Package zeroecho.core.context

Interface MacContext

All Superinterfaces:

AutoCloseable, Closeable, CryptoContext, TagEngine<byte[]>

All Known Implementing Classes:

HmacMacContext

public non-sealed interface MacContext
extends TagEngine<byte[]>, CryptoContext

Context for computing message authentication codes (MACs) in streaming pipelines.

A MacContext encapsulates the state of a keyed integrity primitive such as HMAC, KMAC, or CMAC and exposes the TagEngine contract: the wrapped input stream passes bytes through while the MAC state is updated; at end-of-file a fixed-length tag is either appended (produce mode) or compared with an expected tag (verify mode).

Operation

• Produce mode: TagEngine.wrap(java.io.InputStream) emits the original data and then appends the computed MAC as a trailer.
• Verify mode: Supply the expected tag via TagEngine.setExpectedTag(byte[]) and ensure the upstream body does not include a trailer. At EOF the computed tag is compared using the configured verification approach set with TagEngine.setVerificationApproach(ThrowingBiPredicate.VerificationBiPredicate).

Usage

Produce an HMAC trailer

 
 javax.crypto.SecretKey key = ...;
 HmacSpec spec = HmacSpec.sha256();

 TagEngine<byte[]> eng = TagEngineBuilder.hmac(key, spec).get();
 try (java.io.InputStream in = eng.wrap(upstream)) {
     in.transferTo(out); // body bytes, then HMAC trailer are written to 'out'
 }
 
 

Verify a detached MAC

 
 byte[] expectedMac = ...; // obtained via a trusted channel

 TagEngine<byte[]> eng = TagEngineBuilder.hmac(key, HmacSpec.sha256()).get();
 // Optional: throw on mismatch instead of silent flagging
 eng.setVerificationApproach(eng.getVerificationCore().getThrowOnMismatch());
 eng.setExpectedTag(expectedMac);

 try (java.io.InputStream in = eng.wrap(bodyWithoutTrailer)) {
     in.transferTo(java.io.OutputStream.nullOutputStream()); // comparison at EOF
 }
 
 

Security considerations

• MACs are keyed and provide authenticity and integrity, unlike DigestContext.
• Comparisons should be constant time. Use a strategy such as ByteVerificationStrategy via TagEngine.setVerificationApproach(ThrowingBiPredicate.VerificationBiPredicate).
• Instances are stateful and not thread-safe. Use one context per pipeline.

Since:

1.0

Field Summary

Fields inherited from interface zeroecho.core.tag.TagEngine

LOG

Method Summary

Methods inherited from interface zeroecho.core.context.CryptoContext

algorithm, close, key

Methods inherited from interface zeroecho.core.tag.TagEngine

getVerificationCore, setExpectedTag, setVerificationApproach, tagLength, wrap