### AES-GCM Counter Overflow Example

Source: https://github.com/c2sp/wycheproof/blob/main/doc/aesgcm.md

Illustrates the counter increment behavior in AES-GCM for a specific block value, showing the modulo 2^32 arithmetic: only the rightmost 32 bits of the counter block are incremented, so a block of all ones wraps without carrying into the upper 96 bits.

```plaintext
0xffffffffffffffffffffffffffffffff
```

--------------------------------

### JWE Ciphertext Header with 'alg'

Source: https://github.com/c2sp/wycheproof/blob/main/doc/json_web_crypto.md

Example of a JWE protected header containing an 'alg' field. This field names the key-encryption algorithm and must match the algorithm associated with the key that is used to unwrap the content.

```json
{"alg":"RSA1_5","enc":"..."}
```

--------------------------------

### RSA Key with 'alg' field

Source: https://github.com/c2sp/wycheproof/blob/main/doc/json_web_crypto.md

Example of an RSA key object (JWK) including the 'alg' field, which specifies the algorithm the key is intended for. Binding a key to a single algorithm is crucial for security: it lets a verifier reject any message whose header requests a different algorithm and so prevents algorithm confusion attacks.

```json
{
  "alg": "RSA-OAEP",
  "use": "enc",
  "n": "...",
  "e": "...",
  "d": "...",
  "p": "...",
  "q": "...",
  "dp": "...",
  "dq": "...",
  "qi": "...",
  "kid": "...",
  "kty": "RSA"
}
```

--------------------------------

### Initialize RSASSA-PSS Verifier in Java

Source: https://github.com/c2sp/wycheproof/blob/main/doc/rsa.md

Demonstrates how to initialize an RSASSA-PSS verifier in Java by specifying the algorithm parameters explicitly. This approach is needed when the algorithm name is 'RSASSA-PSS', because that name carries no hash, MGF or salt length of its own.

```java
Signature verifier = Signature.getInstance("RSASSA-PSS");
PSSParameterSpec pssParams = ...;   // must match the parameters the signer used
verifier.setParameter(pssParams);
verifier.initVerify(publicKey);
```

--------------------------------

### Instantiate Signature with SHA1withDSA

Source: https://github.com/c2sp/wycheproof/blob/main/doc/dsa.md

This Java code snippet shows how to instantiate a Signature object for SHA1withDSA. Requesting the short name 'DSA' returns the same algorithm.

```java
Signature s = Signature.getInstance("SHA1withDSA");
```

--------------------------------

### RSA PSS Signing with Parameters

Source: https://github.com/c2sp/wycheproof/blob/main/doc/rsa.md

When signing or verifying RSA PSS signatures, the PSS parameters stored with the key must be copied into the Signature object. This snippet demonstrates the correct initialization and usage of the Signature object for signing.

```java
RSAPrivateKey priv = ...;
byte[] msg = ...;
Signature signer = Signature.getInstance("RSASSA-PSS");
signer.initSign(priv);
signer.setParameter(priv.getParams());   // copy hash, MGF and salt length from the key
signer.update(msg);
byte[] signature = signer.sign();
```

--------------------------------

### Instantiate Signature with Explicit Hash Algorithm

Source: https://github.com/c2sp/wycheproof/blob/main/doc/dsa.md

These Java calls instantiate Signature objects for DSA with a specific SHA algorithm (SHA1, SHA224, SHA256).

```java
Signature.getInstance("SHA1withDSA");
Signature.getInstance("SHA224withDSA");
Signature.getInstance("SHA256withDSA");
```

--------------------------------

### Generate 2048-bit DSA Key Pair and Initialize Signature

Source: https://github.com/c2sp/wycheproof/blob/main/doc/dsa.md

This Java code snippet demonstrates generating a 2048-bit DSA key pair and initializing a signature instance with the private key. Note that 'DSA' defaults to 'SHA1withDSA'.

```java
KeyPairGenerator keygen = KeyPairGenerator.getInstance("DSA");
keygen.initialize(2048);
KeyPair keypair = keygen.genKeyPair();
Signature s = Signature.getInstance("DSA");
s.initSign(keypair.getPrivate());
```

--------------------------------

### Simplified FF1.Encrypt Algorithm

Source: https://github.com/c2sp/wycheproof/blob/main/doc/ff1.md

This simplified version of FF1.Encrypt keeps the two halves A and B as integers for the whole computation instead of converting intermediate values back and forth between numeral strings, which reduces the amount of radix arithmetic per round. Notation follows NIST SP 800-38G: [x]^s is the s-byte big-endian encoding of x, NUM_radix converts a numeral string to an integer, STR^m_radix converts an integer to an m-digit numeral string, and E_K is the block cipher.

```pseudocode
1. Let u = ⎣n/2⎦; v = n − u.
2. Let A = NUM_radix(X[1..u]); B = NUM_radix(X[u+1..n]).
3. Let b = ⎡⎡v · log2(radix)⎤ / 8⎤.
4. Let d = 4⎡b/4⎤ + 4.
5. Let P = [1]^1 || [2]^1 || [1]^1 || [radix]^3 || [10]^1 || [u mod 256]^1 || [n]^4 || [t]^4.
6. For i from 0 to 9:
   i.    Let Q = T || [0]^((−t−b−1) mod 16) || [i]^1 || [B]^b.
   ii.   Let R = PRF(P || Q).
   iii.  Let S be the first d bytes of the following string of ⎡d/16⎤ blocks:
         R || E_K(R ⊕ [1]^16) || E_K(R ⊕ [2]^16) || … || E_K(R ⊕ [⎡d/16⎤ − 1]^16).
   iv.   Let y = NUM(S).
   v.    If i is even, let m = u; else, let m = v.
   vi.   Let C = (A + y) mod radix^m.
   vii.  Let A = B.
   viii. Let B = C.
7. Return STR^u_radix(A) || STR^v_radix(B).
```

--------------------------------

### FF1.Encrypt Algorithm (NIST SP800-38G)

Source: https://github.com/c2sp/wycheproof/blob/main/doc/ff1.md

This snippet outlines the steps for FF1 encryption as described in NIST SP 800-38G. Each round converts the right half to an integer for the PRF input and converts the round result back to a numeral string.

```pseudocode
1. Let u = ⎣n/2⎦; v = n − u.
2. Let A = X[1..u]; B = X[u+1..n].
3. Let b = ⎡⎡v · log2(radix)⎤ / 8⎤.
4. Let d = 4⎡b/4⎤ + 4.
5. Let P = [1]^1 || [2]^1 || [1]^1 || [radix]^3 || [10]^1 || [u mod 256]^1 || [n]^4 || [t]^4.
6. For i from 0 to 9:
   i.    Let Q = T || [0]^((−t−b−1) mod 16) || [i]^1 || [NUM_radix(B)]^b.
   ii.   Let R = PRF(P || Q).
   iii.  Let S be the first d bytes of the following string of ⎡d/16⎤ blocks:
         R || E_K(R ⊕ [1]^16) || E_K(R ⊕ [2]^16) || … || E_K(R ⊕ [⎡d/16⎤ − 1]^16).
   iv.   Let y = NUM(S).
   v.    If i is even, let m = u; else, let m = v.
   vi.   Let c = (NUM_radix(A) + y) mod radix^m.
   vii.  Let C = STR^m_radix(c).
   viii. Let A = B.
   ix.   Let B = C.
7. Return A || B.
```

--------------------------------

### JWS Compact Serialization Format

Source: https://github.com/c2sp/wycheproof/blob/main/doc/json_web_crypto.md

Illustrates the structure of a JSON Web Signature in its compact serialization format: three base64url segments separated by dots.

```text
BASE64URL(UTF8(JWS Protected Header)) || '.' ||
BASE64URL(JWS Payload) || '.' ||
BASE64URL(JWS Signature)
```

--------------------------------

### Domain Parameters Structure (RFC 2459)

Source: https://github.com/c2sp/wycheproof/blob/main/doc/dh.md

Describes the domain parameters for Diffie-Hellman keys according to RFC 2459, including p, g, q, and an optional j and validationParms.

```asn.1
DomainParameters ::= SEQUENCE {
  p               INTEGER,            -- odd prime, p = jq + 1
  g               INTEGER,            -- generator, g
  q               INTEGER,            -- factor of p-1
  j               INTEGER OPTIONAL,   -- subgroup factor, j >= 2
  validationParms ValidationParms OPTIONAL
}
```

--------------------------------

### DHParameter Structure (PKCS #3)

Source: https://github.com/c2sp/wycheproof/blob/main/doc/dh.md

Defines the Diffie-Hellman parameters as specified in PKCS #3, including the prime (p), the base (g), and an optional privateValueLength. Note that, unlike the RFC 2459 structure, it carries no subgroup order q.

```asn.1
DHParameter ::= SEQUENCE {
  prime              INTEGER,   -- p
  base               INTEGER,   -- g
  privateValueLength INTEGER OPTIONAL
}
```

--------------------------------

### Specify RSA OAEP Parameters Explicitly

Source: https://github.com/c2sp/wycheproof/blob/main/doc/rsa.md

Use this pattern to get interoperable RSA OAEP behaviour across providers by explicitly setting SHA-256 for both the digest and MGF1 and an explicit PSource, rather than relying on provider defaults.

```java
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
PSource p = PSource.PSpecified.DEFAULT;
MGF1ParameterSpec mgf1Params = new MGF1ParameterSpec("SHA-256");
OAEPParameterSpec params = new OAEPParameterSpec("SHA-256", "MGF1", mgf1Params, p);
cipher.init(mode, key, params);   // mode is Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE
```

--------------------------------

### RSASSA-PSS-params ASN.1 Definition

Source: https://github.com/c2sp/wycheproof/blob/main/doc/rsa.md

Defines the ASN.1 structure for RSASSA-PSS parameters, including default values for the hash algorithm, mask generation function, salt length, and trailer field. Note that the default values (sha1, mgf1SHA1, 20, trailerFieldBC) are considered weak and should not be used for key generation.

```asn.1
RSASSA-PSS-params ::= SEQUENCE {
  hashAlgorithm    [0] HashAlgorithm    DEFAULT sha1,
  maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
  saltLength       [2] INTEGER          DEFAULT 20,
  trailerField     [3] TrailerField     DEFAULT trailerFieldBC
}
```

--------------------------------

### Generate 2048-bit DSA Key Pair

Source: https://github.com/c2sp/wycheproof/blob/main/doc/dsa.md

This Java code snippet focuses on generating a 2048-bit DSA key pair using KeyPairGenerator. The key size refers to the bit length of the prime p.

```java
KeyPairGenerator keygen = KeyPairGenerator.getInstance("DSA");
keygen.initialize(2048);
KeyPair keypair = keygen.genKeyPair();
```

--------------------------------

### JWS Signature Input Definition

Source: https://github.com/c2sp/wycheproof/blob/main/doc/json_web_crypto.md

Defines the input over which the JWS Signature is computed in the compact serialization: the first two segments, joined by a dot, as ASCII bytes.

```text
ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload))
```
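The AES-GCM counter example above only shows the input block. The following added Python (not code from the Wycheproof project) implements the inc32 increment from NIST SP 800-38D, derives the per-block counters from a 96-bit IV, and shows why the plaintext limit of 2^32 - 2 blocks exists: one more wrap would bring the keystream counter back onto J0, the block GCM encrypts to mask the tag. The IV and the all-ones block are constructed inputs; the function names are this example's own.

```python
# Added example (not from the Wycheproof docs): the inc32 counter increment
# from NIST SP 800-38D and the 2^32 wrap-around it implies for AES-GCM.

MASK32 = (1 << 32) - 1


def inc32(block: bytes) -> bytes:
    """Increment the rightmost 32 bits of a 16-byte counter block modulo 2^32.

    The leftmost 96 bits are untouched, so the all-ones block becomes
    0xffffffffffffffffffffffff00000000 rather than carrying into the IV part.
    """
    if len(block) != 16:
        raise ValueError("counter block must be 16 bytes")
    prefix, ctr = block[:12], int.from_bytes(block[12:], "big")
    return prefix + ((ctr + 1) & MASK32).to_bytes(4, "big")


def inc32_times(block: bytes, n: int) -> bytes:
    """Apply inc32 n times; the increments compose, so this is one modular add."""
    if len(block) != 16:
        raise ValueError("counter block must be 16 bytes")
    prefix, ctr = block[:12], int.from_bytes(block[12:], "big")
    return prefix + ((ctr + n) & MASK32).to_bytes(4, "big")


def j0_for_96bit_iv(iv: bytes) -> bytes:
    """J0 for a 96-bit IV is IV || 0^31 || 1; GCM encrypts J0 to mask the tag."""
    if len(iv) != 12:
        raise ValueError("this helper only handles 96-bit IVs")
    return iv + b"\x00\x00\x00\x01"


def counter_block(iv: bytes, i: int) -> bytes:
    """Counter block that encrypts plaintext block i (0-based): inc32^(i+1)(J0)."""
    return inc32_times(j0_for_96bit_iv(iv), i + 1)


def max_plaintext_blocks() -> int:
    """SP 800-38D caps plaintext at 2^39 - 256 bits, i.e. 2^32 - 2 blocks, so the
    keystream counters stay within IV||2 .. IV||0xffffffff and never reach J0."""
    return (1 << 32) - 2


def counter_collides_with_j0(iv: bytes, i: int) -> bool:
    """True if the counter used for plaintext block i equals J0 (the tag counter)."""
    return counter_block(iv, i) == j0_for_96bit_iv(iv)


# Constructed inputs for the demonstration below (not real traffic).
ALL_ONES = bytes.fromhex("ff" * 16)
SAMPLE_IV = bytes(range(12))

if __name__ == "__main__":
    print(inc32(ALL_ONES).hex())                                          # ffffffffffffffffffffffff00000000
    print(counter_block(SAMPLE_IV, 0).hex())                              # IV followed by 00000002
    print(counter_collides_with_j0(SAMPLE_IV, max_plaintext_blocks()))    # False: within the limit
    print(counter_collides_with_j0(SAMPLE_IV, (1 << 32) - 1))             # True: J0 is reused
```

Because the increments compose, `inc32_times` computes a counter 2^32 steps away in one modular addition instead of looping; that is what lets the block demonstrate the wrap without encrypting 2^32 blocks.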
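The RFC 2459 DomainParameters structure states the relations a receiver should check (p = jq + 1 with q a prime factor of p - 1 and j >= 2) but not how. The following added Python (not from the Wycheproof project) validates a parameter set and then a received public value against it; the subgroup test y^q mod p == 1 is what rejects elements of the small subgroups that exist whenever j >= 2. The toy parameters p = 23, q = 11, g = 2 are constructed for the demonstration and are far too small for real use; the function names are this example's own.

```python
# Added example (not from the Wycheproof docs): validating DH DomainParameters
# (p, g, q, j) and a peer's public value against the order-q subgroup.
import random
from typing import List, Optional


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases, after a trial-division fast path."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness of compositeness
    return True


def validate_domain_parameters(p: int, g: int, q: int, j: Optional[int] = None) -> List[str]:
    """Return the list of problems found; an empty list means the parameters pass.

    Checks: p and q prime, q divides p-1, j (if present) satisfies p = j*q + 1
    with j >= 2, and g is a non-trivial element of the subgroup of order q.
    """
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if j is not None and (j < 2 or j * q + 1 != p):
        problems.append("j is inconsistent with p = j*q + 1 or j < 2")
    if not (1 < g < p - 1):
        problems.append("g is outside (1, p-1)")
    elif pow(g, q, p) != 1:
        problems.append("g is not in the subgroup of order q")
    return problems


def validate_public_value(y: int, p: int, q: int) -> List[str]:
    """Check a received public value: range first, then subgroup membership.

    y^q mod p == 1 rejects elements outside the order-q subgroup, including the
    elements of small order that exist in the full group when j >= 2.
    """
    problems = []
    if not (1 < y < p - 1):
        problems.append("y is outside (1, p-1)")
    elif pow(y, q, p) != 1:
        problems.append("y is not in the subgroup of order q")
    return problems


# Constructed toy parameters: p = 23 = 2 * 11 + 1, q = 11, j = 2, g = 2 has order 11.
TOY_P, TOY_Q, TOY_G, TOY_J = 23, 11, 2, 2

if __name__ == "__main__":
    print(validate_domain_parameters(TOY_P, TOY_G, TOY_Q, TOY_J))   # []
    print(validate_domain_parameters(TOY_P, 5, TOY_Q, TOY_J))       # 5 generates the whole group, not the q-subgroup
    print(validate_public_value(4, TOY_P, TOY_Q))                   # []
    print(validate_public_value(5, TOY_P, TOY_Q))                   # rejected: not in the q-subgroup
    print(validate_public_value(TOY_P - 1, TOY_P, TOY_Q))           # rejected: p-1 has order 2
```

A PKCS #3 DHParameter carries no q, so only the range check is possible with it; that is one practical reason to prefer parameter encodings that include the subgroup order.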
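The JWS compact serialization, the JWS signing-input definition and the 'alg' field on a JWK above fit together in one verifier. The following added Python (not code from the Wycheproof project) builds the signing input exactly as defined, signs it with HS256, and verifies a token only after confirming that the header's 'alg' equals the 'alg' bound to the key, so the token cannot pick the algorithm. The JWK and its key bytes are constructed for this example and are not a real secret; the function names are this example's own.

```python
# Added example (not from the Wycheproof docs): HS256 compact JWS with the
# key's 'alg' used to reject algorithm confusion before any MAC is checked.
import base64
import hashlib
import hmac
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """BASE64URL without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def signing_input(protected_header: dict, payload: bytes) -> bytes:
    """ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload))."""
    header_json = json.dumps(protected_header, separators=(",", ":")).encode("utf-8")
    return (b64url(header_json) + "." + b64url(payload)).encode("ascii")


def hs256_sign(jwk: dict, payload: bytes) -> str:
    """Produce header.payload.signature in compact serialization using HS256."""
    if jwk.get("alg") != "HS256":
        raise ValueError("key is not bound to HS256")
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    inp = signing_input(header, payload)
    mac = hmac.new(b64url_decode(jwk["k"]), inp, hashlib.sha256).digest()
    return inp.decode("ascii") + "." + b64url(mac)


def verify_compact_jws(token: str, jwk: dict) -> Tuple[bool, str]:
    """Verify a compact JWS against a single JWK. Returns (ok, reason)."""
    try:
        token.encode("ascii")
    except UnicodeEncodeError:
        return False, "token is not ASCII"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "expected three dot-separated segments"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except ValueError:
        return False, "protected header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return False, "protected header is not a JSON object"
    # The key, not the token, decides the algorithm: a header 'alg' that differs
    # from the key's 'alg' is rejected before any cryptography runs.
    if header.get("alg") != jwk.get("alg"):
        return False, "header alg %r does not match key alg %r" % (header.get("alg"), jwk.get("alg"))
    if jwk.get("alg") != "HS256":
        return False, "this example only verifies HS256 keys"
    if jwk.get("use", "sig") != "sig":
        return False, "key is not a signature key"
    expected = hmac.new(b64url_decode(jwk["k"]), (h_b64 + "." + p_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample key for this example; the key bytes are not a real secret.
SAMPLE_JWK = {
    "kty": "oct", "alg": "HS256", "use": "sig", "kid": "example-key-1",
    "k": b64url(b"constructed-example-hmac-key-0123456789"),
}

if __name__ == "__main__":
    token = hs256_sign(SAMPLE_JWK, b'{"sub":"alice"}')
    print(token)
    print(verify_compact_jws(token, SAMPLE_JWK))          # (True, 'ok')
```

The MAC is compared with `hmac.compare_digest` so that a wrong signature costs the same time as a right one, and the 'alg' comparison happens before the MAC so that a key provisioned for HS256 is never driven by a header asking for anything else.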