SignDocVerificationResult.getEncryptedBiometricData Method
Get the encrypted biometric data of the field.

Use this function if you cannot use getBiometricData() for decrypting the biometric data (for instance, because the private key is stored in an HSM).

In the following description of the format of the encrypted data retrieved by this function, all numbers are stored in little-endian format (however, RSA uses big-endian format):

- 4 octets: version number
- 4 octets: number of following octets (hash and body)
- 32 octets: SHA-256 hash of body (i.e., of the octets which follow)
- body (format depends on version number)

If the version number is 1, the encryption method is be_rsa with a 2048-bit key and the body has this format:

- 32 octets: SHA-256 hash of unencrypted biometric data
- 256 octets: AES-256 session key encrypted with 2048-bit RSA 2.0 (OAEP) with SHA-256
- rest: biometric data encrypted with AES-256 in CBC mode using padding as described in RFC 2246. The IV is zero (not a problem as the session key is random).

If the version number is 2, the body has this format:

- 4 octets: method (be_fixed, be_binary, be_passphrase)
- 32 octets: IV (only the first 16 octets are used, please ignore the rest)
- 32 octets: SHA-256 hash of unencrypted biometric data
- rest: biometric data encrypted with AES-256 in CBC mode using padding as described in RFC 2246.

If the version number is 3, the encryption method is be_rsa with a key longer than 2048 bits and the body has this format:

- 4 octets: size n of encrypted AES key in octets
- n octets: AES-256 session key encrypted with RSA 2.0 (OAEP) with SHA-256
- 32 octets: IV (only the first 16 octets are used, please ignore the rest)
- 32 octets: SHA-256 hash of unencrypted biometric data
- rest: biometric data encrypted with AES-256 in CBC mode using padding as described in RFC 2246.

This function fails for document time stamps, see getMethod().

Namespace:  de.softpro.signdocsdk
Assembly:  SPSignDoc_4.3_DotNetLib (in SPSignDoc_4.3_DotNetLib.dll) Version: 1.0.6773.37566
Syntax
C#
public byte[] getEncryptedBiometricData()

Return Value

Type: Byte[]
The encrypted biometric data. See above for the format.
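The following is an added example, not part of the SignDoc SDK or its documentation: a Python sketch that splits the returned octets into the fields listed above and checks the outer SHA-256 hash before anything is handed to an HSM for key unwrapping. The names parse_envelope and EnvelopeError are hypothetical, and two points are assumptions: the length field is treated as unsigned and is required to cover exactly the rest of the blob. The method value of version 2 is returned as a number because the page does not give the numeric values of be_fixed, be_binary and be_passphrase.

```python
import hashlib
import struct

class EnvelopeError(ValueError):
    """Raised when the blob does not match the documented layout."""

def _take(buf, pos, n, what):
    # Bounds-checked slice: never read past the end of the body.
    if n < 0 or pos + n > len(buf):
        raise EnvelopeError(f"truncated while reading {what}")
    return buf[pos:pos + n], pos + n

def parse_envelope(blob):
    """Split the blob into its documented fields; decrypts nothing."""
    if len(blob) < 8 + 32:
        raise EnvelopeError("shorter than header plus body hash")
    version, length = struct.unpack_from("<II", blob, 0)
    # Assumption: the length field covers exactly the rest of the blob.
    if length != len(blob) - 8:
        raise EnvelopeError("length field does not match blob size")
    body = blob[40:]
    if hashlib.sha256(body).digest() != blob[8:40]:
        raise EnvelopeError("SHA-256 of body does not match header")
    out = {"version": version, "method": None, "wrapped_key": None,
           "iv": bytes(16)}          # version 1 uses an all-zero IV
    pos = 0
    if version == 1:
        out["plain_sha256"], pos = _take(body, pos, 32, "plaintext hash")
        out["wrapped_key"], pos = _take(body, pos, 256, "RSA-wrapped key")
    elif version == 2:
        raw, pos = _take(body, pos, 4, "method")
        out["method"] = struct.unpack("<I", raw)[0]   # be_* value, kept numeric
        iv, pos = _take(body, pos, 32, "IV")
        out["iv"] = iv[:16]           # only the first 16 octets are used
        out["plain_sha256"], pos = _take(body, pos, 32, "plaintext hash")
    elif version == 3:
        raw, pos = _take(body, pos, 4, "key size")
        n = struct.unpack("<I", raw)[0]
        out["wrapped_key"], pos = _take(body, pos, n, "RSA-wrapped key")
        iv, pos = _take(body, pos, 32, "IV")
        out["iv"] = iv[:16]
        out["plain_sha256"], pos = _take(body, pos, 32, "plaintext hash")
    else:
        raise EnvelopeError(f"unsupported version {version}")
    out["ciphertext"] = body[pos:]
    # AES-256-CBC operates on whole 16-octet blocks.
    if not out["ciphertext"] or len(out["ciphertext"]) % 16:
        raise EnvelopeError("ciphertext is not a whole number of AES blocks")
    return out
```

The outer hash only detects corruption of the container. After the session key has been unwrapped and the data decrypted, compare the SHA-256 of the plaintext with plain_sha256 before using the biometric data.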