All Classes and Interfaces
Class
Description
InputStream that transforms data in fixed-size chunks with optional
finalization.
Convenience base class for concrete
CryptoAlgorithm implementations.Abstract EdDSA Key-Pair Builder
Abstract EdDSA Encoded Private Key Builder
Abstract EdDSA Encoded Public Key Builder
An abstract base class for exportable data content, providing default
implementations for managing input data and export mode.
Passthrough
InputStream that forwards body bytes and optionally emits
a trailer at EOF.A reusable streaming signature builder that signs or verifies data as it
flows through an
InputStream.Operating mode for the builder.
AES algorithm registration and capability wiring.
Streaming AES cipher context for GCM / CBC / CTR.
Fluent builder that exposes AES as a
DataContent in pull‑mode.Minimal AES header codec that persists runtime parameters only:
Key generation parameters for AES.
Specification for importing an existing AES key.
Static configuration for AES encryption and decryption.
Builder for
AesSpec.AES block modes supported by this implementation.
Padding schemes for CBC mode.
Context for performing key agreement protocols using a private key and a
peer's public key.
High-level classification of cryptographic algorithms.
Marker interface for algorithm-specific key specifications.
Factory interface for constructing asymmetric key pairs and importing
public/private keys from specifications.
Lightweight dynamic proxy that audits crypto contexts without changing their
behavior.
Listener for structured audit events emitted by audited crypto contexts.
A streaming
InputStream that encodes binary input data into Base64
format with optional line prefixes and suffixes for each encoded line.Integration of BIKE (Bit Flipping Key Encapsulation) algorithm
BIKE Key Encapsulation Mechanism context
Specification for BIKE key generation
Available BIKE parameter sets.
Specification for a BIKE private key
Specification for a BIKE public key
Describes block sizing rules for RSA encryption and decryption.
Provides initialization support for the Bouncy Castle cryptographic provider.
Verification strategy for comparing two byte arrays in constant time.
Immutable descriptor of an algorithm capability.
Helper routines for catalog selection by family and roles.
ChaCha20-Poly1305 (AEAD) algorithm
ChaCha20-Poly1305 streaming header codec
ChaCha20-Poly1305 algorithm specification
Fluent builder for
ChaCha20Poly1305Spec.ChaCha20 (stream) algorithm
ChaCha base specification marker
ChaCha20 cipher context (stream)
ChaChaDataContentBuilder builds streaming ChaCha20 and ChaCha20-Poly1305
pipelines that encrypt or decrypt as an
InputStream is
consumed.ChaCha20 streaming header codec
ChaCha20 key generation specification
ChaCha20 key import specification
ChaCha20 stream cipher specification
Fluent builder for
ChaChaSpec.Builder for chunk-transforming
InputStreams backed by a
Cipher.Configures
java.util.logging (JUL) from a jul.properties
resource on the classpath.Classic McEliece (CMCE) algorithm adapter
Classic McEliece (CMCE) KEM context
CMCE key generation specification
Enumeration of supported CMCE parameter set variants.
Classic McEliece (CMCE) private key specification
Classic McEliece (CMCE) public key specification
General-purpose bidirectional codec between a domain type
T and a
serialized representation R.Base class for EdDSA signature contexts that adapts a JCA
Signature
for streaming sign and verify.A compact single-line
Formatter for JUL log
records.Shared typed keys for ephemeral cryptographic parameters.
Optional service-provider interface for cryptographic primitives that need to
share or persist per-session parameters using a
CtxInterface.Factory interface to construct a
CryptoContext from a key and an
optional specification.Marker interface for per-operation parameters.
Abstract base class for all cryptographic algorithm definitions in ZeroEcho.
Immutable descriptor for an asymmetric builder registered with this
algorithm.
Immutable descriptor for a symmetric key builder registered with this
algorithm.
Static façade and registry for
CryptoAlgorithm providers.Declares how auditing is applied to cryptographic contexts.
Immutable snapshot of discovered
CryptoAlgorithm implementations,
with utilities to validate and serialize the catalog.Common interface for all cryptographic operation contexts.
A strategy interface for validating cryptographic keys, usages, and
specifications before contexts are created.
Represents a generic unit of data content.
A builder interface for constructing instances of
DataContent.A builder interface for constructing a chain of
DataContent
components, where each content unit passes its output as the input to the
next one.Default implementation of
DataContentChainBuilder.Defines a contract for objects that can provide a concise, human-readable
description.
Diffie-Hellman algorithm registration for use in the pluggable cryptography
catalog.
DH key pair builder
Key specification for a Diffie-Hellman private key encoded in PKCS#8 format.
Key specification for a Diffie-Hellman public key encoded in X.509 format.
Diffie-Hellman parameter specification
Context for computing unkeyed message digests and extendable-output functions
(XOFs) in streaming pipelines.
DigestDataContentBuilder constructs streaming pipelines that compute message
digests while reading an InputStream.
Digest parameters for SHA-2, SHA-3, and SHAKE
Enumeration of supported digest algorithms.
Declares a human-friendly display name for a class, specification, or
capability.
Elliptic Curve Diffie-Hellman (ECDH) Algorithm
Standardized ECDH Curve Specifications
ECDH Key Pair Generator
Elliptic Curve Digital Signature Algorithm (ECDSA)
ECDSA Curve Specifications
EcdsaDataContentBuilder configures and builds streaming ECDSA signature
pipelines over an InputStream.
ECDSA Key Pair Generator
ECDSA Private Key Builder
ECDSA Private Key Specification
ECDSA Public Key Builder
ECDSA Public Key Specification
Ed25519 Digital Signature Algorithm
Ed25519DataContentBuilder builds streaming Ed25519 signature pipelines that
sign or verify as an InputStream is consumed.
Key-pair builder for Ed25519
Specification for Ed25519 key-pair generation
Private key builder for Ed25519
Specification for Ed25519 private keys
Public key builder for Ed25519
Specification for Ed25519 public keys
Signature context for Ed25519 with a fixed 64-byte tag length.
Ed448 Digital Signature Algorithm
Builder for constructing streaming Ed448 signature and verification
DataContent pipelines.Ed448 Key-Pair Builder
Ed448 Key Generation Specification
Ed448 Private Key Builder
Ed448 Private Key Specification
Ed448 Public Key Builder
Ed448 Public Key Specification
Signature context for Ed448 with a fixed 114-byte tag length.
ElGamal Asymmetric Encryption Algorithm
Streaming ElGamal cipher context that adapts an upstream stream into an
encrypted or decrypted stream.
ElgamalEncDataContentBuilder builds streaming ElGamal encryption or
decryption pipelines that operate as an InputStream is consumed.
ElGamal Encryption Parameters
Supported padding modes for ElGamal encryption.
ElGamal Key Generation Specification
ElGamal Parameter Specification
ElGamal Private Key Specification
ElGamal Public Key Specification
Opener that recognizes "CTX-ENC:<algId>" entries and attempts CEK
recovery using an
EncryptionContext in DECRYPT role.Recipient implementation that delegates content-encryption key (CEK) wrapping
to a provided
EncryptionContext.Represents encrypted content, which is the result of an encryption process
and can be safely deployed to a public space without security concerns.
Context for performing encryption or decryption in streaming pipelines.
An extension of
DataContent that provides export capabilities in
different modes.Enumeration of supported export modes.
Frodo Key Encapsulation Mechanism (KEM)
FrodoKEM runtime context
Key generation specification for FrodoKEM
Enumerates the standardized FrodoKEM parameter sets.
Specification for importing a Frodo private key
Specification for importing a Frodo public key
Emits an HTML fragment with a table that summarizes discovered cryptographic
algorithms.
Generic JCA-based Key Agreement Context
Factory of initialized
Signature engines.Strategy for determining the signature trailer length in SIGN mode.
Strategy for determining the expected signature length in VERIFY mode.
HMAC Algorithm Integration
HmacDataContentBuilder constructs streaming pipelines that compute or verify
HMAC tags while an InputStream is consumed.
Mode selects whether the pipeline computes an HMAC tag or verifies one.
Specification for HMAC key generation
Specification for importing raw HMAC keys into a
SecretKey.Streaming HMAC context backed by the JCA
Mac API.Specification for HMAC operation parameters
HQC (Hamming Quasi-Cyclic) Algorithm Integration
HQC KEM Context
HQC Key Generation Specification
Enumeration of HQC parameter sets.
HQC Private Key Specification
HQC Public Key Specification
Enumeration of image formats supported for steganographic processing.
Digest context that adapts a JCA
MessageDigest to a
pull-based streaming pipeline.Utility class for embedding and extracting binary payloads across multiple
EXIF slots in JPEG files.
AuditListener implementation that emits structured Java Util Logging records.
Fluent factory for
JulAuditListenerStd.HKDF utilities for deriving symmetric keys from a KEM shared secret.
Context for performing key encapsulation and decapsulation (KEM) operations.
Encapsulation result holding both ciphertext and shared secret.
Opener for "KEM:<algId>:GCM-WRAP" entries.
Recipient implementation that derives a key-encryption key (KEK) via a
KemContext encapsulation and uses it to wrap a content-encryption key
(CEK).KEM-based envelope builder that first collects KEM parameters and only then
delegates to an explicit symmetric builder for the payload.
Adapter: using a KEM as a message-based agreement primitive
Builder for
KemMessageAgreementAdapter.Role of the adapter: initiator or responder.
Human-editable keyring persisted in a simple UTF-8 text format.
PrivateWithId pairs the algorithm identifier with a resolved private key.
PublicWithId pairs the algorithm identifier with a resolved public key.
Immutable entry in a
KeyringStore.Enumeration of supported key kinds.
SecretWithId pairs the algorithm identifier with a resolved secret key.
Declares the intended purpose(s) of a cryptographic key.
Concrete CryptoAlgorithm implementation for the post-quantum key
encapsulation mechanism (KEM) Kyber, standardized as ML-KEM.
KyberKemContext is a lightweight KEM context used to perform Kyber (ML-KEM)
encapsulation or decapsulation.
Key generation specification for the Kyber (ML-KEM) algorithm family.
Enumerates the supported Kyber parameter sets.
Specification wrapper for a Kyber (ML-KEM) private key encoded in PKCS#8.
Specification wrapper for a Kyber (ML-KEM) public key encoded in X.509.
Least Significant Bit steganography implementation operating in the spatial
domain.
Context for computing message authentication codes (MACs) in streaming
pipelines.
Extension of
AgreementContext for message-based key agreement
protocols.Builds a data content pipeline that supports multiple recipients and
delegates payload encryption to AES or ChaCha builders.
NtruAlgorithm exposes the NTRU KEM from the Bouncy Castle PQC provider and
adapts it for both KEM and message-based agreement roles.
NtruKemContext performs NTRU key encapsulation and decapsulation against a
single key and parameter set.
NtruKeyGenSpec selects an NTRU parameter set for key pair generation.
Variant enumerates supported NTRU parameter sets for key generation.
Configures and exposes the NTRU LPRime post-quantum KEM and a
message-agreement adapter backed by the Bouncy Castle PQC provider.
KEM context for NTRU LPRime that performs encapsulation and decapsulation
using the underlying key material.
Algorithm-specific key generation parameters for NTRU LPRime.
Enumeration of supported NTRU LPRime parameter sets.
Specification wrapper for an encoded NTRU LPRime private key in PKCS#8
format.
Specification wrapper for an encoded NTRU LPRime public key in X.509 format.
NtruPrivateKeySpec holds a PKCS#8-encoded NTRU private key and supports a
simple marshal/unmarshal form.
NtruPublicKeySpec holds an X.509 SubjectPublicKeyInfo encoded NTRU public key
and supports a simple marshal/unmarshal form.
Sentinel
Key representing the intentional absence of cryptographic
key material.An abstract adapter that converts an
OutputStream-based
transformation (such as encryption or compression) into an
InputStream-based one.A streaming writer that reads a variable-length 7-bit encoded length prefix
from the input data and writes the subsequent payload to a target
OutputStream.Immutable sequence of string key-value pairs with cursor-based iteration and
simple text serialization.
Utility class for generating random passwords and secure random byte arrays.
Recipient opener for password-based entries that derives a KEK via PBKDF2 and
unwraps the CEK with AES-GCM.
Password recipient that derives a KEK via PBKDF2(HMAC-SHA-256) and wraps the
CEK with AES-GCM.
An implementation of
PlainContent that encapsulates a byte array.Builder interface for constructing
PlainBytes instances that
encapsulate unencrypted byte array content.Default implementation of the
PlainBytesBuilder interface.Represents a plain content that includes some original content, such as data
from interactive input, a file, or the result of decrypting encrypted
content.
A
PlainContent implementation that reads content from a file-like
URL.Builder interface for constructing
PlainContent instances that
represent unencrypted file-based content sourced from a URL.Default implementation of the
PlainFileBuilder interface.A
PlainContent implementation that wraps a UTF-8 string.Builder interface for constructing
PlainString instances, which
represent unencrypted textual content.Default implementation of the
PlainStringBuilder interface.Exception signaling a failure in the underlying cryptographic provider during
algorithm initialization or operation.
Utility class providing support for secure random number generation.
Recipient describes how to encode a single recipient entry that can recover a
content-encryption key (CEK) during decryption.
RSA algorithm binding for encryption/decryption and signature/verification.
Streaming RSA cipher context that transforms data block-by-block using OAEP
or PKCS#1 v1.5 padding.
RsaEncDataContentBuilder builds streaming RSA encryption or decryption
pipelines that operate while an InputStream is consumed.
Specification of RSA encryption parameters including padding mode, hash
function, and optional OAEP label.
Hash algorithms usable within OAEP padding.
Supported RSA padding schemes.
Key generation specification for RSA key pairs.
Encoded RSA private key specification in PKCS#8 format.
Encoded RSA public key specification in X.509 SubjectPublicKeyInfo format.
RsaSigDataContentBuilder builds streaming RSA signature pipelines that sign
or verify as an InputStream is consumed.
Mode selects whether the builder signs or verifies.
Streaming RSA signature context for signing or verifying data in a pull
pipeline.
Specification of RSA signature parameters including padding mode, hash
function, and (for PSS) salt length.
Supported hash algorithms for RSA signatures.
Signature padding modes supported by RSA.
Implements the SABER post-quantum key encapsulation mechanism for the crypto
catalog and wires it to the Bouncy Castle PQC provider.
KEM context for SABER supporting encapsulation with a public key and
decapsulation with a private key.
Key generation specification for the SABER post-quantum KEM algorithm.
Enumeration of SABER parameter set variants.
Encoded private key specification for the SABER post-quantum KEM algorithm.
Encoded public key specification for the SABER post-quantum KEM algorithm.
Represents secret content, which is a specific type of plain content that
stores a secret phrase.
A
SecretContent implementation that encapsulates a passwordKey
string.Estimates conservative security strength in bits for a given algorithm
identifier and key.
SHA-2, SHA-3, and SHAKE digest algorithms
Context for streaming digital signature operations in pull-based pipelines.
SignatureTrailerInputStream reads an upstream stream that has a trailing
signature tag and exposes only the original body while capturing the detached
signature.
Verification strategy that delegates to a JCA
Signature object.Represents a target slot in an EXIF/TIFF metadata directory for covert data
embedding.
Logical groupings of EXIF/TIFF directories used to categorize slots.
Configures and exposes the SNTRU Prime post-quantum KEM and a
message-agreement adapter backed by the Bouncy Castle PQC provider.
KEM context for SNTRU Prime that performs encapsulation and decapsulation
using the underlying key material.
Algorithm-specific key generation parameters for SNTRU Prime.
Enumeration of supported SNTRU Prime parameter sets.
Specification wrapper for an encoded SNTRU Prime private key in PKCS#8
format.
Specification wrapper for an encoded SNTRU Prime public key in X.509 format.
SPHINCS+ signature algorithm binding for the ZeroEcho framework.
Builder for streaming signature operations using the SPHINCS+ post-quantum
signature scheme.
Key pair builder for the SPHINCS+ post-quantum signature scheme.
Specification for generating SPHINCS+ key pairs.
Hash function families supported by SPHINCS+.
Construction mode: conservative
ROBUST vs.Security levels as defined by NIST PQC (L1, L3, L5).
Signature variants trading performance against signature size.
Builder for importing SPHINCS+ private keys from encoded specifications.
Encoded representation of a SPHINCS+ private key.
Builder for importing SPHINCS+ public keys from encoded specifications.
Encoded representation of a SPHINCS+ public key.
SPHINCS+ signature context that adapts a JCA engine for streaming sign and
verify.
Contract for stream-based steganographic methods.
Metadata that describes a steganographic method.
Utility class providing string conversion helpers for debugging and logging.
Optional SPI to write/read a small header that carries runtime params (e.g.,
IV, tag length, AAD hash).
Factory interface for constructing symmetric keys from algorithm-specific
specifications.
Minimal streaming engine for producing or verifying authentication tags on
byte streams.
Factory-style builder that supplies fresh
TagEngine instances on
demand.Builder for
DataContent pipelines that attach or verify an
authentication tag at end of stream.InputStream that withholds the last N bytes from the upstream stream and
emits everything before that tail, delivering the withheld tail to a callback
at EOF.
A utility class for generating pseudo-random textual content based on
predefined character frequency distributions.
Generates characters or strings using a frequency-based distribution.
A functional predicate of two arguments that may throw a checked exception.
Decorator that records the verification outcome in a context before returning
it.
Decorator that throws
VerificationException when the delegated
verification fails.Base type for verification strategies that compare a value of type
T
to a byte array and may throw VerificationException.UnlockMaterial represents the unlocking data supplied to a recipient opener
to recover a content-encryption key (CEK).
Password holds characters used to derive a key-encryption key (KEK) for
unwrapping the CEK.
Private holds a private key used to decrypt or decapsulate a recipient entry.
Exception indicating that an algorithm does not support the requested role.
Exception indicating that a provided key/spec combination is not supported by
the algorithm for the requested role.
Utility class for performing efficient I/O operations with support for packed
integers.
Exception thrown when a cryptographic signature or digest verification fails.
Context specification for algorithms that require no additional parameters.
Utility class providing support for working with X.509 certificates, private
keys, and certification requests using PEM-encoded files and the Bouncy
Castle library.
Algorithm definition for XDH (elliptic curve Diffie-Hellman) key agreement,
backed by the JCA
KeyAgreement API.KeyPair generator for XDH curves using the JCA KeyPairGenerator SPI.
Key specification for an XDH (elliptic curve Diffie-Hellman) private key.
Key specification for an XDH (elliptic curve Diffie-Hellman) public key.
Specification for X25519 and X448 Diffie-Hellman over Montgomery-form
elliptic curves.