The following are text descriptions of images used in Java Cryptography Architecture (JCA) Reference Guide

Description of Figure 1a: Provider searching and Figure 1b: Specific provider requested

Figure 1a Provider searching

This image consists of five cylinders that represent the following:

• Application
• Provider Framework
• ProviderA: Message digest implementations SHA384 and SHA512
• ProviderB: Message digest implementations SHA256 and SHA384
• ProviderC: Message digest implementations SHA256 and SHA512

An arrow representing a call to MessageDigest.getInstance("SHA-256") starts from the Application cylinder and passes through the following cylinders in the indicated order:

1. Provider Framework
2. ProviderA
3. ProviderB
4. Provider Framework

The arrow ends at the Application cylinder. The call to MessageDigest.getInstance("SHA-256") has returned a SHA-256 message digest implementation from ProviderB.

Figure 1b Specific provider requested

This image consists of five cylinders that represent the following:

• Application
• Provider Framework
• ProviderA: Message digest implementations SHA384 and SHA512
• ProviderB: Message digest implementations SHA256 and SHA384
• ProviderC: Message digest implementations SHA256 and SHA512

An arrow representing a call to MessageDigest.getInstance("SHA-256", "ProviderC") starts from the Application cylinder and passes through the following cylinders in the indicated order:

1. Provider Framework
2. ProviderC
3. Provider Framework

The arrow ends at the Application cylinder. The call to MessageDigest.getInstance("SHA-256", "ProviderC") has returned a SHA-256 message digest implementation from ProviderC.

Description of Figure 2: Example of How Application Retrieves "AES" Cipher Instance

This figure consists of five boxes:

• Application: This box contains the following pseudocode:

  c:Cipher.getInstance("AES");

• JCA/JCE: This box contains the following list:

  • Signature
  • Message Digest
  • Key Script Generator
  • Key Factory
  • Algorithm Parameters
  • Cipher
  • Key Agreement
  • Key Generator
  • Secret Key Factory
  • MAC

• CSP, CSP2, CSP3: These boxes represent cryptographic service providers

• The fifth box represents CSP3. It contains the following headers and pseudocode:

  • Provider.class

    "Cipher.AES" -> "com.foo.AESCipher"

  • com.foo.AESCipher.class

    package com.foo:
      class AESCipher extends CipherSPi {
        .
        .
        .
      }

Arrows connect the boxes as follows:

• From Application to JCA/JCE
• From JCA/JCE to CSP1, CSP2, and CSP3 (the arrow branches)

A dotted line connects CSP3 to the headings Provider.class and com.foo.AESCipher.class

Description of Figure 3: Example of Provider Subclass

This figure consists of a cylinder labeled Provider C and a box. Dotted lines are used to indicate that Provider C contains the contents of the box. The box contains the following headers and Java code:

• provider.java

  public class fooJCA extends Provider {
      .
      .
      put("MessageDigest.SHA-256", "com.foo.SHA256");
      .
  }

• com.foo.SHA256.java

  package com.foo;
  public class SHA256 extends MessageDigestSpi {
      .
      .
  }

Description of Figure 4: The SecureRandom Class

This figure consists of three boxes labeled as follows:

• Seed
• SecureRandom (DRGB)
• data

Labeled arrows connect these boxes:

• setSeed(): From Seed to SecureRandom (DRGB)
• digest() and nextBytes(): From SecureRandom (DRGB) to data

Description of Figure 5: The MessageDigest Class

This figure consists of three boxes labeled as follows:

• Data
• Message Digest (SHA-256)
• Digest/Hash

Labeled arrows connect these boxes:

• update(): From Data to Message Digest (SHA-256)
• digest(): From Message Digest (SHA-256) to Digest/Hash

Description of Figure 6: The Signature Class

This figure consists of boxes labeled as follows:

• Generated by a Key Pair Generator: Contains a box labeled Private Key/Public Key
• Data
• These two boxes are attached to each other:
  • Signature (SHA256withRSA): Box 1 of 2
  • Sign
• Signature Bytes
• These two boxes are attached to each other:
  • Signature (SHA256withRSA): Box 2 of 2
  • Verify
• Yes/No

Labeled arrows connect these boxes:

• update(): From Data to Signature (SHA256withRSA) #1
• update(): From Data to Signature (SHA256withRSA) #2
• sign(): From Signature (SHA256withRSA) #1 to Signature Bytes
• verify(): From Signature Bytes Data to Signature (SHA256withRSA) #2

Unlabeled arrows connect these boxes:

• From Generated by a Key Pair Generator to Signature (SHA256withRSA) #1 and Signature (SHA256withRSA) #2 (the arrow branches)
• From Signature (MD5withRSA) #2 to Yes/No

Description of Figure 7: The Cipher Class

This figure consists of boxes labeled as follows:

• Key: Contains a box labeled Secret Key
• Plaintext
• These two boxes are attached to each other:
  • Cipher (AES): Box 1 of 2
  • Encrypt
• Algorithm Parameters
• Ciphertext
• These two boxes are attached to each other:
  • Cipher (AES): Box 2 of 2
  • Decrypt
• Plaintext

Labeled arrows connect these boxes:

• update(): From Plaintext to the Cipher (AES) #1
• doFinal(): From Plaintext to Encrypt
• update(): From Ciphertext to the Cipher (AES) #2
• doFinal(): From Ciphertext to Decrypt

Unlabeled arrows connect these boxes:

• From Key to the Cipher (AES) #1 and Cipher (AES) #2 (the arrow branches)
• From Cipher (AES) #1 to Algorithm Parameters
• From Algorithm Parameters to the Cipher (AES) compartment of the Decrypt box
• From Cipher (AES) #2 to Plaintext
• From Decrypt to Plaintext

Description of Figure 8: The Mac Class

This figure consists of boxes labeled as follows:

• Data: Two boxes are labeled this
• MAC (HmacSHA256): Two boxes are labeled this
• Shared Secret Key
• Signal Digest Hash: Two boxes are labeled this
• If data was the same, the hash is the same

Labeled arrows connect these boxes:

• update(): From Data #1 to MAC (HmacSHA256) #1
• doFinal(): From Data #1 to MAC (HmacSHA256) #1
• update(): From Data #2 to MAC (HmacSHA256) #2
• doFinal(): From Data #2 to MAC (HmacSHA256) #2

Unlabeled arrows connect these boxes:

• From Shared Secret Key to MAC (HmacSHA256) (two separate arrows)
• From MAC (HmacSHA256) #1 to Signed Digest Hash #1
• From MAC (HmacSHA256) #2 to Signed Digest Hash #2
• From Signed Digest Hash #1 to If data was the same, the hash is the same
• From Signed Digest Hash #2 to If data was the same, the hash is the same

Description of Figure 9: Differences Between Generators and Factories

This figure consists of two diagrams:

Generators

This diagram contains the following caption: Generators — Generate new objects based on initialization parameters

It consists of boxes labeled as follows:

• Initialization Parameters (Key Length)
• Generator
• Object Secret Key

Unlabeled arrows connect these boxes:

• From Initialization Parameters (Key Length) to Generator
• From Generator to Object Secret Key

Factories

This diagram contains the following caption: Factories — Transform existing specific objects into other object types

It consists of boxes labeled as follows:

• Type 1 Key Spec
• Factory
• Type 2 Secret Key

Unlabeled arrows connect these boxes:

• From Type 1 Key Spec to Factory
• From Factory to Type 2 Secret Key

Description of Figure 10: The KeyFactory Class

This figure consists of boxes labeled as follows:

• Key Spec
• Key Factory (RSA): Two boxes are labeled this
• Private Key
• Public Key
• Key Spec

Labeled arrows connect these boxes:

• generatePrivate(): From Key Factory (RSA) #1 to Private Key
• generatePublic(): From Key Factory (RSA) #1 to Public Key
• getKeySpec(): From Key Factory (RSA) #2 to Key Spec

Unlabeled arrows connect these boxes:

• From Key Spec to Key Factory (RSA) #1
• From Key to Key Factory (RSA) #2

Description of Figure 11: The SecretKeyFactory Class

This figure consists of boxes labeled as follows:

• Key Spec: Two boxes are labeled this
• Secret Key Factory (AES): This box has a sublabel, generateSecret()
• Secret Key: Two boxes are labeled this
• Secret Key Factory (AES): This box has a sublabel, getKeySpec()

Unlabeled arrows connect these boxes:

• From Key Spec #1 to Secret Key Factory (AES), generateSecret()
• From Secret Key Factory (AES), generateSecret() to Secret Key #1
• From Secret Key #2 to Secret Key Factory (AES), getKeySpec()
• From Secret Key Factory (AES), getKeySpec() to Key Spec #2

Description of Figure 12: The KeyPairGenerator Class

This figure consists of boxes labeled as follows:

• These boxes are joined by the word "or":
  • key length
  • AlgorithmParameterSpec
• Key Pair Generator (DH)
• Key Pair
• Private Key
• Public Key

Labeled arrows connect these boxes:

• init(): From key length to Key Pair Generator (DH)
• init(): From AlgorithmParameterSpec to Key Pair Generator (DH)
• genKeyPair(): From Key Pair Generator (DH) to Key Pair
• getPrivate(): From Key Pair to Private Key
• getPublic(): From Key Pair to Public Key

Description of Figure 13: The KeyGenerator Class

This figure consists of boxes labeled as follows:

• These boxes are joined by the word "or":
  • key length
  • AlgorithmParameterSpec
• Key Generator (AES)
• Secret Key

Labeled arrows connect these boxes:

• init(): From key length to Key Generator (AES)
• init(): From AlgorithmParameterSpec to Key Generator (AES)
• generateKey(): From Key Generator (AES) to Secret Pair

Description of Figure 14: The KeyAgreement Class

This figure is divided into halves by a dashed line. The top half is labeled Alice, and the bottom half is labeled Bob. The figure consists of boxes labeled as follows:

• These boxes are in Alice's half:
  • Key: This box contains a box labeled Alice's Private
  • Key: This box contains a box labeled Bob's Public
  • Key Agreement (DH)
  • Bytes: This box has another label, Bytes
• These boxes are in Bob's half:
  • Key: This box contains a box labeled Bob's Private
  • Key: This box contains a box labeled Alice's Public
  • Key Agreement (DH)
  • Bytes: This box has another label, Bytes

Labeled arrows connect these boxes:

• These arrows are in Alice's half:
  • init(): From Alice's Private Key to Key Agreement (DH)
  • doPhase(): From Bob's Public Key to Key Agreement (DH)
  • generateSecret(): From Key Agreement (DH) to Bytes
• These arrows are in Bob's half:
  • init(): From Bob's Private Key to Key Agreement (DH)
  • doPhase(): From Alice's Public Key to Key Agreement (DH)
  • generateSecret(): From Key Agreement (DH) to Bytes

A double-headed arrow joins the Bytes boxes in Alice's and Bob's halves. This arrow is labeled "Should be the same."

• init(): From key length to Key Generator (AES)
• init(): From AlgorithmParameterSpec to Key Generator (AES)
• generateKey(): From Key Generator (AES) to Secret Pair

Description of Figure 15: The KeyStore Class

This figure consists of a table labeled PKCS12 and a cylinder labeled File.

The table PKCS12 contains the following:

Alias	Type	Data
Brad	Private Key/Certificate	...
Deb	Secret Key	...
Milton	Trusted Certificate	...
Duke	Trusted Certificate	...

An arrow labeled store() points from the JKS table to the File cylinder. An arrow labeled load() points from the File cylinder to the PKCS12 table.

Description of Figure 16: SSL Messages

This figure contains two lists of steps that are next to each other. The list to the left is labeled Client. The list to the right is labeled Server.

The Client list contains the following items:

• 1. Client hello
• 7. Certificate optional
• 8. Client key exchange
• 9. Certificate verify optional
• 10. Change cipher spec
• 11. Finished
• 14. Encrypted data
• 15. Close messages

Five empty lines separate item 1. Client hello and item 7. Certificate. Two empty lines separate item 11. Finished and item 14. Finished.

The Server list contains the following items:

• 2. Server hello
• 3. Certificate optional
• 4. Certificate request optional
• 5. Server key exchange optional
• 6. Server hello done
• 12. Change cipher spec
• 13. Finished
• 14. Encrypted data
• 15. Close messages

Five empty lines separate item 6. Server hello done and item 12. Change cipher spec.

An arrow points from each item in the Client list to the corresponding empty line in the Server list. Similarly, an arrow points from each item in the Server list to the corresponding empty line in the Client list. For items 14 and 15 in the Client and Server lists, double-headed arrows connect them instead.