Providers¶
At the current moment, the following providers are available out of the box:
- JDK - via JDK built-in JCA
- WebCrypto - via WebCrypto
- Apple - via CommonCrypto
- CryptoKit - via CryptoKit
- OpenSSL3 - via OpenSSL 3.x, statically linked to prebuilt OpenSSL 3.3.2 or dynamically linked (experimental)
Optimal provider¶
While the library is overall multiplatform and all algorithm/operation interfaces are available on all targets,
support for a specific algorithm for a specific target depends on the used provider.
Still, most of the popular algorithms are supported by providers, with minimal dependencies.
That’s why a library provides a specific dependency called optimal provider: it doesn’t implement any new algorithms, but allows to use it
as a single dependency with best-fit preconfigured providers per target:
- js, wasmJs: WebCrypto provider will be used
- jvm: JDK provider with an ability to use custom security providers like BouncyCastle
- ios, macos, watchos, tvos: CryptoKit provider with the fallback to Apple
- linux, mingw, androidNative: OpenSSL3 provider will be used
To use optimal provider just add the following dependency for any target/platform/source-set:
dependencies {
implementation("dev.whyoleg.cryptography:cryptography-provider-optimal:0.5.0")
}
Supported primitives¶
Below there are several tables that show what is supported and what is not (I know that it’s not the easiest thing to understand… But we have what we have).
For additional limitation please consult provider specific documentation.
Supported targets per provider¶
| Target | jdk | webcrypto | apple | cryptokit | openssl3 |
|---|---|---|---|---|---|
| jvm | ✅ | ➖ | ➖ | ➖ | ❌ |
| js | ➖ | ✅ | ➖ | ➖ | ❌ |
| wasmJs | ➖ | ✅ | ➖ | ➖ | ❌ |
| wasmWasi | ➖ | ➖ | ➖ | ➖ | ❌ |
| iosX64 iosSimulatorArm64 iosArm64 |
➖ | ➖ | ✅ | ✅ | ✅ prebuilt only |
| watchosX64 watchosArm32 watchosArm64 watchosSimulatorArm64 watchosDeviceArm64 |
➖ | ➖ | ✅ | ✅ (except watchosArm32) |
✅ prebuilt only |
| tvosX64 tvosArm64 tvosSimulatorArm64 |
➖ | ➖ | ✅ | ✅ | ✅ prebuilt only |
| macosX64 macosArm64 |
➖ | ➖ | ✅ | ✅ | ✅ |
| linuxX64 linuxArm64 |
➖ | ➖ | ➖ | ➖ | ✅ |
| mingwX64 | ➖ | ➖ | ➖ | ➖ | ✅ |
| androidNativeX64 androidNativeX86 androidNativeArm64 androidNativeArm32 |
➖ | ➖ | ➖ | ➖ | ✅ prebuilt only |
✅ : supported
➖ : not applicable
❌ : not supported (yet?)
Supported algorithms per provider¶
supportedhere means that those algorithms are tested and works at least in some configuration (f.e. different Java versions or Java providers can have different algorithms supported)
| Operation | Algorithm | jdk | webcrypto | apple | cryptokit | openssl3 |
|---|---|---|---|---|---|---|
| Digest | ⚠️ MD5 | ✅ | ❌ | ✅ | ✅ | ✅ |
| ⚠️ SHA1 | ✅ | ✅ | ✅ | ✅ | ✅ | |
| SHA224 | ✅ | ❌ | ✅ | ❌ | ✅ | |
| SHA256 | ✅ | ✅ | ✅ | ✅ | ✅ | |
| SHA384 | ✅ | ✅ | ✅ | ✅ | ✅ | |
| SHA512 | ✅ | ✅ | ✅ | ✅ | ✅ | |
| SHA3 family | ✅ | ❌ | ❌ | ❌ | ✅ | |
| ⚠️ RIPEMD160 | ✅ | ❌ | ❌ | ❌ | ✅ | |
| MAC | HMAC | ✅ | ✅ | ✅ | ✅ | ✅ |
| CMAC | ✅ | ❌ | ❌ | ❌ | ✅ | |
| Symmetric-key encryption/decryption |
AES-CBC | ✅ | ✅ | ✅ | ❌ | ✅ |
| AES-CTR | ✅ | ✅ | ✅ | ❌ | ✅ | |
| AES-GCM | ✅ | ✅ | ❌ | ✅ | ✅ | |
| ⚠️ AES-ECB | ✅ | ❌ | ✅ | ❌ | ✅ | |
| Public-key encryption/decryption |
RSA-OAEP | ✅ | ✅ | ✅ | ❌ | ✅ |
| ⚠️ RSA-PKS1-v1_5 | ✅ | ❌ | ✅ | ❌ | ✅ | |
| ⚠️ RSA-RAW | ✅ | ❌ | ✅ | ❌ | ✅ | |
| Digital Signatures | ECDSA | ✅ | ✅ | ✅ | ✅ | ✅ |
| RSA-SSA-PSS | ✅ | ✅ | ✅ | ❌ | ✅ | |
| RSA-PKS1-v1_5 | ✅ | ✅ | ✅ | ❌ | ✅ | |
| Key Agreement | ECDH | ✅ | ✅ | ❌ | ✅ | ✅ |
| PRF/KDF | PBKDF2 | ✅ | ✅ | ✅ | ❌ | ✅ |
| HKDF | ✅ | ✅ | ✅ | ✅ | ✅ |
⚠️ : use carefully
✅ : supported
❌ : not supported (yet?)