/*

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package javax.crypto.spec;

import java.security.spec.KeySpec;

/**

 * A user-chosen password that can be used with password-based encryption

 * (<i>PBE</i>).

 *

 * <p>The password can be viewed as some kind of raw key material, from which

 * the encryption mechanism that uses it derives a cryptographic key.

 *

 * <p>Different PBE mechanisms may consume different bits of each password

 * character. For example, the PBE mechanism defined in

 * <a href="http://www.ietf.org/rfc/rfc2898.txt">

 * PKCS #5</a> looks at only the low order 8 bits of each character, whereas

 * PKCS #12 looks at all 16 bits of each character.

 *

 * <p>You convert the password characters to a PBE key by creating an

 * instance of the appropriate secret-key factory. For example, a secret-key

 * factory for PKCS #5 will construct a PBE key from only the low order 8 bits

 * of each password character, whereas a secret-key factory for PKCS #12 will

 * take all 16 bits of each character.

 *

 * <p>Also note that this class stores passwords as char arrays instead of

 * <code>String</code> objects (which would seem more logical), because the

 * String class is immutable and there is no way to overwrite its

 * internal value when the password stored in it is no longer needed. Hence,

 * this class requests the password as a char array, so it can be overwritten

 * when done.

 *

 * @author Jan Luehe

 * @author Valerie Peng

 *

 * @see javax.crypto.SecretKeyFactory

 * @see PBEParameterSpec

 * @since 1.4

 */

public class PBEKeySpec implements KeySpec {

    private char[] password;

    private byte[] salt = null;

    private int iterationCount = 0;

    private int keyLength = 0;

    /**

     * Constructor that takes a password. An empty char[] is used if

     * null is specified.

     *

     * <p> Note: <code>password</code> is cloned before it is stored in

     * the new <code>PBEKeySpec</code> object.

     *

     * @param password the password.

     */

    public PBEKeySpec(char[] password) {

        if ((password == null) || (password.length == 0)) {

            this.password = new char[0];

        } else {

            this.password = password.clone();

        }

    }

    /**

     * Constructor that takes a password, salt, iteration count, and

     * to-be-derived key length for generating PBEKey of variable-key-size

     * PBE ciphers.  An empty char[] is used if null is specified for

     * <code>password</code>.

     *

     * <p> Note: the <code>password</code> and <code>salt</code>

     * are cloned before they are stored in

     * the new <code>PBEKeySpec</code> object.

     *

     * @param password the password.

     * @param salt the salt.

     * @param iterationCount the iteration count.

     * @param keyLength the to-be-derived key length.

     * @exception NullPointerException if <code>salt</code> is null.

     * @exception IllegalArgumentException if <code>salt</code> is empty,

     * i.e. 0-length, <code>iterationCount</code> or

     * <code>keyLength</code> is not positive.

     */

    public PBEKeySpec(char[] password, byte[] salt, int iterationCount,

        int keyLength) {

        if ((password == null) || (password.length == 0)) {

            this.password = new char[0];

        } else {

            this.password = password.clone();

        }

        if (salt == null) {

            throw new NullPointerException("the salt parameter " +

                                            "must be non-null");

        } else if (salt.length == 0) {

            throw new IllegalArgumentException("the salt parameter " +

                                                "must not be empty");

        } else {

            this.salt = salt.clone();

        }

        if (iterationCount<=0) {

            throw new IllegalArgumentException("invalid iterationCount value");

        }

        if (keyLength<=0) {

            throw new IllegalArgumentException("invalid keyLength value");

        }

        this.iterationCount = iterationCount;

        this.keyLength = keyLength;

    }

    /**

     * Constructor that takes a password, salt, iteration count for

     * generating PBEKey of fixed-key-size PBE ciphers. An empty

     * char[] is used if null is specified for <code>password</code>.

     *

     * <p> Note: the <code>password</code> and <code>salt</code>

     * are cloned before they are stored in the new

     * <code>PBEKeySpec</code> object.

     *

     * @param password the password.

     * @param salt the salt.

     * @param iterationCount the iteration count.

     * @exception NullPointerException if <code>salt</code> is null.

     * @exception IllegalArgumentException if <code>salt</code> is empty,

     * i.e. 0-length, or <code>iterationCount</code> is not positive.

     */

    public PBEKeySpec(char[] password, byte[] salt, int iterationCount) {

        if ((password == null) || (password.length == 0)) {

            this.password = new char[0];

        } else {

            this.password = password.clone();

        }

        if (salt == null) {

            throw new NullPointerException("the salt parameter " +

                                            "must be non-null");

        } else if (salt.length == 0) {

            throw new IllegalArgumentException("the salt parameter " +

                                                "must not be empty");

        } else {

            this.salt = salt.clone();

        }

        if (iterationCount<=0) {

            throw new IllegalArgumentException("invalid iterationCount value");

        }

        this.iterationCount = iterationCount;

    }

    /**

     * Clears the internal copy of the password.

     *

     */

    public final void clearPassword() {

        if (password != null) {

            password = null;

        }

    }

    /**

     * Returns a copy of the password.

     *

     * <p> Note: this method returns a copy of the password. It is

     * the caller's responsibility to zero out the password information after

     * it is no longer needed.

     *

     * @exception IllegalStateException if password has been cleared by

     * calling <code>clearPassword</code> method.

     * @return the password.

     */

    public final char[] getPassword() {

        if (password == null) {

            throw new IllegalStateException("password has been cleared");

        }

        return password.clone();

    }

    /**

     * Returns a copy of the salt or null if not specified.

     *

     * <p> Note: this method should return a copy of the salt. It is

     * the caller's responsibility to zero out the salt information after

     * it is no longer needed.

     *

     * @return the salt.

     */

    public final byte[] getSalt() {

        if (salt != null) {

            return salt.clone();

        } else {

            return null;

        }

    }

    /**

     * Returns the iteration count or 0 if not specified.

     *

     * @return the iteration count.

     */

    public final int getIterationCount() {

        return iterationCount;

    }

    /**

     * Returns the to-be-derived key length or 0 if not specified.

     *

     * <p> Note: this is used to indicate the preference on key length

     * for variable-key-size ciphers. The actual key size depends on

     * each provider's implementation.

     *

     * @return the to-be-derived key length.

     */

    public final int getKeyLength() {

        return keyLength;

    }

}