com.muquit.libsodiumjna

Class SodiumLibrary

java.lang.Object

com.muquit.libsodiumjna.SodiumLibrary

public class SodiumLibrary
extends java.lang.Object

SodiumLibrary is a Java binding to libsodium crypto C APIs using Java Native Access. All the methods are static methods. Most methods throw SodiumLibraryException at run time in case of errors.

Please look at libsodium-jna Homepage for instructions on how to get started.

See Also:

Native libsodium documentation libsodium-jna Homepage

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	SodiumLibrary.Sodium Declare all the supported libsodium C functions in this interface and implement them in this class as static methods.

Method Summary

Modifier and Type	Method and Description
static byte[]	cryptoAuth(byte[] message, byte[] key) Computes an authentication tag for a message with a secret key.
static boolean	cryptoAuthVerify(byte[] mac, byte[] message, byte[] key) Verify message authentication code with the secret key
static byte[]	cryptoBoxEasy(byte[] message, byte[] nonce, byte[] publicKey, byte[] privateKey) Encrypts a message with recipient's public key.
static SodiumKeyPair	cryptoBoxKeyPair() Randomly generates a private key and the corresponding public key
static NativeLong	cryptoBoxMacBytes()
static NativeLong	cryptoBoxNonceBytes()
static byte[]	cryptoBoxOpenEasy(byte[] cipherText, byte[] nonce, byte[] publicKey, byte[] privateKey) Recipient decrypts a message with his private key.
static byte[]	cryptoBoxSeal(byte[] message, byte[] recipientPublicKey) Encrypts a message with recipient's public key.
static NativeLong	cryptoBoxSealBytes()
static byte[]	cryptoBoxSealOpen(byte[] cipherText, byte[] pk, byte[] sk) Decrypts a ciphertext using recipient's key pair.
static byte[]	cryptoGenerichash(byte[] input, int length)
static int	cryptoNumberSaltBytes()
static byte[]	cryptoPublicKey(byte[] privateKey) Given a private key, generate the corresponding public key
static byte[]	cryptoPwhash(byte[] passwd, byte[] salt, long opsLimit, NativeLong memLimit, int algorithm)
static int	cryptoPwhashAlgArgon2i13()
static int	cryptoPwhashAlgArgon2id13()
static int	cryptoPwhashAlgDefault()
static byte[]	cryptoPwhashArgon2i(byte[] passwd, byte[] salt) Derive a key using Argon2id password hashing scheme
static NativeLong	cryptoPwHashMemLimitInterative()
static long	cryptoPwHashOpsLimitInteractive()
static int	cryptoPwhashSaltBytes()
static byte[]	cryptoPwhashScrypt(byte[] passwd, byte[] salt) Derive key from a password using scrypt.
static byte[]	cryptoPwhashScryptSalsa208Sha256(byte[] passwd, byte[] salt, java.lang.Long opsLimit, NativeLong memLimit)
static NativeLong	cryptoPwHashScryptSalsa208Sha256SaltBytes()
static java.lang.String	cryptoPwhashStr(byte[] password) Returns a US-ASCII encoded key derived from the password.
static boolean	cryptoPwhashStrVerify(java.lang.String usAsciiKey, byte[] password) Verify a US-ASCII encoded key derived previously by calling cryptoPwhashStr(byte[])
static SodiumSecretBox	cryptoSecretBoxDetached(byte[] message, byte[] nonce, byte[] key) Encrypts a message with a key and a nonce to keep it confidential - detached mode.
static byte[]	cryptoSecretBoxEasy(byte[] message, byte[] nonce, byte[] key) Encrypts a message with a key and a nonce to keep it confidential.
static NativeLong	cryptoSecretBoxKeyBytes()
static NativeLong	cryptoSecretBoxMacBytes()
static NativeLong	cryptoSecretBoxNonceBytes()
static byte[]	cryptoSecretBoxOpenDetached(SodiumSecretBox secretBox, byte[] nonce, byte[] key) Verifies and decrypts a ciphertext - detached mode
static byte[]	cryptoSecretBoxOpenEasy(byte[] cipherText, byte[] nonce, byte[] key) Verifies and decrypts a ciphertext.
static byte[]	cryptoSign(byte[] m, byte[] sk)
static byte[]	cryptoSignDetached(byte[] msg, byte[] sk)
static byte[]	cryptoSignEdPkTOcurvePk(byte[] edPK)
static byte[]	cryptoSignEdSkTOcurveSk(byte[] edSK)
static SodiumKeyPair	cryptoSignKeyPair()
static byte[]	cryptoSignOpen(byte[] sig, byte[] pk)
static boolean	cryptoSignVerifyDetached(byte[] sig, byte[] msg, byte[] pk)
static NativeLong	crytoBoxPublicKeyBytes()
static NativeLong	crytoBoxSecretKeyBytes()
static NativeLong	crytoBoxSeedBytes()
static byte[]	deriveKey(byte[] passwd, byte[] salt) A helper function to call cryptoPwhashArgon2i()
static java.lang.String	getLibaryPath()
static java.lang.String	libsodiumVersionString()
static void	log(java.lang.String msg)
static byte[]	randomBytes(int size) Return unpredictable sequence of bytes.
static void	setLibraryPath(java.lang.String libraryPath) Set the absolute path of the libsodium shared library/DLL.
static SodiumLibrary.Sodium	sodium()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

log

public static void log(java.lang.String msg)

setLibraryPath

public static void setLibraryPath(java.lang.String libraryPath)

Set the absolute path of the libsodium shared library/DLL.

This method must be called before calling any methods in libsodium-jna. Although JNA supports loading a shared library from path, libsodium-jna requires specifying the absolute path to make sure that the exact library is being loaded. For example, in Linux, it might be /usr/local/lib/libsodium.so, in Windows, it might be c:/libs/libsodium.dll, in MacOS, it might be /usr/local/lib/libsodium.dylib etc. The point is there is no ambiguity, I want to load the library I want, not one from somewhere in the path.

Parameters:

libraryPath - The absolute path of the libsodium library.

Example

 
 private static String libraryPath = null;

 if (Platform.isMac())
 {
     // MacOS
     libraryPath = "/usr/local/lib/libsodium.dylib";
     libraryPath = libraryPath;
     logger.info("Library path in Mac: " + libraryPath);
 }
 else if (Platform.isWindows())
 {
     // Windows
     libraryPath = "C:/libsodium/libsodium.dll";
     logger.info("Library path in Windows: " + libraryPath);
 }
 else
 {
     // Linux
     libraryPath = "/usr/local/lib/libsodium.so";
     logger.info("Library path: " + libraryPath);
 }
 
 logger.info("loading libsodium...");
 SodiumLibrary.setLibraryPath(libraryPath);
 // To check the native library is actually loaded, print the version of 
 // native sodium library
 String v = SodiumLibrary.libsodiumVersionString();
 logger.info("libsodium version: " + v);
 
 

getLibaryPath

public static java.lang.String getLibaryPath()

Returns:

path of library set by SodiumLibary.setLibraryPath()

sodium

public static SodiumLibrary.Sodium sodium()

Returns:

The singleton Sodium object. The singleton pattern is adapted from kalium java library. Other than that, this library does not use any code from kalium.

Although libsodium seems to be thread safe now, the code is written sometime back and I don't have plan to remove it at this time.

Throws:

java.lang.RuntimeException - at run time if the libsodium library path is not set by calling setLibraryPath(String)

cryptoSignOpen

public static byte[] cryptoSignOpen(byte[] sig,
                                    byte[] pk)
                             throws SodiumLibraryException

Throws:

SodiumLibraryException

cryptoSign

public static byte[] cryptoSign(byte[] m,
                                byte[] sk)
                         throws SodiumLibraryException

Throws:

SodiumLibraryException

cryptoSignVerifyDetached

public static boolean cryptoSignVerifyDetached(byte[] sig,
                                               byte[] msg,
                                               byte[] pk)
                                        throws SodiumLibraryException

Throws:

SodiumLibraryException

cryptoSignDetached

public static byte[] cryptoSignDetached(byte[] msg,
                                        byte[] sk)
                                 throws SodiumLibraryException

Throws:

SodiumLibraryException

cryptoSignKeyPair

public static SodiumKeyPair cryptoSignKeyPair()
                                       throws SodiumLibraryException

Throws:

SodiumLibraryException

cryptoGenerichash

public static byte[] cryptoGenerichash(byte[] input,
                                       int length)
                                throws SodiumLibraryException

Throws:

SodiumLibraryException

cryptoSignEdSkTOcurveSk

public static byte[] cryptoSignEdSkTOcurveSk(byte[] edSK)
                                      throws SodiumLibraryException

Throws:

SodiumLibraryException

cryptoSignEdPkTOcurvePk

public static byte[] cryptoSignEdPkTOcurvePk(byte[] edPK)
                                      throws SodiumLibraryException

Throws:

SodiumLibraryException

libsodiumVersionString

public static java.lang.String libsodiumVersionString()

Returns:

version string of libsodium

randomBytes

public static byte[] randomBytes(int size)

Return unpredictable sequence of bytes. Excerpt from libsodium documentation:

• On Windows systems, the RtlGenRandom() function is used
• On OpenBSD and Bitrig, the arc4random() function is used
• On recent Linux kernels, the getrandom system call is used (since Sodium 1.0.3)
• On other Unices, the /dev/urandom device is used
• If none of these options can safely be used, custom implementations can easily be hooked.

Parameters:

size - Number of random bytes to generate

Returns:

Array of random bytes

See Also:

Generating random data in libsodium page

Example

 
 // generate 16 bytes of random data
 byte[] randomBytes = SodiumLibrary.randomBytes(16);
 String hex = SodiumUtils.binary2Hex(salt);
 
 // generate libsodium's standard number of salt bytes
 int n = SodiumLibrary.cryptoNumberSaltBytes();
 logger.info("Generate " + n + " random bytes");
 
 byte[] salt = SodiumLibrary.randomBytes(n);
 logger.info("Generated " + salt.length + " random bytes");
 String hex = SodiumUtils.binary2Hex(salt);
 logger.info("Random bytes: " + hex);
 
 

cryptoPwhash

public static byte[] cryptoPwhash(byte[] passwd,
                                  byte[] salt,
                                  long opsLimit,
                                  NativeLong memLimit,
                                  int algorithm)
                           throws SodiumLibraryException

Throws:

SodiumLibraryException

cryptoPwhashArgon2i

public static byte[] cryptoPwhashArgon2i(byte[] passwd,
                                         byte[] salt)
                                  throws SodiumLibraryException

Derive a key using Argon2id password hashing scheme

The following is taken from libsodium documentation:

Argon2 is optimized for the x86 architecture and exploits the cache and memory organization of the recent Intel and AMD processors. But its implementation remains portable and fast on other architectures. Argon2 has three variants: Argon2d, Argon2i and Argon2id. Argon2i uses data-independent memory access, which is preferred for password hashing and password-based key derivation. Argon2i also makes multiple passes over the memory to protect from tradeoff attacks. Argon2id combines both.

Parameters:

passwd - Array of bytes of password

salt - Salt to use in key generation. The salt should be unpredictable and can be generated by calling SodiumLibary.randomBytes(int) The salt should be saved by the caller as it will be needed to derive the key again from the password.

Returns:

Generated key as an array of bytes

Throws:

SodiumLibraryException - if libsodium's crypto_pwhash() does not return 0 crypto_pwhash() in Password hashing libsodium page. Argon2i v1.3 Algorithm.

Example

 
 String password = "This is a Secret";
 salt = SodiumLibary.randomBytes(sodium().crypto_pwhash_saltbytes());
 byte[] key = SodiumLibary.cryptoPwhashArgon2i(password.getBytes(),salt);
 String keyHex = SodiumUtils.bin2hex(key);
     

deriveKey

public static byte[] deriveKey(byte[] passwd,
                               byte[] salt)
                        throws SodiumLibraryException

A helper function to call cryptoPwhashArgon2i()

Parameters:

passwd - Password bytes

salt - Salt bytes

Returns:

key bytes

Throws:

SodiumLibraryException - on error

cryptoPwhashStr

public static java.lang.String cryptoPwhashStr(byte[] password)
                                        throws SodiumLibraryException

Returns a US-ASCII encoded key derived from the password. The key can be stored for verification. Memory-hard, CPU-intensive hash function is applied to the password in key generation process. Automatically generated salt is used in the key generation Uses opslimit as crypto_pwhash_opslimit_interactive() and memlimit as crypto_pwhash_memlimit_interactive()

Parameters:

password - The password

Returns:

derived key as US-ASCII encoded string

Example

 
  String password = new String("বাংলা");
  // convert to UTF-8 encoded bytes
  byte[] passwordBytes = password.getBytes(StandardCharsets.UTF_8); // requires jdk 1.7+
  String key = SodiumLibrary.cryptoPwhashStr(passwordBytes);
 
 

Throws:

SodiumLibraryException - on error

cryptoPwhashStrVerify

public static boolean cryptoPwhashStrVerify(java.lang.String usAsciiKey,
                                            byte[] password)

Verify a US-ASCII encoded key derived previously by calling cryptoPwhashStr(byte[])

Parameters:

usAsciiKey - US-ASCII encoded key to verify

password - The password

Returns:

true if the key can be verified, false otherwise

Example

  
  String password = new String("বাংলা");
 // convert to UTF-8 encoded bytes
 byte[] passwordBytes = password.getBytes(StandardCharsets.UTF_8); // requires jdk 1.7+
 String key = SodiumLibrary.cryptoPwhashStr(passwordBytes);
 // verify the password
 boolean rc = SodiumLibrary.cryptoPwhashStrVerify(key, passwordBytes);
 if (rc)
 {
   logger.info("Password is verified");
 }
  
  

cryptoPwhashScrypt

public static byte[] cryptoPwhashScrypt(byte[] passwd,
                                        byte[] salt)
                                 throws SodiumLibraryException

Derive key from a password using scrypt.

Excerpt from libsodium documentation:

Scrypt was also designed to make it costly to perform large-scale custom hardware attacks by requiring large amounts of memory.

Even though its memory hardness can be significantly reduced at the cost of extra computations, this function remains an excellent choice today, provided that its parameters are properly chosen.

Scrypt is available in libsodium since version 0.5.0, which makes it a better choice than Argon2 if compatibility with older libsodium versions is a concern.

Parameters:

passwd - Array of bytes of password

salt - Salt to use in key generation. The salt should be unpredictable and can be generated by calling randomBytes(int) The salt should be saved by the caller as it will be needed to derive the key again from the password.

Returns:

key as an array of bytes

Throws:

SodiumLibraryException - on error

See Also:

Password hashing

cryptoPwhashScryptSalsa208Sha256

public static byte[] cryptoPwhashScryptSalsa208Sha256(byte[] passwd,
                                                      byte[] salt,
                                                      java.lang.Long opsLimit,
                                                      NativeLong memLimit)
                                               throws SodiumLibraryException

Throws:

SodiumLibraryException

cryptoSecretBoxEasy

public static byte[] cryptoSecretBoxEasy(byte[] message,
                                         byte[] nonce,
                                         byte[] key)
                                  throws SodiumLibraryException

Encrypts a message with a key and a nonce to keep it confidential. The same key is used to encrypt and decrypt the messages. Therefore, the key must be kept confidential.

Parameters:

message - message bytes to encrypt

nonce - nonce bytes. The nonce must be cryptoBoxNonceBytes() bytes long and can be generated by calling randomBytes(int)

key - They key for encryption

Returns:

Encrypted cipher text bytes

Throws:

SodiumLibraryException - on error

See Also:

Secret-key authenticated encryption

cryptoSecretBoxOpenEasy

public static byte[] cryptoSecretBoxOpenEasy(byte[] cipherText,
                                             byte[] nonce,
                                             byte[] key)
                                      throws SodiumLibraryException

Verifies and decrypts a ciphertext. The ciphertext is created by cryptoSecretBoxEasy(byte[] message, byte[] nonce, byte[] key)

Parameters:

cipherText - The ciphertext to decrypt

nonce - The nonce used during encryption

key - The key used in encryption

Returns:

decrypted plaintext bytes

Throws:

SodiumLibraryException - - if nonce size is incorrect or decryption fails

See Also:

Secret-key authenticated encryption

Example

 
 // don't forget to load the libsodium library first
 String message = "This is a message";
 
 // generate nonce
 long nonceBytesLength = SodiumLibrary.cryptoSecretBoxNonceBytes();
 byte[] nonceBytes = SodiumLibrary.randomBytes((int) nonceBytesLength);
 byte[] messageBytes = message.getBytes();

 // generate the encryption key
 byte[] key = SodiumLibrary.randomBytes((int) SodiumLibrary.cryptoSecretBoxKeyBytes());
 
 // encrypt
 byte[] cipherText = SodiumLibrary.cryptoSecretBoxEasy(messageBytes, nonceBytes, key);

 // now decrypt
 byte[] decryptedMessageBytes = SodiumLibrary.cryptoSecretBoxOpenEasy(cipherText, nonceBytes, key);
 String decryptedMessage;
 try
 {
    decryptedMessage = new String(decryptedMessageBytes, "UTF-8");
    System.out.println("Decrypted message: " + decryptedMessageBytes);
 } catch (UnsupportedEncodingException e)
 {
    e.printStackTrace();
 }
 
 

cryptoSecretBoxDetached

public static SodiumSecretBox cryptoSecretBoxDetached(byte[] message,
                                                      byte[] nonce,
                                                      byte[] key)
                                               throws SodiumLibraryException

Encrypts a message with a key and a nonce to keep it confidential - detached mode.

Parameters:

message - The message bytes to encrypt

nonce - The nonce to use in encryption

key - The key to encrypt

Returns:

SodiumSecretBox

Throws:

SodiumLibraryException - on error

See Also:

Secret-key authenticated encryption

cryptoSecretBoxOpenDetached

public static byte[] cryptoSecretBoxOpenDetached(SodiumSecretBox secretBox,
                                                 byte[] nonce,
                                                 byte[] key)
                                          throws SodiumLibraryException

Verifies and decrypts a ciphertext - detached mode

Parameters:

secretBox - SodiumSecretBox used during encryption

nonce - Nonce used in encryption

key - The key used in encryption

Returns:

decrypted plaintext bytes

Throws:

SodiumLibraryException - on error

See Also:

Secret-key authenticated encryption

cryptoAuth

public static byte[] cryptoAuth(byte[] message,
                                byte[] key)
                         throws SodiumLibraryException

Computes an authentication tag for a message with a secret key. The operation does not encrypt the message. Usage: Alice prepares a message and the authentication tag and send it to Bob. Alice does not store the message. Later Bob sends the message and the authentication tag to Alice. Alice calls cryptoAuthVerify(byte[] mac, byte[] message, byte[] key) verify that the message is created by her.

Parameters:

message - Computes the tag for this message bytes

key - The secret key. The key size must be crypto_auth_keybytes() long

Returns:

Authentication tag bytes

Throws:

SodiumLibraryException - on error

See Also:

Secret-key authentication

cryptoAuthVerify

public static boolean cryptoAuthVerify(byte[] mac,
                                       byte[] message,
                                       byte[] key)
                                throws SodiumLibraryException

Verify message authentication code with the secret key

Parameters:

mac - Message authentication code

message - The message

key - The secret key used to create the authentication code

Returns:

true or false

Throws:

SodiumLibraryException - on error

See Also:

Secret-key authentication

cryptoBoxKeyPair

public static SodiumKeyPair cryptoBoxKeyPair()
                                      throws SodiumLibraryException

Randomly generates a private key and the corresponding public key

Returns:

SodiumKeyPair

Throws:

SodiumLibraryException - on error

See Also:

Public-key authenticated encryption

cryptoPublicKey

public static byte[] cryptoPublicKey(byte[] privateKey)
                              throws SodiumLibraryException

Given a private key, generate the corresponding public key

Parameters:

privateKey - The private key

Returns:

public key bytes

Throws:

SodiumLibraryException - on error

cryptoBoxNonceBytes

public static NativeLong cryptoBoxNonceBytes()

crytoBoxSeedBytes

public static NativeLong crytoBoxSeedBytes()

crytoBoxPublicKeyBytes

public static NativeLong crytoBoxPublicKeyBytes()

crytoBoxSecretKeyBytes

public static NativeLong crytoBoxSecretKeyBytes()

cryptoBoxMacBytes

public static NativeLong cryptoBoxMacBytes()

cryptoBoxSealBytes

public static NativeLong cryptoBoxSealBytes()

cryptoSecretBoxKeyBytes

public static NativeLong cryptoSecretBoxKeyBytes()

cryptoSecretBoxNonceBytes

public static NativeLong cryptoSecretBoxNonceBytes()

cryptoSecretBoxMacBytes

public static NativeLong cryptoSecretBoxMacBytes()

cryptoNumberSaltBytes

public static int cryptoNumberSaltBytes()

cryptoPwhashAlgArgon2i13

public static int cryptoPwhashAlgArgon2i13()

cryptoPwhashAlgArgon2id13

public static int cryptoPwhashAlgArgon2id13()

cryptoPwhashAlgDefault

public static int cryptoPwhashAlgDefault()

cryptoPwhashSaltBytes

public static int cryptoPwhashSaltBytes()

cryptoPwHashOpsLimitInteractive

public static long cryptoPwHashOpsLimitInteractive()

cryptoPwHashMemLimitInterative

public static NativeLong cryptoPwHashMemLimitInterative()

cryptoPwHashScryptSalsa208Sha256SaltBytes

public static NativeLong cryptoPwHashScryptSalsa208Sha256SaltBytes()

cryptoBoxEasy

public static byte[] cryptoBoxEasy(byte[] message,
                                   byte[] nonce,
                                   byte[] publicKey,
                                   byte[] privateKey)
                            throws SodiumLibraryException

Encrypts a message with recipient's public key. Usage: Alice encrypts a message with Bob's public key and creates authentication tag with her private key

Parameters:

message - The message to encrypt

nonce - cryptoBoxNonceBytes() bytes of nonce. It must be preserved because it will be needed during decryption

publicKey - Recipient's public key for encrypting the message

privateKey - Sender's private key for creating authentication tag

Returns:

encrypted message as an array of bytes

Throws:

SodiumLibraryException - on error

cryptoBoxOpenEasy

public static byte[] cryptoBoxOpenEasy(byte[] cipherText,
                                       byte[] nonce,
                                       byte[] publicKey,
                                       byte[] privateKey)
                                throws SodiumLibraryException

Recipient decrypts a message with his private key. Usage: Bob (recipient) verifies the message with Alice's (sender) public key and decrypts the message with his private key.

Parameters:

cipherText - Message to decrypt

nonce - Nonce used during encryption

publicKey - Sender's (Alice) public key for verifying the message

privateKey - Recipient's (Bob) Private key to decrypt the message

Returns:

Decrypted message as an array of bytes.

Throws:

SodiumLibraryException - on error

cryptoBoxSeal

public static byte[] cryptoBoxSeal(byte[] message,
                                   byte[] recipientPublicKey)
                            throws SodiumLibraryException

Encrypts a message with recipient's public key. Usage: Alice can anonymously send a message to Bob by encrypting the message with his public key.

Parameters:

message - The message bytes to encrypt

recipientPublicKey - Recipient's public key

Returns:

Encrypted message bytes. The length of the cipher text will be cryptoBoxSealBytes() + message.length

Throws:

SodiumLibraryException - on error

See Also:

Sealed boxes

cryptoBoxSealOpen

public static byte[] cryptoBoxSealOpen(byte[] cipherText,
                                       byte[] pk,
                                       byte[] sk)
                                throws SodiumLibraryException

Decrypts a ciphertext using recipient's key pair. Only the recipient can decrypt the message with his private key but the recipient can not identify the sender.

Parameters:

cipherText - Ciphertext to decrypt

pk - Recipient's public key

sk - Recipient's private Key

Returns:

Decrypted plaintext bytes.

Throws:

SodiumLibraryException - on error

SodiumLibraryException - on error

See Also:

Sealed boxes