Package org.apache.sshd.common.util.security

Class SecurityUtils

java.lang.Object

org.apache.sshd.common.util.security.SecurityUtils

public final class SecurityUtils
extends Object

Specific security providers related code

Author:

Apache MINA SSHD Project

Field Summary

Fields

Modifier and Type	Field	Description
static String	BOUNCY_CASTLE	Bouncycastle JCE provider name
static String	CURVE_ED25519_SHA512
static List<String>	DEFAULT_SECURITY_PROVIDER_REGISTRARS
static String	ECC_SUPPORTED_PROP	System property used to control whether Elliptic Curves are supported or not.
static String	EDDSA	EDDSA support - should match EdDSAKey.KEY_ALGORITHM
static String	EDDSA_SUPPORTED_PROP	Deprecated. Please use "org.apache.sshd.security.provider.EdDSA.enabled&qupt;
static int	MAX_DHGEX_KEY_SIZE
static String	MAX_DHGEX_KEY_SIZE_PROP	System property used to configure the value for the maximum supported Diffie-Hellman Group Exchange key size.
static int	MIN_DHGEX_KEY_SIZE	The min.
static String	MIN_DHGEX_KEY_SIZE_PROP	System property used to configure the value for the minimum supported Diffie-Hellman Group Exchange key size.
static int	PREFERRED_DHGEX_KEY_SIZE
static String	PROP_DEFAULT_SECURITY_PROVIDER
static String	REGISTER_BOUNCY_CASTLE_PROP	Deprecated. Please use "org.apache.sshd.security.provider.BC.enabled"
static String	SECURITY_PROVIDER_REGISTRARS	Comma separated list of fully qualified SecurityProviderRegistrars to automatically register

Method Summary

Modifier and Type	Method	Description
static boolean	compareEDDSAPPublicKeys(PublicKey k1, PublicKey k2)
static boolean	compareEDDSAPrivateKeys(PrivateKey k1, PrivateKey k2)
static AbstractGeneratorHostKeyProvider	createGeneratorHostKeyProvider(Path path)
static <T> SecurityEntityFactory<T>	createSecurityEntityFactory(Class<T> entityType, Predicate<? super SecurityProviderRegistrar> entitySelector)
static KeyPair	extractEDDSAKeyPair(Buffer buffer, String keyType)
static PublicKey	generateEDDSAPublicKey(String keyType, byte[] seed)
static Set<String>	getAPrioriDisabledProviders()
static KeyPairResourceParser	getBouncycastleKeyPairResourceParser()
static CertificateFactory	getCertificateFactory(String type)
static Cipher	getCipher(String transformation)
static SecurityProviderChoice	getDefaultProviderChoice()
static int	getEDDSAKeySize(Key key)
static Class<? extends PrivateKey>	getEDDSAPrivateKeyType()
static PublicKeyEntryDecoder<? extends PublicKey,? extends PrivateKey>	getEDDSAPublicKeyEntryDecoder()
static Class<? extends PublicKey>	getEDDSAPublicKeyType()
static Signature	getEDDSASigner()
static KeyAgreement	getKeyAgreement(String algorithm)
static KeyFactory	getKeyFactory(String algorithm)
static KeyPairGenerator	getKeyPairGenerator(String algorithm)
static KeyPairResourceParser	getKeyPairResourceParser()
static Mac	getMac(String algorithm)
static int	getMaxDHGroupExchangeKeySize()
static MessageDigest	getMessageDigest(String algorithm)
static int	getMinDHGroupExchangeKeySize()
static PrivateKeyEntryDecoder<? extends PublicKey,? extends PrivateKey>	getOpenSSHEDDSAPrivateKeyEntryDecoder()
static RandomFactory	getRandomFactory()
static SecurityProviderRegistrar	getRegisteredProvider(String provider)
static Set<String>	getRegisteredProviders()
static Signature	getSignature(String algorithm)
static boolean	isAPrioriDisabledProvider(String name)
static boolean	isBouncyCastleRegistered()
static boolean	isDHGroupExchangeSupported()
static boolean	isDHGroupExchangeSupported(int maxKeySize)
static boolean	isDHOakelyGroupSupported(int keySize)
static boolean	isECCSupported()
static boolean	isEDDSACurveSupported()
static boolean	isProviderRegistered(String provider)
static boolean	isRegistrationCompleted()
static Iterable<KeyPair>	loadKeyPairIdentities(SessionContext session, NamedResource resourceKey, InputStream inputStream, FilePasswordProvider provider)
static <B extends Buffer> B	putEDDSAKeyPair(B buffer, KeyPair kp)
static <B extends Buffer> B	putEDDSAKeyPair(B buffer, PublicKey pubKey, PrivateKey prvKey)
static <B extends Buffer> B	putRawEDDSAPublicKey(B buffer, PublicKey key)
static PublicKey	recoverEDDSAPublicKey(PrivateKey key)
static SecurityProviderRegistrar	registerSecurityProvider(SecurityProviderRegistrar registrar)
static <T> SecurityEntityFactory<T>	resolveSecurityEntityFactory(Class<T> entityType, String algorithm, Predicate<? super SecurityProviderRegistrar> entitySelector)
static void	setAPrioriDisabledProvider(String name, boolean disabled)	Marks a provider's registrar as "a-priori" programatically so that when its SecurityProviderRegistrar.isEnabled() is eventually consulted it will return false regardless of the configured value for the specific provider registrar instance.
static void	setDefaultProviderChoice(SecurityProviderChoice choice)
static void	setKeyPairResourceParser(KeyPairResourceParser parser)
static void	setMaxDHGroupExchangeKeySize(int keySize)	Set programmatically the reported value for getMaxDHGroupExchangeKeySize()
static void	setMinDHGroupExchangeKeySize(int keySize)	Set programmatically the reported value for getMinDHGroupExchangeKeySize()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

BOUNCY_CASTLE

public static final String BOUNCY_CASTLE

Bouncycastle JCE provider name

See Also:

Constant Field Values

EDDSA

public static final String EDDSA

EDDSA support - should match EdDSAKey.KEY_ALGORITHM

See Also:

Constant Field Values

CURVE_ED25519_SHA512

public static final String CURVE_ED25519_SHA512

See Also:

Constant Field Values

MIN_DHGEX_KEY_SIZE_PROP

public static final String MIN_DHGEX_KEY_SIZE_PROP

System property used to configure the value for the minimum supported Diffie-Hellman Group Exchange key size. If not set, then an internal auto-discovery mechanism is employed. If set to negative value then Diffie-Hellman Group Exchange is disabled. If set to a negative value then Diffie-Hellman Group Exchange is disabled

See Also:

Constant Field Values

MAX_DHGEX_KEY_SIZE_PROP

public static final String MAX_DHGEX_KEY_SIZE_PROP

System property used to configure the value for the maximum supported Diffie-Hellman Group Exchange key size. If not set, then an internal auto-discovery mechanism is employed. If set to negative value then Diffie-Hellman Group Exchange is disabled. If set to a negative value then Diffie-Hellman Group Exchange is disabled

See Also:

Constant Field Values

MIN_DHGEX_KEY_SIZE

public static final int MIN_DHGEX_KEY_SIZE

The min. key size value used for testing whether Diffie-Hellman Group Exchange is supported or not. According to RFC 4419 section 3: "Servers and clients SHOULD support groups with a modulus length of k bits, where 1024 <= k <= 8192". Note: this has been amended by RFC 8270

See Also:

Constant Field Values

PREFERRED_DHGEX_KEY_SIZE

public static final int PREFERRED_DHGEX_KEY_SIZE

See Also:

Constant Field Values

MAX_DHGEX_KEY_SIZE

public static final int MAX_DHGEX_KEY_SIZE

See Also:

Constant Field Values

SECURITY_PROVIDER_REGISTRARS

public static final String SECURITY_PROVIDER_REGISTRARS

Comma separated list of fully qualified SecurityProviderRegistrars to automatically register

See Also:

Constant Field Values

DEFAULT_SECURITY_PROVIDER_REGISTRARS

public static final List<String> DEFAULT_SECURITY_PROVIDER_REGISTRARS

REGISTER_BOUNCY_CASTLE_PROP

@Deprecated
public static final String REGISTER_BOUNCY_CASTLE_PROP

Deprecated.

Please use "org.apache.sshd.security.provider.BC.enabled"

System property used to control whether to automatically register the Bouncyastle JCE provider

See Also:

Constant Field Values

ECC_SUPPORTED_PROP

public static final String ECC_SUPPORTED_PROP

System property used to control whether Elliptic Curves are supported or not. If not set then the support is auto-detected. Note: if set to true it is up to the user to make sure that indeed there is a provider for them

See Also:

Constant Field Values

EDDSA_SUPPORTED_PROP

@Deprecated
public static final String EDDSA_SUPPORTED_PROP

Deprecated.

Please use "org.apache.sshd.security.provider.EdDSA.enabled&qupt;

System property used to decide whether EDDSA curves are supported or not (in addition or even in spite of isEDDSACurveSupported()). If not set or set to true, then the existence of the optional support classes determines the support.

See Also:

Constant Field Values

PROP_DEFAULT_SECURITY_PROVIDER

public static final String PROP_DEFAULT_SECURITY_PROVIDER

See Also:

Constant Field Values

Method Detail

isAPrioriDisabledProvider

public static boolean isAPrioriDisabledProvider(String name)

Parameters:

name - The provider's name - never null/empty

Returns:

true if the provider is marked as disabled a-priori

See Also:

setAPrioriDisabledProvider(String, boolean)

setAPrioriDisabledProvider

public static void setAPrioriDisabledProvider(String name,
                                              boolean disabled)

Marks a provider's registrar as "a-priori" programatically so that when its SecurityProviderRegistrar.isEnabled() is eventually consulted it will return false regardless of the configured value for the specific provider registrar instance. Note: has no effect if the provider has already been registered.

Parameters:

name - The provider's name - never null/empty

disabled - true whether to disable it a-priori

See Also:

isAPrioriDisabledProvider(String)

getAPrioriDisabledProviders

public static Set<String> getAPrioriDisabledProviders()

Returns:

A copy if the current a-priori disabled providers names

isECCSupported

public static boolean isECCSupported()

Returns:

true if Elliptic Curve Cryptography is supported

See Also:

ECC_SUPPORTED_PROP

isDHGroupExchangeSupported

public static boolean isDHGroupExchangeSupported()

Returns:

true if Diffie-Hellman Group Exchange is supported

See Also:

getMinDHGroupExchangeKeySize(), getMaxDHGroupExchangeKeySize()

isDHOakelyGroupSupported

public static boolean isDHOakelyGroupSupported(int keySize)

Parameters:

keySize - The expected key size

Returns:

true if Oakely Diffie-Hellman Group Exchange is supported for the specified key size

See Also:

isDHGroupExchangeSupported(), getMaxDHGroupExchangeKeySize()

getMinDHGroupExchangeKeySize

public static int getMinDHGroupExchangeKeySize()

Returns:

The minimum supported Diffie-Hellman Group Exchange key size, or non-positive if not supported

setMinDHGroupExchangeKeySize

public static void setMinDHGroupExchangeKeySize(int keySize)

Set programmatically the reported value for getMinDHGroupExchangeKeySize()

Parameters:

keySize - The reported key size - if zero, then it will be auto-detected, if negative then DH group exchange will be disabled

getMaxDHGroupExchangeKeySize

public static int getMaxDHGroupExchangeKeySize()

Returns:

The maximum supported Diffie-Hellman Group Exchange key size, or non-positive if not supported

setMaxDHGroupExchangeKeySize

public static void setMaxDHGroupExchangeKeySize(int keySize)

Set programmatically the reported value for getMaxDHGroupExchangeKeySize()

Parameters:

keySize - The reported key size - if zero, then it will be auto-detected, if negative then DH group exchange will be disabled

isDHGroupExchangeSupported

public static boolean isDHGroupExchangeSupported(int maxKeySize)

getDefaultProviderChoice

public static SecurityProviderChoice getDefaultProviderChoice()

setDefaultProviderChoice

public static void setDefaultProviderChoice(SecurityProviderChoice choice)

getRegisteredProviders

public static Set<String> getRegisteredProviders()

Returns:

A copy of the currently registered security providers

isBouncyCastleRegistered

public static boolean isBouncyCastleRegistered()

isProviderRegistered

public static boolean isProviderRegistered(String provider)

getRegisteredProvider

public static SecurityProviderRegistrar getRegisteredProvider(String provider)

isRegistrationCompleted

public static boolean isRegistrationCompleted()

registerSecurityProvider

public static SecurityProviderRegistrar registerSecurityProvider(SecurityProviderRegistrar registrar)

Parameters:

registrar - The registrar instance to register

Returns:

The registered instance - may be different than required if already registered. Returns null if not already registered and not enabled or not supported registrar.

loadKeyPairIdentities

public static Iterable<KeyPair> loadKeyPairIdentities(SessionContext session,
                                                      NamedResource resourceKey,
                                                      InputStream inputStream,
                                                      FilePasswordProvider provider)
                                               throws IOException,
                                                      GeneralSecurityException

Parameters:

session - The SessionContext for invoking this load command - may be null if not invoked within a session context (e.g., offline tool).

resourceKey - An identifier of the key being loaded - used as argument to the FilePasswordProvider#getPassword invocation

inputStream - The InputStream for the private key

provider - A FilePasswordProvider - may be null if the loaded key is guaranteed not to be encrypted

Returns:

The loaded KeyPair-s - or null if none loaded

Throws:

IOException - If failed to read/parse the input stream

GeneralSecurityException - If failed to generate the keys

createGeneratorHostKeyProvider

public static AbstractGeneratorHostKeyProvider createGeneratorHostKeyProvider(Path path)

getBouncycastleKeyPairResourceParser

public static KeyPairResourceParser getBouncycastleKeyPairResourceParser()

getRandomFactory

public static RandomFactory getRandomFactory()

Returns:

If isBouncyCastleRegistered() then a BouncyCastleRandomFactory instance, otherwise a JceRandomFactory one

isEDDSACurveSupported

public static boolean isEDDSACurveSupported()

Returns:

true if EDDSA curves (e.g., ed25519) are supported

getEDDSAPublicKeyEntryDecoder

public static PublicKeyEntryDecoder<? extends PublicKey,? extends PrivateKey> getEDDSAPublicKeyEntryDecoder()

getOpenSSHEDDSAPrivateKeyEntryDecoder

public static PrivateKeyEntryDecoder<? extends PublicKey,? extends PrivateKey> getOpenSSHEDDSAPrivateKeyEntryDecoder()

getEDDSASigner

public static Signature getEDDSASigner()

getEDDSAKeySize

public static int getEDDSAKeySize(Key key)

getEDDSAPublicKeyType

public static Class<? extends PublicKey> getEDDSAPublicKeyType()

getEDDSAPrivateKeyType

public static Class<? extends PrivateKey> getEDDSAPrivateKeyType()

compareEDDSAPPublicKeys

public static boolean compareEDDSAPPublicKeys(PublicKey k1,
                                              PublicKey k2)

compareEDDSAPrivateKeys

public static boolean compareEDDSAPrivateKeys(PrivateKey k1,
                                              PrivateKey k2)

recoverEDDSAPublicKey

public static PublicKey recoverEDDSAPublicKey(PrivateKey key)
                                       throws GeneralSecurityException

Throws:

GeneralSecurityException

generateEDDSAPublicKey

public static PublicKey generateEDDSAPublicKey(String keyType,
                                               byte[] seed)
                                        throws GeneralSecurityException

Throws:

GeneralSecurityException

putRawEDDSAPublicKey

public static <B extends Buffer> B putRawEDDSAPublicKey(B buffer,
                                                        PublicKey key)

putEDDSAKeyPair

public static <B extends Buffer> B putEDDSAKeyPair(B buffer,
                                                   KeyPair kp)

putEDDSAKeyPair

public static <B extends Buffer> B putEDDSAKeyPair(B buffer,
                                                   PublicKey pubKey,
                                                   PrivateKey prvKey)

extractEDDSAKeyPair

public static KeyPair extractEDDSAKeyPair(Buffer buffer,
                                          String keyType)
                                   throws GeneralSecurityException

Throws:

GeneralSecurityException

getKeyPairResourceParser

public static KeyPairResourceParser getKeyPairResourceParser()

setKeyPairResourceParser

public static void setKeyPairResourceParser(KeyPairResourceParser parser)

Parameters:

parser - The system-wide KeyPairResourceParser to use. If set to null, then the default parser will be re-constructed on next call to getKeyPairResourceParser()

resolveSecurityEntityFactory

public static <T> SecurityEntityFactory<T> resolveSecurityEntityFactory(Class<T> entityType,
                                                                        String algorithm,
                                                                        Predicate<? super SecurityProviderRegistrar> entitySelector)

createSecurityEntityFactory

public static <T> SecurityEntityFactory<T> createSecurityEntityFactory(Class<T> entityType,
                                                                       Predicate<? super SecurityProviderRegistrar> entitySelector)

getKeyFactory

public static KeyFactory getKeyFactory(String algorithm)
                                throws GeneralSecurityException

Throws:

GeneralSecurityException

getCipher

public static Cipher getCipher(String transformation)
                        throws GeneralSecurityException

Throws:

GeneralSecurityException

getMessageDigest

public static MessageDigest getMessageDigest(String algorithm)
                                      throws GeneralSecurityException

Throws:

GeneralSecurityException

getKeyPairGenerator

public static KeyPairGenerator getKeyPairGenerator(String algorithm)
                                            throws GeneralSecurityException

Throws:

GeneralSecurityException

getKeyAgreement

public static KeyAgreement getKeyAgreement(String algorithm)
                                    throws GeneralSecurityException

Throws:

GeneralSecurityException

getMac

public static Mac getMac(String algorithm)
                  throws GeneralSecurityException

Throws:

GeneralSecurityException

getSignature

public static Signature getSignature(String algorithm)
                              throws GeneralSecurityException

Throws:

GeneralSecurityException

getCertificateFactory

public static CertificateFactory getCertificateFactory(String type)
                                                throws GeneralSecurityException

Throws:

GeneralSecurityException