Package org.apache.sshd.common.util.security

Class SecurityUtils

  • public final class SecurityUtils
extends java.lang.Object
    Specific security providers related code

    • Field Detail

      • EDDSA

        public static final java.lang.String EDDSA
        EDDSA support - should match EdDSAKey.KEY_ALGORITHM
        See Also:
        Constant Field Values

      • CURVE_ED25519_SHA512

        public static final java.lang.String CURVE_ED25519_SHA512
        See Also:
        Constant Field Values

      • MIN_DHGEX_KEY_SIZE_PROP

        public static final java.lang.String MIN_DHGEX_KEY_SIZE_PROP
        System property used to configure the value for the minimum supported Diffie-Hellman Group Exchange key size. If not set, then an internal auto-discovery mechanism is employed. If set to negative value then Diffie-Hellman Group Exchange is disabled. If set to a negative value then Diffie-Hellman Group Exchange is disabled
        See Also:
        Constant Field Values

      • MAX_DHGEX_KEY_SIZE_PROP

        public static final java.lang.String MAX_DHGEX_KEY_SIZE_PROP
        System property used to configure the value for the maximum supported Diffie-Hellman Group Exchange key size. If not set, then an internal auto-discovery mechanism is employed. If set to negative value then Diffie-Hellman Group Exchange is disabled. If set to a negative value then Diffie-Hellman Group Exchange is disabled
        See Also:
        Constant Field Values

      • MIN_DHGEX_KEY_SIZE

        public static final int MIN_DHGEX_KEY_SIZE
        The min. key size value used for testing whether Diffie-Hellman Group Exchange is supported or not. According to RFC 4419 section 3: Servers and clients SHOULD support groups with a modulus length of k bits, where 1024 <= k <= 8192. Note: this has been amended by RFC 8270
        See Also:
        Constant Field Values

      • PREFERRED_DHGEX_KEY_SIZE

        public static final int PREFERRED_DHGEX_KEY_SIZE
        See Also:
        Constant Field Values

      • DEFAULT_SECURITY_PROVIDER_REGISTRARS

        public static final java.util.List<java.lang.String> DEFAULT_SECURITY_PROVIDER_REGISTRARS

      • REGISTER_BOUNCY_CASTLE_PROP

        @Deprecated
public static final java.lang.String REGISTER_BOUNCY_CASTLE_PROP
        Deprecated.
        Please use "org.apache.sshd.security.provider.BC.enabled"
        System property used to control whether to automatically register the Bouncyastle JCE provider
        See Also:
        Constant Field Values

      • ECC_SUPPORTED_PROP

        public static final java.lang.String ECC_SUPPORTED_PROP
        System property used to control whether Elliptic Curves are supported or not. If not set then the support is auto-detected. Note: if set to true it is up to the user to make sure that indeed there is a provider for them
        See Also:
        Constant Field Values

      • EDDSA_SUPPORTED_PROP

        @Deprecated
public static final java.lang.String EDDSA_SUPPORTED_PROP
        Deprecated.
        Please use "org.apache.sshd.security.provider.EdDSA.enabled&qupt;
        System property used to decide whether EDDSA curves are supported or not (in addition or even in spite of isEDDSACurveSupported()). If not set or set to true, then the existence of the optional support classes determines the support.
        See Also:
        Constant Field Values

      • PROP_DEFAULT_SECURITY_PROVIDER

        public static final java.lang.String PROP_DEFAULT_SECURITY_PROVIDER
        See Also:
        Constant Field Values

      • FIPS_ENABLED

        public static final java.lang.String FIPS_ENABLED
        A boolean system property that can be set to "true" to enable FIPS mode. In FIPS mode, crypto-algorithms not approved in FIPS-140 will not be available.

        Note: if this system property is not "true", it can be overridden via setFipsMode().

        See Also:
        Constant Field Values

      • MIN_DHG_KEY_SIZE_HOLDER

        private static final java.util.concurrent.atomic.AtomicInteger MIN_DHG_KEY_SIZE_HOLDER

      • MAX_DHG_KEY_SIZE_HOLDER

        private static final java.util.concurrent.atomic.AtomicInteger MAX_DHG_KEY_SIZE_HOLDER

      • REGISTERED_PROVIDERS

        private static final java.util.Map<java.lang.String,​SecurityProviderRegistrar> REGISTERED_PROVIDERS

      • KEYPAIRS_PARSER_HODLER

        private static final java.util.concurrent.atomic.AtomicReference<KeyPairResourceParser> KEYPAIRS_PARSER_HODLER

      • APRIORI_DISABLED_PROVIDERS

        private static final java.util.Set<java.lang.String> APRIORI_DISABLED_PROVIDERS

      • REGISTRATION_STATE_HOLDER

        private static final java.util.concurrent.atomic.AtomicBoolean REGISTRATION_STATE_HOLDER

      • SECURITY_ENTITY_FACTORIES

        private static final java.util.Map<java.lang.Class<?>,​java.util.Map<java.lang.String,​SecurityEntityFactory<?>>> SECURITY_ENTITY_FACTORIES

      • DEFAULT_PROVIDER_HOLDER

        private static final java.util.concurrent.atomic.AtomicReference<SecurityProviderChoice> DEFAULT_PROVIDER_HOLDER

      • FIPS_MODE

        private static final java.util.concurrent.atomic.AtomicReference<java.lang.Boolean> FIPS_MODE

      • hasEcc

        private static java.lang.Boolean hasEcc

    • Constructor Detail

      • SecurityUtils

        private SecurityUtils()

    • Method Detail

      • setFipsMode

        public static void setFipsMode()
        Unconditionally set FIPS mode, overriding the FIPS_ENABLED system property.
        Throws:
        java.lang.IllegalStateException - if a call to isFipsMode() had already occurred and returned false.

      • isFipsMode

        public static boolean isFipsMode()
        Tells whether FIPS mode is enabled, either through the system property FIPS_ENABLED or via setFipsMode().
        Returns:
        true if FIPS mode is enabled, false otherwise.

      • isAPrioriDisabledProvider

        public static boolean isAPrioriDisabledProvider​(java.lang.String name)
        Parameters:
        name - The provider's name - never null/empty
        Returns:
        true if the provider is marked as disabled a-priori
        See Also:
        setAPrioriDisabledProvider(String, boolean)

      • setAPrioriDisabledProvider

        public static void setAPrioriDisabledProvider​(java.lang.String name,
                                              boolean disabled)
        Marks a provider's registrar as "a-priori" programatically so that when its SecurityProviderRegistrar.isEnabled() is eventually consulted it will return false regardless of the configured value for the specific provider registrar instance. Note: has no effect if the provider has already been registered.
        Parameters:
        name - The provider's name - never null/empty
        disabled - true whether to disable it a-priori
        See Also:
        isAPrioriDisabledProvider(String)

      • getAPrioriDisabledProviders

        public static java.util.Set<java.lang.String> getAPrioriDisabledProviders()
        Returns:
        A copy if the current a-priori disabled providers names

      • isECCSupported

        public static boolean isECCSupported()
        Returns:
        true if Elliptic Curve Cryptography is supported
        See Also:
        ECC_SUPPORTED_PROP

      • isDHOakelyGroupSupported

        public static boolean isDHOakelyGroupSupported​(int keySize)
        Parameters:
        keySize - The expected key size
        Returns:
        true if Oakely Diffie-Hellman Group Exchange is supported for the specified key size
        See Also:
        isDHGroupExchangeSupported(), getMaxDHGroupExchangeKeySize()

      • getMinDHGroupExchangeKeySize

        public static int getMinDHGroupExchangeKeySize()
        Returns:
        The minimum supported Diffie-Hellman Group Exchange key size, or non-positive if not supported

      • setMinDHGroupExchangeKeySize

        public static void setMinDHGroupExchangeKeySize​(int keySize)
        Set programmatically the reported value for getMinDHGroupExchangeKeySize()
        Parameters:
        keySize - The reported key size - if zero, then it will be auto-detected, if negative then DH group exchange will be disabled

      • getMaxDHGroupExchangeKeySize

        public static int getMaxDHGroupExchangeKeySize()
        Returns:
        The maximum supported Diffie-Hellman Group Exchange key size, or non-positive if not supported

      • setMaxDHGroupExchangeKeySize

        public static void setMaxDHGroupExchangeKeySize​(int keySize)
        Set programmatically the reported value for getMaxDHGroupExchangeKeySize()
        Parameters:
        keySize - The reported key size - if zero, then it will be auto-detected, if negative then DH group exchange will be disabled

      • resolveDHGEXKeySizeValue

        private static int resolveDHGEXKeySizeValue​(java.util.concurrent.atomic.AtomicInteger holder,
                                            java.lang.String propName,
                                            int maxKeySize)

      • isDHGroupExchangeSupported

        public static boolean isDHGroupExchangeSupported​(int maxKeySize)

      • getRegisteredProviders

        public static java.util.Set<java.lang.String> getRegisteredProviders()
        Returns:
        A copy of the currently registered security providers

      • isBouncyCastleRegistered

        public static boolean isBouncyCastleRegistered()

      • isProviderRegistered

        public static boolean isProviderRegistered​(java.lang.String provider)

      • isRegistrationCompleted

        public static boolean isRegistrationCompleted()

      • register

        private static void register()

      • registerSecurityProvider

        public static SecurityProviderRegistrar registerSecurityProvider​(SecurityProviderRegistrar registrar)
        Parameters:
        registrar - The registrar instance to register
        Returns:
        The registered instance - may be different than required if already registered. Returns null if not already registered and not enabled or not supported registrar.

      • loadKeyPairIdentities

        public static java.lang.Iterable<java.security.KeyPair> loadKeyPairIdentities​(SessionContext session,
                                                                              NamedResource resourceKey,
                                                                              java.io.InputStream inputStream,
                                                                              FilePasswordProvider provider)
                                                                       throws java.io.IOException,
                                                                              java.security.GeneralSecurityException
        Parameters:
        session - The SessionContext for invoking this load command - may be null if not invoked within a session context (e.g., offline tool).
        resourceKey - An identifier of the key being loaded - used as argument to the FilePasswordProvider#getPassword invocation
        inputStream - The InputStream for the private key
        provider - A FilePasswordProvider - may be null if the loaded key is guaranteed not to be encrypted
        Returns:
        The loaded KeyPair-s - or null if none loaded
        Throws:
        java.io.IOException - If failed to read/parse the input stream
        java.security.GeneralSecurityException - If failed to generate the keys

      • getBouncycastleKeyPairResourceParser

        public static KeyPairResourceParser getBouncycastleKeyPairResourceParser()

      • getBouncycastleEncryptedPrivateKeyInfoDecryptor

        public static Decryptor getBouncycastleEncryptedPrivateKeyInfoDecryptor()

      • isEDDSACurveSupported

        public static boolean isEDDSACurveSupported()
        Returns:
        true if EDDSA curves (e.g., ed25519) are supported

      • isNetI2pCryptoEdDSARegistered

        public static boolean isNetI2pCryptoEdDSARegistered()

      • getEdDSASupport

        public static java.util.Optional<EdDSASupport<?,​?>> getEdDSASupport()

      • getEDDSAPublicKeyEntryDecoder

        public static PublicKeyEntryDecoder<? extends java.security.PublicKey,​? extends java.security.PrivateKey> getEDDSAPublicKeyEntryDecoder()

      • getOpenSSHEDDSAPrivateKeyEntryDecoder

        public static PrivateKeyEntryDecoder<? extends java.security.PublicKey,​? extends java.security.PrivateKey> getOpenSSHEDDSAPrivateKeyEntryDecoder()

      • getEDDSASigner

        public static Signature getEDDSASigner()

      • getEDDSAKeySize

        public static int getEDDSAKeySize​(java.security.Key key)

      • getEDDSAPublicKeyType

        public static java.lang.Class<? extends java.security.PublicKey> getEDDSAPublicKeyType()

      • getEDDSAPrivateKeyType

        public static java.lang.Class<? extends java.security.PrivateKey> getEDDSAPrivateKeyType()

      • compareEDDSAPPublicKeys

        public static boolean compareEDDSAPPublicKeys​(java.security.PublicKey k1,
                                              java.security.PublicKey k2)

      • compareEDDSAPrivateKeys

        public static boolean compareEDDSAPrivateKeys​(java.security.PrivateKey k1,
                                              java.security.PrivateKey k2)

      • recoverEDDSAPublicKey

        public static java.security.PublicKey recoverEDDSAPublicKey​(java.security.PrivateKey key)
                                                     throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • generateEDDSAPublicKey

        public static java.security.PublicKey generateEDDSAPublicKey​(java.lang.String keyType,
                                                             byte[] seed)
                                                      throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • generateEDDSAPrivateKey

        public static java.security.PrivateKey generateEDDSAPrivateKey​(java.lang.String keyType,
                                                               byte[] seed)
                                                        throws java.security.GeneralSecurityException,
                                                               java.io.IOException
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException

      • putRawEDDSAPublicKey

        public static <B extends Buffer> B putRawEDDSAPublicKey​(B buffer,
                                                        java.security.PublicKey key)

      • putEDDSAKeyPair

        public static <B extends Buffer> B putEDDSAKeyPair​(B buffer,
                                                   java.security.KeyPair kp)

      • putEDDSAKeyPair

        public static <B extends Buffer> B putEDDSAKeyPair​(B buffer,
                                                   java.security.PublicKey pubKey,
                                                   java.security.PrivateKey prvKey)

      • extractEDDSAKeyPair

        public static java.security.KeyPair extractEDDSAKeyPair​(Buffer buffer,
                                                        java.lang.String keyType)
                                                 throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • setKeyPairResourceParser

        public static void setKeyPairResourceParser​(KeyPairResourceParser parser)
        Parameters:
        parser - The system-wide KeyPairResourceParser to use. If set to null, then the default parser will be re-constructed on next call to getKeyPairResourceParser()

      • resolveSecurityEntityFactory

        public static <T> SecurityEntityFactory<T> resolveSecurityEntityFactory​(java.lang.Class<T> entityType,
                                                                        java.lang.String algorithm,
                                                                        java.util.function.Predicate<? super SecurityProviderRegistrar> entitySelector)

      • getKeyFactory

        public static java.security.KeyFactory getKeyFactory​(java.lang.String algorithm)
                                              throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • getCipher

        public static javax.crypto.Cipher getCipher​(java.lang.String transformation)
                                     throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • getMessageDigest

        public static java.security.MessageDigest getMessageDigest​(java.lang.String algorithm)
                                                    throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • getKeyPairGenerator

        public static java.security.KeyPairGenerator getKeyPairGenerator​(java.lang.String algorithm)
                                                          throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • getKeyAgreement

        public static javax.crypto.KeyAgreement getKeyAgreement​(java.lang.String algorithm)
                                                 throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • getMac

        public static javax.crypto.Mac getMac​(java.lang.String algorithm)
                               throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • getSignature

        public static java.security.Signature getSignature​(java.lang.String algorithm)
                                            throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • getCertificateFactory

        public static java.security.cert.CertificateFactory getCertificateFactory​(java.lang.String type)
                                                                   throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException