1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. 4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 5 * 6 * This code is free software; you can redistribute it and/or modify it 7 * under the terms of the GNU General Public License version 2 only, as 8 * published by the Free Software Foundation. Oracle designates this 9 * particular file as subject to the "Classpath" exception as provided 10 * by Oracle in the LICENSE file that accompanied this code. 11 * 12 * This code is distributed in the hope that it will be useful, but WITHOUT 13 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 14 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 15 * version 2 for more details (a copy is included in the LICENSE file that 16 * accompanied this code). 17 * 18 * You should have received a copy of the GNU General Public License version 19 * 2 along with this work; if not, write to the Free Software Foundation, 20 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 21 * 22 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 23 * or visit www.oracle.com if you need additional information or have any 24 * questions. 25 */ 26 27 package javax.crypto; 28 29 import java.util.*; 30 31 import java.security.*; 32 import java.security.Provider.Service; 33 import java.security.spec.*; 34 35 import sun.security.jca.*; 36 import sun.security.jca.GetInstance.Instance; 37 38 /** 39 * This class provides the functionality of a key agreement (or key 40 * exchange) protocol. 41 * <p> 42 * The keys involved in establishing a shared secret are created by one of the 43 * key generators (<code>KeyPairGenerator</code> or 44 * <code>KeyGenerator</code>), a <code>KeyFactory</code>, or as a result from 45 * an intermediate phase of the key agreement protocol. 46 * 47 * <p> For each of the correspondents in the key exchange, <code>doPhase</code> 48 * needs to be called. For example, if this key exchange is with one other 49 * party, <code>doPhase</code> needs to be called once, with the 50 * <code>lastPhase</code> flag set to <code>true</code>. 51 * If this key exchange is 52 * with two other parties, <code>doPhase</code> needs to be called twice, 53 * the first time setting the <code>lastPhase</code> flag to 54 * <code>false</code>, and the second time setting it to <code>true</code>. 55 * There may be any number of parties involved in a key exchange. 56 * 57 * <p> Android provides the following <code>KeyAgreement</code> algorithms: 58 * <table> 59 * <thead> 60 * <tr> 61 * <th>Algorithm</th> 62 * <th>Supported API Levels</th> 63 * </tr> 64 * </thead> 65 * <tbody> 66 * <tr> 67 * <td>DH</td> 68 * <td>1+</td> 69 * </tr> 70 * <tr> 71 * <td>ECDH</td> 72 * <td>11+</td> 73 * </tr> 74 * </tbody> 75 * </table> 76 * 77 * This algorithm is described in the <a href= 78 * "{@docRoot}openjdk-redirect.html?v=8&path=/technotes/guides/security/StandardNames.html#KeyAgreement"> 79 * KeyAgreement section</a> of the 80 * Java Cryptography Architecture Standard Algorithm Name Documentation. 81 * 82 * @author Jan Luehe 83 * 84 * @see KeyGenerator 85 * @see SecretKey 86 * @since 1.4 87 */ 88 89 public class KeyAgreement { 90 91 // Android-removed: this debugging mechanism is not used in Android. 92 /* 93 private static final Debug debug = 94 Debug.getInstance("jca", "KeyAgreement"); 95 96 private static final Debug pdebug = 97 Debug.getInstance("provider", "Provider"); 98 private static final boolean skipDebug = 99 Debug.isOn("engine=") && !Debug.isOn("keyagreement"); 100 */ 101 102 // The provider 103 private Provider provider; 104 105 // The provider implementation (delegate) 106 private KeyAgreementSpi spi; 107 108 // The name of the key agreement algorithm. 109 private final String algorithm; 110 111 // BEGIN Android-removed: Redo the provider selection logic to allow reselecting provider. 112 // When only the algorithm is specified, we want to allow the KeyAgreement provider for that 113 // algorithm to change if multiple providers exist and they support different subsets of 114 // keys. To that end, we don't hold an iterator and exhaust it when we need to choose 115 // a provider like the upstream implementation, we reestablish the list of providers 116 // each time. 117 /* 118 // next service to try in provider selection 119 // null once provider is selected 120 private Service firstService; 121 122 // remaining services to try in provider selection 123 // null once provider is selected 124 private Iterator<Service> serviceIterator; 125 */ 126 // END Android-removed: Redo the provider selection logic to allow reselecting provider. 127 128 private final Object lock; 129 130 /** 131 * Creates a KeyAgreement object. 132 * 133 * @param keyAgreeSpi the delegate 134 * @param provider the provider 135 * @param algorithm the algorithm 136 */ KeyAgreement(KeyAgreementSpi keyAgreeSpi, Provider provider, String algorithm)137 protected KeyAgreement(KeyAgreementSpi keyAgreeSpi, Provider provider, 138 String algorithm) { 139 this.spi = keyAgreeSpi; 140 this.provider = provider; 141 this.algorithm = algorithm; 142 lock = null; 143 } 144 145 // Android-changed: Remove Service and Iterator from constructor args. KeyAgreement(String algorithm)146 private KeyAgreement(String algorithm) { 147 this.algorithm = algorithm; 148 lock = new Object(); 149 } 150 151 /** 152 * Returns the algorithm name of this <code>KeyAgreement</code> object. 153 * 154 * <p>This is the same name that was specified in one of the 155 * <code>getInstance</code> calls that created this 156 * <code>KeyAgreement</code> object. 157 * 158 * @return the algorithm name of this <code>KeyAgreement</code> object. 159 */ getAlgorithm()160 public final String getAlgorithm() { 161 return this.algorithm; 162 } 163 164 /** 165 * Returns a <code>KeyAgreement</code> object that implements the 166 * specified key agreement algorithm. 167 * 168 * <p> This method traverses the list of registered security Providers, 169 * starting with the most preferred Provider. 170 * A new KeyAgreement object encapsulating the 171 * KeyAgreementSpi implementation from the first 172 * Provider that supports the specified algorithm is returned. 173 * 174 * <p> Note that the list of registered providers may be retrieved via 175 * the {@link Security#getProviders() Security.getProviders()} method. 176 * 177 * @param algorithm the standard name of the requested key agreement 178 * algorithm. 179 * See the KeyAgreement section in the <a href= 180 * "{@docRoot}openjdk-redirect.html?v=8&path=/technotes/guides/security/StandardNames.html#KeyAgreement"> 181 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 182 * for information about standard algorithm names. 183 * 184 * @return the new <code>KeyAgreement</code> object. 185 * 186 * @exception NullPointerException if the specified algorithm 187 * is null. 188 * 189 * @exception NoSuchAlgorithmException if no Provider supports a 190 * KeyAgreementSpi implementation for the 191 * specified algorithm. 192 * 193 * @see java.security.Provider 194 */ getInstance(String algorithm)195 public static final KeyAgreement getInstance(String algorithm) 196 throws NoSuchAlgorithmException { 197 List<Service> services = 198 GetInstance.getServices("KeyAgreement", algorithm); 199 // make sure there is at least one service from a signed provider 200 Iterator<Service> t = services.iterator(); 201 while (t.hasNext()) { 202 Service s = t.next(); 203 if (JceSecurity.canUseProvider(s.getProvider()) == false) { 204 continue; 205 } 206 // Android-changed: Remove Service and Iterator from constructor args. 207 // return new KeyAgreement(s, t, algorithm); 208 return new KeyAgreement(algorithm); 209 } 210 throw new NoSuchAlgorithmException 211 ("Algorithm " + algorithm + " not available"); 212 } 213 214 /** 215 * Returns a <code>KeyAgreement</code> object that implements the 216 * specified key agreement algorithm. 217 * 218 * <p> A new KeyAgreement object encapsulating the 219 * KeyAgreementSpi implementation from the specified provider 220 * is returned. The specified provider must be registered 221 * in the security provider list. 222 * 223 * <p> Note that the list of registered providers may be retrieved via 224 * the {@link Security#getProviders() Security.getProviders()} method. 225 * 226 * @param algorithm the standard name of the requested key agreement 227 * algorithm. 228 * See the KeyAgreement section in the <a href= 229 * "{@docRoot}openjdk-redirect.html?v=8&path=/technotes/guides/security/StandardNames.html#KeyAgreement"> 230 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 231 * for information about standard algorithm names. 232 * 233 * @param provider the name of the provider. 234 * 235 * @return the new <code>KeyAgreement</code> object. 236 * 237 * @exception NullPointerException if the specified algorithm 238 * is null. 239 * 240 * @exception NoSuchAlgorithmException if a KeyAgreementSpi 241 * implementation for the specified algorithm is not 242 * available from the specified provider. 243 * 244 * @exception NoSuchProviderException if the specified provider is not 245 * registered in the security provider list. 246 * 247 * @exception IllegalArgumentException if the <code>provider</code> 248 * is null or empty. 249 * 250 * @see java.security.Provider 251 */ getInstance(String algorithm, String provider)252 public static final KeyAgreement getInstance(String algorithm, 253 String provider) throws NoSuchAlgorithmException, 254 NoSuchProviderException { 255 Instance instance = JceSecurity.getInstance 256 ("KeyAgreement", KeyAgreementSpi.class, algorithm, provider); 257 return new KeyAgreement((KeyAgreementSpi)instance.impl, 258 instance.provider, algorithm); 259 } 260 261 /** 262 * Returns a <code>KeyAgreement</code> object that implements the 263 * specified key agreement algorithm. 264 * 265 * <p> A new KeyAgreement object encapsulating the 266 * KeyAgreementSpi implementation from the specified Provider 267 * object is returned. Note that the specified Provider object 268 * does not have to be registered in the provider list. 269 * 270 * @param algorithm the standard name of the requested key agreement 271 * algorithm. 272 * See the KeyAgreement section in the <a href= 273 * "{@docRoot}openjdk-redirect.html?v=8&path=/technotes/guides/security/StandardNames.html#KeyAgreement"> 274 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 275 * for information about standard algorithm names. 276 * 277 * @param provider the provider. 278 * 279 * @return the new <code>KeyAgreement</code> object. 280 * 281 * @exception NullPointerException if the specified algorithm 282 * is null. 283 * 284 * @exception NoSuchAlgorithmException if a KeyAgreementSpi 285 * implementation for the specified algorithm is not available 286 * from the specified Provider object. 287 * 288 * @exception IllegalArgumentException if the <code>provider</code> 289 * is null. 290 * 291 * @see java.security.Provider 292 */ getInstance(String algorithm, Provider provider)293 public static final KeyAgreement getInstance(String algorithm, 294 Provider provider) throws NoSuchAlgorithmException { 295 Instance instance = JceSecurity.getInstance 296 ("KeyAgreement", KeyAgreementSpi.class, algorithm, provider); 297 return new KeyAgreement((KeyAgreementSpi)instance.impl, 298 instance.provider, algorithm); 299 } 300 301 // max number of debug warnings to print from chooseFirstProvider() 302 private static int warnCount = 10; 303 304 /** 305 * Choose the Spi from the first provider available. Used if 306 * delayed provider selection is not possible because init() 307 * is not the first method called. 308 */ chooseFirstProvider()309 void chooseFirstProvider() { 310 if (spi != null) { 311 return; 312 } 313 synchronized (lock) { 314 if (spi != null) { 315 return; 316 } 317 // Android-removed: this debugging mechanism is not used in Android. 318 /* 319 if (debug != null) { 320 int w = --warnCount; 321 if (w >= 0) { 322 debug.println("KeyAgreement.init() not first method " 323 + "called, disabling delayed provider selection"); 324 if (w == 0) { 325 debug.println("Further warnings of this type will " 326 + "be suppressed"); 327 } 328 new Exception("Call trace").printStackTrace(); 329 } 330 } 331 */ 332 Exception lastException = null; 333 // Android-changed: Provider selection; loop over a new list each time. 334 for (Service s : GetInstance.getServices("KeyAgreement", algorithm)) { 335 if (JceSecurity.canUseProvider(s.getProvider()) == false) { 336 continue; 337 } 338 try { 339 Object obj = s.newInstance(null); 340 if (obj instanceof KeyAgreementSpi == false) { 341 continue; 342 } 343 spi = (KeyAgreementSpi)obj; 344 provider = s.getProvider(); 345 // Android-removed: Provider selection; loop over a new list each time. 346 /* 347 // not needed any more 348 firstService = null; 349 serviceIterator = null; 350 */ 351 return; 352 } catch (Exception e) { 353 lastException = e; 354 } 355 } 356 ProviderException e = new ProviderException 357 ("Could not construct KeyAgreementSpi instance"); 358 if (lastException != null) { 359 e.initCause(lastException); 360 } 361 throw e; 362 } 363 } 364 365 private final static int I_NO_PARAMS = 1; 366 private final static int I_PARAMS = 2; 367 implInit(KeyAgreementSpi spi, int type, Key key, AlgorithmParameterSpec params, SecureRandom random)368 private void implInit(KeyAgreementSpi spi, int type, Key key, 369 AlgorithmParameterSpec params, SecureRandom random) 370 throws InvalidKeyException, InvalidAlgorithmParameterException { 371 if (type == I_NO_PARAMS) { 372 spi.engineInit(key, random); 373 } else { // I_PARAMS 374 spi.engineInit(key, params, random); 375 } 376 } 377 chooseProvider(int initType, Key key, AlgorithmParameterSpec params, SecureRandom random)378 private void chooseProvider(int initType, Key key, 379 AlgorithmParameterSpec params, SecureRandom random) 380 throws InvalidKeyException, InvalidAlgorithmParameterException { 381 synchronized (lock) { 382 // Android-changed: Use the currently-selected provider only if no key was provided. 383 // if (spi != null) { 384 if (spi != null && key == null) { 385 implInit(spi, initType, key, params, random); 386 return; 387 } 388 Exception lastException = null; 389 // Android-changed: Provider selection; loop over a new list each time. 390 for (Service s : GetInstance.getServices("KeyAgreement", algorithm)) { 391 // if provider says it does not support this key, ignore it 392 if (s.supportsParameter(key) == false) { 393 continue; 394 } 395 if (JceSecurity.canUseProvider(s.getProvider()) == false) { 396 continue; 397 } 398 try { 399 KeyAgreementSpi spi = (KeyAgreementSpi)s.newInstance(null); 400 implInit(spi, initType, key, params, random); 401 provider = s.getProvider(); 402 this.spi = spi; 403 // Android-removed: Provider selection; loop over a new list each time. 404 /* 405 firstService = null; 406 serviceIterator = null; 407 */ 408 return; 409 } catch (Exception e) { 410 // NoSuchAlgorithmException from newInstance() 411 // InvalidKeyException from init() 412 // RuntimeException (ProviderException) from init() 413 if (lastException == null) { 414 lastException = e; 415 } 416 } 417 } 418 // no working provider found, fail 419 if (lastException instanceof InvalidKeyException) { 420 throw (InvalidKeyException)lastException; 421 } 422 if (lastException instanceof InvalidAlgorithmParameterException) { 423 throw (InvalidAlgorithmParameterException)lastException; 424 } 425 if (lastException instanceof RuntimeException) { 426 throw (RuntimeException)lastException; 427 } 428 String kName = (key != null) ? key.getClass().getName() : "(null)"; 429 throw new InvalidKeyException 430 ("No installed provider supports this key: " 431 + kName, lastException); 432 } 433 } 434 435 /** 436 * Returns the provider of this <code>KeyAgreement</code> object. 437 * 438 * @return the provider of this <code>KeyAgreement</code> object 439 */ getProvider()440 public final Provider getProvider() { 441 chooseFirstProvider(); 442 return this.provider; 443 } 444 445 /** 446 * Initializes this key agreement with the given key, which is required to 447 * contain all the algorithm parameters required for this key agreement. 448 * 449 * <p> If this key agreement requires any random bytes, it will get 450 * them using the 451 * {@link java.security.SecureRandom} 452 * implementation of the highest-priority 453 * installed provider as the source of randomness. 454 * (If none of the installed providers supply an implementation of 455 * SecureRandom, a system-provided source of randomness will be used.) 456 * 457 * @param key the party's private information. For example, in the case 458 * of the Diffie-Hellman key agreement, this would be the party's own 459 * Diffie-Hellman private key. 460 * 461 * @exception InvalidKeyException if the given key is 462 * inappropriate for this key agreement, e.g., is of the wrong type or 463 * has an incompatible algorithm type. 464 */ init(Key key)465 public final void init(Key key) throws InvalidKeyException { 466 init(key, JceSecurity.RANDOM); 467 } 468 469 /** 470 * Initializes this key agreement with the given key and source of 471 * randomness. The given key is required to contain all the algorithm 472 * parameters required for this key agreement. 473 * 474 * <p> If the key agreement algorithm requires random bytes, it gets them 475 * from the given source of randomness, <code>random</code>. 476 * However, if the underlying 477 * algorithm implementation does not require any random bytes, 478 * <code>random</code> is ignored. 479 * 480 * @param key the party's private information. For example, in the case 481 * of the Diffie-Hellman key agreement, this would be the party's own 482 * Diffie-Hellman private key. 483 * @param random the source of randomness 484 * 485 * @exception InvalidKeyException if the given key is 486 * inappropriate for this key agreement, e.g., is of the wrong type or 487 * has an incompatible algorithm type. 488 */ init(Key key, SecureRandom random)489 public final void init(Key key, SecureRandom random) 490 throws InvalidKeyException { 491 // Android-changed: Use the currently-selected provider only if no key was provided. 492 // if (spi != null) { 493 if (spi != null && (key == null || lock == null)) { 494 spi.engineInit(key, random); 495 } else { 496 try { 497 chooseProvider(I_NO_PARAMS, key, null, random); 498 } catch (InvalidAlgorithmParameterException e) { 499 // should never occur 500 throw new InvalidKeyException(e); 501 } 502 } 503 504 // Android-removed: this debugging mechanism is not used in Android. 505 /* 506 if (!skipDebug && pdebug != null) { 507 pdebug.println("KeyAgreement." + algorithm + " algorithm from: " + 508 this.provider.getName()); 509 } 510 */ 511 } 512 513 /** 514 * Initializes this key agreement with the given key and set of 515 * algorithm parameters. 516 * 517 * <p> If this key agreement requires any random bytes, it will get 518 * them using the 519 * {@link java.security.SecureRandom} 520 * implementation of the highest-priority 521 * installed provider as the source of randomness. 522 * (If none of the installed providers supply an implementation of 523 * SecureRandom, a system-provided source of randomness will be used.) 524 * 525 * @param key the party's private information. For example, in the case 526 * of the Diffie-Hellman key agreement, this would be the party's own 527 * Diffie-Hellman private key. 528 * @param params the key agreement parameters 529 * 530 * @exception InvalidKeyException if the given key is 531 * inappropriate for this key agreement, e.g., is of the wrong type or 532 * has an incompatible algorithm type. 533 * @exception InvalidAlgorithmParameterException if the given parameters 534 * are inappropriate for this key agreement. 535 */ init(Key key, AlgorithmParameterSpec params)536 public final void init(Key key, AlgorithmParameterSpec params) 537 throws InvalidKeyException, InvalidAlgorithmParameterException 538 { 539 init(key, params, JceSecurity.RANDOM); 540 } 541 542 /** 543 * Initializes this key agreement with the given key, set of 544 * algorithm parameters, and source of randomness. 545 * 546 * @param key the party's private information. For example, in the case 547 * of the Diffie-Hellman key agreement, this would be the party's own 548 * Diffie-Hellman private key. 549 * @param params the key agreement parameters 550 * @param random the source of randomness 551 * 552 * @exception InvalidKeyException if the given key is 553 * inappropriate for this key agreement, e.g., is of the wrong type or 554 * has an incompatible algorithm type. 555 * @exception InvalidAlgorithmParameterException if the given parameters 556 * are inappropriate for this key agreement. 557 */ init(Key key, AlgorithmParameterSpec params, SecureRandom random)558 public final void init(Key key, AlgorithmParameterSpec params, 559 SecureRandom random) 560 throws InvalidKeyException, InvalidAlgorithmParameterException 561 { 562 if (spi != null) { 563 spi.engineInit(key, params, random); 564 } else { 565 chooseProvider(I_PARAMS, key, params, random); 566 } 567 568 // Android-removed: this debugging mechanism is not used in Android. 569 /* 570 if (!skipDebug && pdebug != null) { 571 pdebug.println("KeyAgreement." + algorithm + " algorithm from: " + 572 this.provider.getName()); 573 } 574 */ 575 } 576 577 /** 578 * Executes the next phase of this key agreement with the given 579 * key that was received from one of the other parties involved in this key 580 * agreement. 581 * 582 * @param key the key for this phase. For example, in the case of 583 * Diffie-Hellman between 2 parties, this would be the other party's 584 * Diffie-Hellman public key. 585 * @param lastPhase flag which indicates whether or not this is the last 586 * phase of this key agreement. 587 * 588 * @return the (intermediate) key resulting from this phase, or null 589 * if this phase does not yield a key 590 * 591 * @exception InvalidKeyException if the given key is inappropriate for 592 * this phase. 593 * @exception IllegalStateException if this key agreement has not been 594 * initialized. 595 */ doPhase(Key key, boolean lastPhase)596 public final Key doPhase(Key key, boolean lastPhase) 597 throws InvalidKeyException, IllegalStateException 598 { 599 chooseFirstProvider(); 600 return spi.engineDoPhase(key, lastPhase); 601 } 602 603 /** 604 * Generates the shared secret and returns it in a new buffer. 605 * 606 * <p>This method resets this <code>KeyAgreement</code> object, so that it 607 * can be reused for further key agreements. Unless this key agreement is 608 * reinitialized with one of the <code>init</code> methods, the same 609 * private information and algorithm parameters will be used for 610 * subsequent key agreements. 611 * 612 * @return the new buffer with the shared secret 613 * 614 * @exception IllegalStateException if this key agreement has not been 615 * completed yet 616 */ generateSecret()617 public final byte[] generateSecret() throws IllegalStateException { 618 chooseFirstProvider(); 619 return spi.engineGenerateSecret(); 620 } 621 622 /** 623 * Generates the shared secret, and places it into the buffer 624 * <code>sharedSecret</code>, beginning at <code>offset</code> inclusive. 625 * 626 * <p>If the <code>sharedSecret</code> buffer is too small to hold the 627 * result, a <code>ShortBufferException</code> is thrown. 628 * In this case, this call should be repeated with a larger output buffer. 629 * 630 * <p>This method resets this <code>KeyAgreement</code> object, so that it 631 * can be reused for further key agreements. Unless this key agreement is 632 * reinitialized with one of the <code>init</code> methods, the same 633 * private information and algorithm parameters will be used for 634 * subsequent key agreements. 635 * 636 * @param sharedSecret the buffer for the shared secret 637 * @param offset the offset in <code>sharedSecret</code> where the 638 * shared secret will be stored 639 * 640 * @return the number of bytes placed into <code>sharedSecret</code> 641 * 642 * @exception IllegalStateException if this key agreement has not been 643 * completed yet 644 * @exception ShortBufferException if the given output buffer is too small 645 * to hold the secret 646 */ generateSecret(byte[] sharedSecret, int offset)647 public final int generateSecret(byte[] sharedSecret, int offset) 648 throws IllegalStateException, ShortBufferException 649 { 650 chooseFirstProvider(); 651 return spi.engineGenerateSecret(sharedSecret, offset); 652 } 653 654 /** 655 * Creates the shared secret and returns it as a <code>SecretKey</code> 656 * object of the specified algorithm. 657 * 658 * <p>This method resets this <code>KeyAgreement</code> object, so that it 659 * can be reused for further key agreements. Unless this key agreement is 660 * reinitialized with one of the <code>init</code> methods, the same 661 * private information and algorithm parameters will be used for 662 * subsequent key agreements. 663 * 664 * @param algorithm the requested secret-key algorithm 665 * 666 * @return the shared secret key 667 * 668 * @exception IllegalStateException if this key agreement has not been 669 * completed yet 670 * @exception NoSuchAlgorithmException if the specified secret-key 671 * algorithm is not available 672 * @exception InvalidKeyException if the shared secret-key material cannot 673 * be used to generate a secret key of the specified algorithm (e.g., 674 * the key material is too short) 675 */ generateSecret(String algorithm)676 public final SecretKey generateSecret(String algorithm) 677 throws IllegalStateException, NoSuchAlgorithmException, 678 InvalidKeyException 679 { 680 chooseFirstProvider(); 681 return spi.engineGenerateSecret(algorithm); 682 } 683 } 684