on MAC computation failure
    • generateEDE_MACImpl

      protected byte[] generateEDE_MACImpl(byte[] data, SecureDESKey kd) throws SMException
      Generates EDE-MAC (Encrypt Decrypt Encrypt Message Authentication Code) for some data.
      Overrides:
      generateEDE_MACImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      data - the data to be MACed
      kd - the key used for MACing
      Returns:
      generated EDE-MAC bytes
      Throws:
      SMException - on MAC computation failure
    • generateClearKeyComponent

      public String generateClearKeyComponent(short keyLength) throws SMException
      Generates a random clear key component.
      Parameters:
      keyLength - the desired key length (e.g. LENGTH_DES, LENGTH_DES3_2KEY)
      Returns:
      clear key component as a hex string
      Throws:
      SMException - on key generation failure
    • generateKeyCheckValueImpl

      protected byte[] generateKeyCheckValueImpl(SecureDESKey secureDESKey) throws SMException
      Generates key check value.
      Overrides:
      generateKeyCheckValueImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      secureDESKey - SecureDESKey with untrusted or fake Key Check Value
      Returns:
      generated Key Check Value
      Throws:
      SMException - on cryptographic failure
    • translateKeySchemeImpl

      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      translateKeySchemeImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      key - secure key
      keyScheme - destination key scheme
      Returns:
      translated key with destKeyScheme scheme
      Throws:
      SMException - on security module error
    • formKEYfromThreeClearComponents

      public SecureDESKey formKEYfromThreeClearComponents(short keyLength, String keyType, String clearComponent1HexString, String clearComponent2HexString, String clearComponent3HexString) throws SMException
      Forms a key from 3 clear components and returns it encrypted under its corresponding LMK. The corresponding LMK is determined from the keyType.
      Parameters:
      keyLength - e.g. LENGTH_DES, LENGTH_DES3_2, LENGTH_DES3_3, ..
      keyType - possible values are those defined in the SecurityModule interface, e.g. ZMK, TMK
      clearComponent1HexString - HexString containing the first component
      clearComponent2HexString - HexString containing the second component
      clearComponent3HexString - HexString containing the third component
      Returns:
      SecureDESKey formed from the three clear components
      Throws:
      SMException - on key formation failure
    • formKEYfromClearComponents

      public SecureDESKey formKEYfromClearComponents(short keyLength, String keyType, String... components) throws SMException
      Description copied from interface: SMAdapter
      Forms a key from 3 clear components and returns it encrypted under its corresponding LMK. The corresponding LMK is determined from the keyType.
      Specified by:
      formKEYfromClearComponents in interface SMAdapter<SecureDESKey>
      Overrides:
      formKEYfromClearComponents in class BaseSMAdapter<SecureDESKey>
      Parameters:
      keyLength - e.g. LENGTH_DES, LENGTH_DES3_2, LENGTH_DES3_3, ..
      keyType - possible values are those defined in the SecurityModule interface, e.g. ZMK, TMK, ...
      components - up to three HexStrings containing key components
      Returns:
      forms a SecureDESKey from two clear components
      Throws:
      SMException - on security module error
    • calculateKeyCheckValue

      protected byte[] calculateKeyCheckValue(Key key) throws SMException
      Calculates a key check value over a clear key.
      Parameters:
      key - the clear key
      Returns:
      the key check value
      Throws:
      SMException - on error
    • encryptToLMK

      protected SecureDESKey encryptToLMK(short keyLength, String keyType, Key clearDESKey) throws SMException
      Encrypts a clear DES Key under LMK to form a SecureKey.
      Parameters:
      keyLength - the key length (e.g. LENGTH_DES, LENGTH_DES3_2KEY)
      keyType - the key type as defined in SMAdapter (e.g. ZMK, TMK)
      clearDESKey - the clear DES key to encrypt
      Returns:
      secureDESKey the key encrypted under LMK
      Throws:
      SMException - on encryption failure
    • decryptFromLMK

      protected Key decryptFromLMK(SecureDESKey secureDESKey) throws SMException
      Decrypts a secure DES key from encryption under LMK.
      Parameters:
      secureDESKey - key encrypted under LMK
      Returns:
      clear key
      Throws:
      SMException - on decryption failure
    • calculatePINBlock

      protected byte[] calculatePINBlock(String pin, byte pinBlockFormat, String accountNumber) throws SMException
      Calculates the clear PIN Block
      Parameters:
      pin - as entered by the card holder on the PIN entry device
      pinBlockFormat - the PIN block format identifier
      accountNumber - the 12 right-most digits of the account number, excluding the check digit
      Returns:
      The clear PIN Block
      Throws:
      SMException - on invalid PIN or format error
    • calculatePIN

      protected String calculatePIN(byte[] pinBlock, byte pinBlockFormat, String accountNumber) throws SMException
      Calculates the clear PIN (as entered by the card holder on the PIN entry device) given the clear PIN block
      Parameters:
      pinBlock - clear PIN Block
      pinBlockFormat - the PIN block format identifier
      accountNumber - the 12 right-most digits of the account number
      Returns:
      the pin
      Throws:
      SMException - on invalid PIN block or format error
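
      Added example (not jPOS source) of the round trip that calculatePINBlock and calculatePIN describe, assuming the ISO 9564-1 format 0 layout as the format selected by pinBlockFormat. The class name, method names and the sample PAN and PIN are hypothetical and constructed for illustration.

```java
import java.util.HexFormat;

// Added illustration, not jPOS source; names are hypothetical. Needs Java 17+.
public class PinBlockFormat0Demo {
    static final HexFormat HEX = HexFormat.of().withUpperCase();

    // 12 right-most digits of the PAN, excluding the trailing check digit
    static String accountField(String pan) {
        if (!pan.matches("\\d{13,19}")) throw new IllegalArgumentException("bad PAN");
        return pan.substring(pan.length() - 13, pan.length() - 1);
    }

    static byte[] xor(byte[] a, byte[] b) {
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    static byte[] encode(String pin, String account12) {
        if (!pin.matches("\\d{4,12}")) throw new IllegalArgumentException("PIN must be 4-12 digits");
        if (!account12.matches("\\d{12}")) throw new IllegalArgumentException("need 12 account digits");
        // PIN field: control nibble 0, length nibble, PIN digits, F fill up to 16 nibbles
        String pinField = "0" + Integer.toHexString(pin.length()) + pin + "F".repeat(14 - pin.length());
        return xor(HEX.parseHex(pinField), HEX.parseHex("0000" + account12));
    }

    static String decode(byte[] block, String account12) {
        String f = HEX.formatHex(xor(block, HEX.parseHex("0000" + account12)));
        int len = Character.digit(f.charAt(1), 16);
        if (f.charAt(0) != '0' || len < 4 || len > 12)
            throw new IllegalArgumentException("not a format 0 block");
        String pin = f.substring(2, 2 + len);
        if (!pin.matches("\\d+") || !f.substring(2 + len).matches("F*"))
            throw new IllegalArgumentException("bad PIN digits or fill");
        return pin;
    }

    public static void main(String[] args) {
        String acct = accountField("43219876543210987"); // constructed PAN
        byte[] block = encode("1234", acct);             // constructed PIN
        System.out.println("clear PIN block: " + HEX.formatHex(block));
        System.out.println("recovered PIN:   " + decode(block, acct));
        try {
            decode(block, "000000000001");               // wrong account digits
        } catch (IllegalArgumentException e) {
            System.out.println("wrong account rejected: " + e.getMessage());
        }
    }
}
```

      Decoding with the wrong account digits leaves non-decimal nibbles in the PIN field, which is the kind of format error the Throws clause refers to.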
    • specialEncrypt

      protected byte[] specialEncrypt(byte[] data, byte[] key) throws JCEHandlerException
      DUKPT helper that applies a single- or triple-DES "X9.24" style transform over an 8-byte block. For an 8-byte key the block is XORed with the key, DES-encrypted under that key, and XORed with the key again; for a 16-byte key it is the standard EDE3 transform.
      Parameters:
      data - 8-byte input block
      key - single- or double-length DES key
      Returns:
      the transformed 8-byte block
      Throws:
      JCEHandlerException - on cipher failure
    • specialDecrypt

      protected byte[] specialDecrypt(byte[] data, byte[] key) throws JCEHandlerException
      Parameters:
      data - 8-byte input block
      key - single- or double-length DES key
      Returns:
      the transformed 8-byte block
      Throws:
      JCEHandlerException - on cipher failure
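
      Added example (not jPOS source) of the transform described under specialEncrypt, written against plain JCE. The class and method names are hypothetical, the key and block are constructed test values, and the handling of the 16-byte key as two-key triple DES (K1, K2, K1) and the decrypt direction are assumptions, since the page does not spell them out.

```java
import java.util.Arrays;
import java.util.HexFormat;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not jPOS source; names are hypothetical. Needs Java 17+.
public class SpecialTransformDemo {

    static byte[] xor(byte[] a, byte[] b) {
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    static byte[] ecb(int mode, String alg, byte[] key, byte[] block) throws Exception {
        Cipher c = Cipher.getInstance(alg + "/ECB/NoPadding");
        c.init(mode, new SecretKeySpec(key, alg));
        return c.doFinal(block);
    }

    // mode is Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE
    static byte[] transform(int mode, byte[] data, byte[] key) throws Exception {
        if (data.length != 8) throw new IllegalArgumentException("data must be one 8-byte block");
        if (key.length == 8) {
            // XOR with the key, single DES, XOR with the key again.
            // The inverse has the same shape with the cipher in decrypt mode.
            return xor(ecb(mode, "DES", key, xor(data, key)), key);
        }
        if (key.length == 16) {
            // Assumption: the double-length key K1|K2 is used as two-key triple DES,
            // which JCE's DESede expects as the 24-byte key K1|K2|K1.
            byte[] k24 = Arrays.copyOf(key, 24);
            System.arraycopy(key, 0, k24, 16, 8);
            return ecb(mode, "DESede", k24, data);
        }
        throw new IllegalArgumentException("key must be 8 or 16 bytes");
    }

    public static void main(String[] args) throws Exception {
        HexFormat hex = HexFormat.of().withUpperCase();
        byte[] block = hex.parseHex("0011223344556677");               // constructed sample block
        byte[] k16 = hex.parseHex("0123456789ABCDEFFEDCBA9876543210"); // constructed test key
        for (byte[] key : new byte[][] {Arrays.copyOf(k16, 8), k16}) {
            byte[] enc = transform(Cipher.ENCRYPT_MODE, block, key);
            byte[] dec = transform(Cipher.DECRYPT_MODE, enc, key);
            System.out.println(key.length + "-byte key: " + hex.formatHex(enc)
                    + " round-trip=" + Arrays.equals(block, dec));
        }
    }
}
```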
    • dataEncrypt

      public byte[] dataEncrypt(SecureDESKey bdk, byte[] clearText) throws SMException
      Description copied from interface: SMAdapter
      Encrypt Data
      Specified by:
      dataEncrypt in interface SMAdapter<SecureDESKey>
      Overrides:
      dataEncrypt in class BaseSMAdapter<SecureDESKey>
      Parameters:
      bdk - base derivation key
      clearText - clear Text
      Returns:
      cyphertext
      Throws:
      SMException - on security module error
    • dataDecrypt

      public byte[] dataDecrypt(SecureDESKey bdk, byte[] cypherText) throws SMException
      Description copied from interface: SMAdapter
      Decrypt Data
      Specified by:
      dataDecrypt in interface SMAdapter<SecureDESKey>
      Overrides:
      dataDecrypt in class BaseSMAdapter<SecureDESKey>
      Parameters:
      bdk - base derivation key
      cypherText - cypher text
      Returns:
      cleartext
      Throws:
      SMException - on security module error
    • calculateDerivedKey

      protected byte[] calculateDerivedKey(KeySerialNumber ksn, SecureDESKey bdk, boolean tdes, boolean dataEncryption) throws SMException
      Computes the DUKPT-derived working key for the given KSN and BDK.
      Parameters:
      ksn - key serial number
      bdk - base derivation key, encrypted under the LMK
      tdes - if true, use the triple-DES variant; otherwise single-DES
      dataEncryption - true when deriving a data-encryption variant key
      Returns:
      the derived working key bytes
      Throws:
      SMException - if derivation fails
    • importBDK

      public SecureDESKey importBDK(String clearComponent1HexString, String clearComponent2HexString, String clearComponent3HexString) throws SMException
      Imports a 128-bit BDK assembled from three clear hex-encoded components.
      Parameters:
      clearComponent1HexString - first hex component
      clearComponent2HexString - second hex component
      clearComponent3HexString - third hex component
      Returns:
      the secured BDK encrypted under the LMK
      Throws:
      SMException - if any component is malformed or assembly fails
    • translatePINImpl

      protected EncryptedPIN translatePINImpl(EncryptedPIN pinUnderDuk, KeySerialNumber ksn, SecureDESKey bdk, SecureDESKey kd2, byte destinationPINBlockFormat, boolean tdes) throws SMException
      Translates a DUKPT-encrypted PIN block to a target encryption key, optionally re-formatting the PIN block.
      Overrides:
      translatePINImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pinUnderDuk - PIN block encrypted under a derived DUKPT key
      ksn - key serial number used to derive the source key
      bdk - base derivation key, encrypted under the LMK
      kd2 - destination key, encrypted under the LMK
      destinationPINBlockFormat - target PIN block format
      tdes - if true, derive using triple-DES
      Returns:
      the PIN re-encrypted under kd2
      Throws:
      SMException - if derivation, decryption, or re-encryption fails
    • importPINImpl

      protected EncryptedPIN importPINImpl(EncryptedPIN pinUnderDuk, KeySerialNumber ksn, SecureDESKey bdk, boolean tdes) throws SMException
      Description copied from class: BaseSMAdapter
      Your SMAdapter should override this method if it has this functionality
      Overrides:
      importPINImpl in class BaseSMAdapter<SecureDESKey>
      Parameters:
      pinUnderDuk - PIN block encrypted under a DUKPT-derived key
      ksn - key serial number
      bdk - base derivation key
      tdes - whether to use triple-DES DUKPT derivation
      Returns:
      imported pin
      Throws:
      SMException - on security module error
    • exportPIN

      public EncryptedPIN exportPIN(EncryptedPIN pinUnderLmk, KeySerialNumber ksn, SecureDESKey bdk, boolean tdes, byte destinationPINBlockFormat) throws SMException
      Exports PIN to DUKPT Encryption.
      Parameters:
      pinUnderLmk - PIN block encrypted under the LMK
      ksn - key serial number used to derive the working key
      bdk - base derivation key, encrypted under the LMK
      tdes - if true, derive using triple-DES
      destinationPINBlockFormat - target PIN block format
      Returns:
      The encrypted pin
      Throws:
      SMException - if derivation, decryption, or re-encryption fails