Package org.h2.security
Class CipherFactory
java.lang.Object
  org.h2.security.CipherFactory

public class CipherFactory extends java.lang.Object

A factory to create new block cipher objects.

Field Summary

static java.lang.String DEFAULT_LEGACY_ALGORITHMS
    The value of the "jdk.tls.legacyAlgorithms" security property at the time of class initialization.
private static java.lang.String KEYSTORE
private static java.lang.String KEYSTORE_KEY
static java.lang.String KEYSTORE_PASSWORD
    The default password to use for the .h2.keystore file.
private static java.lang.String KEYSTORE_PASSWORD_KEY
static java.lang.String LEGACY_ALGORITHMS_SECURITY_KEY
    The security property which can prevent anonymous TLS connections.

Constructor Summary

private CipherFactory()

Method Summary

static java.net.ServerSocket createServerSocket(int port, java.net.InetAddress bindAddress)
    Create a secure server socket.
static java.net.Socket createSocket(java.net.InetAddress address, int port)
    Create a secure client socket that is connected to the given address and port.
private static java.lang.String[] disableSSL(java.lang.String[] enabled)
private static java.lang.String[] enableAnonymous(java.lang.String[] enabled, java.lang.String[] supported)
static BlockCipher getBlockCipher(java.lang.String algorithm)
    Get a new block cipher object for the given algorithm.
static java.security.KeyStore getKeyStore(java.lang.String password)
    Get the keystore object using the given password.
private static byte[] getKeyStoreBytes(java.security.KeyStore store, java.lang.String password)
static java.lang.String getLegacyAlgorithmsSilently()
    Returns the security property "jdk.tls.legacyAlgorithms".
static void removeAnonFromLegacyAlgorithms()
    Attempts to weaken the security properties to allow anonymous TLS.
static java.lang.String removeDhAnonFromCommaSeparatedList(java.lang.String list)
    Removes DH_anon and ECDH_anon from a comma separated list of ciphers.
static void resetDefaultLegacyAlgorithms()
    Attempts to reset the security property to the default value.
private static void setKeystore()
private static void setLegacyAlgorithmsSilently(java.lang.String legacyAlgorithms)

Field Detail

KEYSTORE_PASSWORD
public static final java.lang.String KEYSTORE_PASSWORD
The default password to use for the .h2.keystore file.
See Also: Constant Field Values

LEGACY_ALGORITHMS_SECURITY_KEY
public static final java.lang.String LEGACY_ALGORITHMS_SECURITY_KEY
The security property which can prevent anonymous TLS connections. Introduced into Java 6, 7 and 8 in updates from July 2015.
See Also: Constant Field Values

DEFAULT_LEGACY_ALGORITHMS
public static final java.lang.String DEFAULT_LEGACY_ALGORITHMS
The value of the "jdk.tls.legacyAlgorithms" security property at the time of class initialization. Null if it is not set.

KEYSTORE
private static final java.lang.String KEYSTORE
See Also: Constant Field Values

KEYSTORE_KEY
private static final java.lang.String KEYSTORE_KEY
See Also: Constant Field Values

KEYSTORE_PASSWORD_KEY
private static final java.lang.String KEYSTORE_PASSWORD_KEY
See Also: Constant Field Values

Method Detail

getBlockCipher
public static BlockCipher getBlockCipher(java.lang.String algorithm)
Get a new block cipher object for the given algorithm.
Parameters:
    algorithm - the algorithm
Returns:
    a new cipher object
createSocket
public static java.net.Socket createSocket(java.net.InetAddress address, int port) throws java.io.IOException
Create a secure client socket that is connected to the given address and port.
Parameters:
    address - the address to connect to
    port - the port
Returns:
    the socket
Throws:
    java.io.IOException - on failure
createServerSocket
public static java.net.ServerSocket createServerSocket(int port, java.net.InetAddress bindAddress) throws java.io.IOException
Create a secure server socket. If a bind address is specified, the socket is only bound to this address. If h2.enableAnonymousTLS is true, an attempt is made to modify the security property jdk.tls.legacyAlgorithms (in newer JVMs) to allow anonymous TLS. This system change is effectively permanent for the lifetime of the JVM.
Parameters:
    port - the port to listen on
    bindAddress - the address to bind to, or null to bind to all addresses
Returns:
    the server socket
Throws:
    java.io.IOException - on failure
See Also:
    removeAnonFromLegacyAlgorithms()
removeDhAnonFromCommaSeparatedList
public static java.lang.String removeDhAnonFromCommaSeparatedList(java.lang.String list)
Removes DH_anon and ECDH_anon from a comma separated list of ciphers. Only the first occurrence is removed. If there is nothing to remove, returns the reference to the argument.
Parameters:
    list - a list of names separated by commas (and spaces)
Returns:
    a new string without the DH_anon and ECDH_anon items, or the original if none were found
removeAnonFromLegacyAlgorithms
public static void removeAnonFromLegacyAlgorithms()
Attempts to weaken the security properties to allow anonymous TLS. Newer JREs will not choose an anonymous cipher suite in a TLS handshake unless the server-side security property "jdk.tls.legacyAlgorithms" has been modified from its default value.
NOTE: In current (as of 2016) default implementations of JSSE which use this security property, the value is permanently cached inside the ServerHandshake class upon its first use. Therefore the modification accomplished by this method has to be done before the first use of a server SSL socket. Later changes to this property will not have any effect on server socket behavior.
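As an added audit example (not H2 code), the check below reads "jdk.tls.legacyAlgorithms" and the enabled suites of a server socket to detect whether the weakening described for createServerSocket and removeAnonFromLegacyAlgorithms has taken effect in this JVM; this matters because anonymous suites perform no server authentication. The class name AnonTlsAudit, the helper names and the use of a default socket in main are assumptions.

```java
import java.io.IOException;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/** Added audit helper (not part of H2): reports whether anonymous TLS has been enabled. */
public final class AnonTlsAudit {
    static final String LEGACY_KEY = "jdk.tls.legacyAlgorithms";

    /** Splits a comma (and space) separated property value into trimmed items. */
    static List<String> parseList(String list) {
        List<String> items = new ArrayList<>();
        if (list == null) return items;
        for (String s : list.split(",")) {
            if (!s.trim().isEmpty()) items.add(s.trim());
        }
        return items;
    }

    /** True while both anonymous key-exchange families are still listed as legacy. */
    static boolean anonStillLegacy(String legacyAlgorithms) {
        List<String> items = parseList(legacyAlgorithms);
        return items.contains("DH_anon") && items.contains("ECDH_anon");
    }

    /** Enabled suites on the given server socket that use anonymous key exchange. */
    static List<String> anonSuitesEnabled(SSLServerSocket ss) {
        List<String> found = new ArrayList<>();
        for (String suite : ss.getEnabledCipherSuites()) {
            if (suite.contains("_anon_")) found.add(suite);
        }
        return found;
    }

    public static void main(String[] args) throws IOException {
        String legacy = Security.getProperty(LEGACY_KEY);
        System.out.println(LEGACY_KEY + " = " + legacy);
        System.out.println("DH_anon and ECDH_anon still legacy: " + anonStillLegacy(legacy));
        // For an H2 listener, pass the socket returned by CipherFactory.createServerSocket(...)
        // (cast to SSLServerSocket) instead of this default one; port 0 picks a free port.
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(0)) {
            System.out.println("anonymous suites enabled on socket: " + anonSuitesEnabled(ss));
        }
    }
}
```

Run it before the first server SSL socket is used and again afterwards: because the property value is cached on first use, only the socket-level check reflects what a live listener will actually negotiate.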
-
resetDefaultLegacyAlgorithms
public static void resetDefaultLegacyAlgorithms()
Attempts to reset the security property to the default value. The default value of "jdk.tls.legacyAlgorithms" was obtained at the time of class initialization.
NOTE: Resetting the property might not have any effect on server socket behavior.
See Also:
    removeAnonFromLegacyAlgorithms()
-
getLegacyAlgorithmsSilently
public static java.lang.String getLegacyAlgorithmsSilently()
Returns the security property "jdk.tls.legacyAlgorithms". Ignores security exceptions.
Returns:
    the value of the security property, or null if not set or not accessible
setLegacyAlgorithmsSilently
private static void setLegacyAlgorithmsSilently(java.lang.String legacyAlgorithms)

getKeyStoreBytes
private static byte[] getKeyStoreBytes(java.security.KeyStore store, java.lang.String password) throws java.io.IOException
Throws:
    java.io.IOException

getKeyStore
public static java.security.KeyStore getKeyStore(java.lang.String password) throws java.io.IOException
Get the keystore object using the given password.
Parameters:
    password - the keystore password
Returns:
    the keystore
Throws:
    java.io.IOException - on failure

setKeystore
private static void setKeystore() throws java.io.IOException
Throws:
    java.io.IOException

enableAnonymous
private static java.lang.String[] enableAnonymous(java.lang.String[] enabled, java.lang.String[] supported)

disableSSL
private static java.lang.String[] disableSSL(java.lang.String[] enabled)