Class SecurityUtils
java.lang.Object
org.apache.sshd.common.util.security.SecurityUtils
Code related to specific security providers
-
Field Summary
Fields

Modifier and Type / Field / Description
static final String BOUNCY_CASTLE
    Bouncycastle JCE provider name
static final String CURVE_ED25519_SHA512
private static final AtomicReference<SecurityProviderChoice> DEFAULT_PROVIDER_HOLDER
static final String ECC_SUPPORTED_PROP
    System property used to control whether Elliptic Curves are supported or not.
static final String EDDSA
    EDDSA support - should match EdDSAKey.KEY_ALGORITHM
static final String EDDSA_SUPPORTED_PROP
    Deprecated. Please use "org.apache.sshd.security.provider.EdDSA.enabled"
private static Boolean hasEcc
private static final AtomicReference<KeyPairResourceParser> KEYPAIRS_PARSER_HODLER
private static final AtomicInteger MAX_DHG_KEY_SIZE_HOLDER
static final int MAX_DHGEX_KEY_SIZE
static final String MAX_DHGEX_KEY_SIZE_PROP
    System property used to configure the value for the maximum supported Diffie-Hellman Group Exchange key size.
private static final AtomicInteger MIN_DHG_KEY_SIZE_HOLDER
static final int MIN_DHGEX_KEY_SIZE
    The min. key size value used for testing whether Diffie-Hellman Group Exchange is supported or not.
static final String MIN_DHGEX_KEY_SIZE_PROP
    System property used to configure the value for the minimum supported Diffie-Hellman Group Exchange key size.
static final int PREFERRED_DHGEX_KEY_SIZE
static final String PROP_DEFAULT_SECURITY_PROVIDER
static final String REGISTER_BOUNCY_CASTLE_PROP
    Deprecated. Please use "org.apache.sshd.security.provider.BC.enabled"
private static final Map<String, SecurityProviderRegistrar> REGISTERED_PROVIDERS
private static final AtomicBoolean REGISTRATION_STATE_HOLDER
private static final Map<Class<?>, Map<String, SecurityEntityFactory<?>>> SECURITY_ENTITY_FACTORIES
static final String SECURITY_PROVIDER_REGISTRARS
    Comma separated list of fully qualified SecurityProviderRegistrars to automatically register
-
Constructor Summary
Constructors -
Method Summary
Modifier and Type / Method / Description
static boolean compareEDDSAPPublicKeys
static boolean compareEDDSAPrivateKeys
static <T> SecurityEntityFactory<T> createSecurityEntityFactory(Class<T> entityType, Predicate<? super SecurityProviderRegistrar> entitySelector)
static KeyPair extractEDDSAKeyPair(Buffer buffer, String keyType)
static PublicKey generateEDDSAPublicKey(String keyType, byte[] seed)
static Decryptor getBouncycastleEncryptedPrivateKeyInfoDecryptor
static KeyPairResourceParser getBouncycastleKeyPairResourceParser
static CertificateFactory getCertificateFactory(String type)
static Cipher getCipher
static SecurityProviderChoice getDefaultProviderChoice
static int getEDDSAKeySize(Key key)
static Class<? extends PrivateKey> getEDDSAPrivateKeyType
static PublicKeyEntryDecoder<? extends PublicKey, ? extends PrivateKey> getEDDSAPublicKeyEntryDecoder()
static Signature getEDDSASigner
static KeyAgreement getKeyAgreement(String algorithm)
static KeyFactory getKeyFactory(String algorithm)
static KeyPairGenerator getKeyPairGenerator(String algorithm)
static KeyPairResourceParser getKeyPairResourceParser()
static Mac getMac
static int getMaxDHGroupExchangeKeySize()
static MessageDigest getMessageDigest(String algorithm)
static int getMinDHGroupExchangeKeySize()
static PrivateKeyEntryDecoder<? extends PublicKey, ? extends PrivateKey> getOpenSSHEDDSAPrivateKeyEntryDecoder()
static RandomFactory getRandomFactory
static SecurityProviderRegistrar getRegisteredProvider(String provider)
static Signature getSignature(String algorithm)
static boolean isAPrioriDisabledProvider(String name)
static boolean isBouncyCastleRegistered()
static boolean isDHGroupExchangeSupported()
static boolean isDHGroupExchangeSupported(int maxKeySize)
static boolean isDHOakelyGroupSupported(int keySize)
static boolean isECCSupported()
static boolean isEDDSACurveSupported()
static boolean isProviderRegistered(String provider)
static boolean isRegistrationCompleted()
static Iterable<KeyPair> loadKeyPairIdentities(SessionContext session, NamedResource resourceKey, InputStream inputStream, FilePasswordProvider provider)
static <B extends Buffer> B putEDDSAKeyPair(B buffer, KeyPair kp)
static <B extends Buffer> B putEDDSAKeyPair(B buffer, PublicKey pubKey, PrivateKey prvKey)
static <B extends Buffer> B putRawEDDSAPublicKey(B buffer, PublicKey key)
static PublicKey recoverEDDSAPublicKey
private static void register()
static SecurityProviderRegistrar registerSecurityProvider(SecurityProviderRegistrar registrar)
private static int resolveDHGEXKeySizeValue(AtomicInteger holder, String propName, int maxKeySize)
static <T> SecurityEntityFactory<T> resolveSecurityEntityFactory(Class<T> entityType, String algorithm, Predicate<? super SecurityProviderRegistrar> entitySelector)
static void setAPrioriDisabledProvider(String name, boolean disabled)
    Marks a provider's registrar as "a-priori" disabled programmatically, so that when its SecurityProviderRegistrar.isEnabled() is eventually consulted it returns false regardless of the configured value for the specific provider registrar instance.
static void setDefaultProviderChoice
static void setKeyPairResourceParser(KeyPairResourceParser parser)
static void setMaxDHGroupExchangeKeySize(int keySize)
    Set programmatically the reported value for getMaxDHGroupExchangeKeySize()
static void setMinDHGroupExchangeKeySize(int keySize)
    Set programmatically the reported value for getMinDHGroupExchangeKeySize()
-
Field Details
-
BOUNCY_CASTLE
Bouncycastle JCE provider name
-
EDDSA
EDDSA support - should match EdDSAKey.KEY_ALGORITHM
-
CURVE_ED25519_SHA512
-
MIN_DHGEX_KEY_SIZE_PROP
System property used to configure the value for the minimum supported Diffie-Hellman Group Exchange key size. If not set, then an internal auto-discovery mechanism is employed. If set to a negative value, then Diffie-Hellman Group Exchange is disabled.
-
MAX_DHGEX_KEY_SIZE_PROP
System property used to configure the value for the maximum supported Diffie-Hellman Group Exchange key size. If not set, then an internal auto-discovery mechanism is employed. If set to a negative value, then Diffie-Hellman Group Exchange is disabled.
-
MIN_DHGEX_KEY_SIZE
public static final int MIN_DHGEX_KEY_SIZE
The min. key size value used for testing whether Diffie-Hellman Group Exchange is supported or not. According to RFC 4419 section 3: "Servers and clients SHOULD support groups with a modulus length of k bits, where 1024 <= k <= 8192". Note: this has been amended by RFC 8270.
-
PREFERRED_DHGEX_KEY_SIZE
public static final int PREFERRED_DHGEX_KEY_SIZE
-
MAX_DHGEX_KEY_SIZE
public static final int MAX_DHGEX_KEY_SIZE
-
SECURITY_PROVIDER_REGISTRARS
Comma separated list of fully qualified SecurityProviderRegistrars to automatically register
-
DEFAULT_SECURITY_PROVIDER_REGISTRARS
-
REGISTER_BOUNCY_CASTLE_PROP
Deprecated. Please use "org.apache.sshd.security.provider.BC.enabled"
System property used to control whether to automatically register the Bouncycastle JCE provider
-
ECC_SUPPORTED_PROP
System property used to control whether Elliptic Curves are supported or not. If not set, then the support is auto-detected. Note: if set to true, it is up to the user to make sure that there is indeed a provider for them.
-
EDDSA_SUPPORTED_PROP
Deprecated. Please use "org.apache.sshd.security.provider.EdDSA.enabled"
System property used to decide whether EDDSA curves are supported or not (in addition to, or even in spite of, isEDDSACurveSupported()). If not set, or set to true, then the existence of the optional support classes determines the support.
-
PROP_DEFAULT_SECURITY_PROVIDER
-
MIN_DHG_KEY_SIZE_HOLDER
-
MAX_DHG_KEY_SIZE_HOLDER
-
REGISTERED_PROVIDERS
-
KEYPAIRS_PARSER_HODLER
-
APRIORI_DISABLED_PROVIDERS
-
REGISTRATION_STATE_HOLDER
-
SECURITY_ENTITY_FACTORIES
-
DEFAULT_PROVIDER_HOLDER
-
hasEcc
-
-
Constructor Details
-
SecurityUtils
private SecurityUtils()
-
-
Method Details
-
isAPrioriDisabledProvider
- Parameters:
name - The provider's name - never null/empty
- Returns:
true if the provider is marked as disabled a-priori
-
setAPrioriDisabledProvider
Marks a provider's registrar as "a-priori" disabled programmatically, so that when its SecurityProviderRegistrar.isEnabled() is eventually consulted it returns false regardless of the configured value for the specific provider registrar instance. Note: has no effect if the provider has already been registered.
- Parameters:
name - The provider's name - never null/empty
disabled - true whether to disable it a-priori
-
getAPrioriDisabledProviders
- Returns:
A copy of the current a-priori disabled provider names
-
isECCSupported
public static boolean isECCSupported()
- Returns:
true if Elliptic Curve Cryptography is supported
-
isDHGroupExchangeSupported
public static boolean isDHGroupExchangeSupported()
- Returns:
true if Diffie-Hellman Group Exchange is supported
-
isDHOakelyGroupSupported
public static boolean isDHOakelyGroupSupported(int keySize)
- Parameters:
keySize - The expected key size
- Returns:
true if Oakley Diffie-Hellman Group Exchange is supported for the specified key size
-
getMinDHGroupExchangeKeySize
public static int getMinDHGroupExchangeKeySize()
- Returns:
The minimum supported Diffie-Hellman Group Exchange key size, or non-positive if not supported
-
setMinDHGroupExchangeKeySize
public static void setMinDHGroupExchangeKeySize(int keySize)
Set programmatically the reported value for getMinDHGroupExchangeKeySize()
- Parameters:
keySize - The reported key size - if zero, then it will be auto-detected; if negative, then DH group exchange will be disabled
-
getMaxDHGroupExchangeKeySize
public static int getMaxDHGroupExchangeKeySize()
- Returns:
The maximum supported Diffie-Hellman Group Exchange key size, or non-positive if not supported
-
setMaxDHGroupExchangeKeySize
public static void setMaxDHGroupExchangeKeySize(int keySize)
Set programmatically the reported value for getMaxDHGroupExchangeKeySize()
- Parameters:
keySize - The reported key size - if zero, then it will be auto-detected; if negative, then DH group exchange will be disabled
-
resolveDHGEXKeySizeValue
-
isDHGroupExchangeSupported
public static boolean isDHGroupExchangeSupported(int maxKeySize)
-
getDefaultProviderChoice
-
setDefaultProviderChoice
-
getRegisteredProviders
- Returns:
- A copy of the currently registered security providers
-
isBouncyCastleRegistered
public static boolean isBouncyCastleRegistered()
-
isProviderRegistered
-
getRegisteredProvider
-
isRegistrationCompleted
public static boolean isRegistrationCompleted()
-
register
private static void register()
-
registerSecurityProvider
public static SecurityProviderRegistrar registerSecurityProvider(SecurityProviderRegistrar registrar)
- Parameters:
registrar - The registrar instance to register
- Returns:
The registered instance - may be different from the one requested if a registrar was already registered. Returns null if not already registered and the registrar is not enabled or not supported.
-
loadKeyPairIdentities
public static Iterable<KeyPair> loadKeyPairIdentities(SessionContext session, NamedResource resourceKey, InputStream inputStream, FilePasswordProvider provider) throws IOException, GeneralSecurityException
- Parameters:
session - The SessionContext for invoking this load command - may be null if not invoked within a session context (e.g., offline tool).
resourceKey - An identifier of the key being loaded - used as argument to the FilePasswordProvider#getPassword invocation
inputStream - The InputStream for the private key
provider - A FilePasswordProvider - may be null if the loaded key is guaranteed not to be encrypted
- Returns:
The loaded KeyPair-s - or null if none loaded
- Throws:
IOException - If failed to read/parse the input stream
GeneralSecurityException - If failed to generate the keys
-
createGeneratorHostKeyProvider
-
getBouncycastleKeyPairResourceParser
-
getBouncycastleEncryptedPrivateKeyInfoDecryptor
-
getRandomFactory
- Returns:
If isBouncyCastleRegistered() then a BouncyCastleRandomFactory instance, otherwise a JceRandomFactory one
-
isEDDSACurveSupported
public static boolean isEDDSACurveSupported()
- Returns:
true if EDDSA curves (e.g., ed25519) are supported
-
getEDDSAPublicKeyEntryDecoder
public static PublicKeyEntryDecoder<? extends PublicKey, ? extends PrivateKey> getEDDSAPublicKeyEntryDecoder()
-
getOpenSSHEDDSAPrivateKeyEntryDecoder
public static PrivateKeyEntryDecoder<? extends PublicKey, ? extends PrivateKey> getOpenSSHEDDSAPrivateKeyEntryDecoder()
-
getEDDSASigner
-
getEDDSAKeySize
-
getEDDSAPublicKeyType
-
getEDDSAPrivateKeyType
-
compareEDDSAPPublicKeys
-
compareEDDSAPrivateKeys
-
recoverEDDSAPublicKey
- Throws:
GeneralSecurityException
-
generateEDDSAPublicKey
public static PublicKey generateEDDSAPublicKey(String keyType, byte[] seed) throws GeneralSecurityException
- Throws:
GeneralSecurityException
-
putRawEDDSAPublicKey
-
putEDDSAKeyPair
-
putEDDSAKeyPair
-
extractEDDSAKeyPair
public static KeyPair extractEDDSAKeyPair(Buffer buffer, String keyType) throws GeneralSecurityException
- Throws:
GeneralSecurityException
-
getKeyPairResourceParser
-
setKeyPairResourceParser
- Parameters:
parser - The system-wide KeyPairResourceParser to use. If set to null, then the default parser will be re-constructed on the next call to getKeyPairResourceParser()
-
resolveSecurityEntityFactory
public static <T> SecurityEntityFactory<T> resolveSecurityEntityFactory(Class<T> entityType, String algorithm, Predicate<? super SecurityProviderRegistrar> entitySelector)
-
createSecurityEntityFactory
public static <T> SecurityEntityFactory<T> createSecurityEntityFactory(Class<T> entityType, Predicate<? super SecurityProviderRegistrar> entitySelector)
-
getKeyFactory
- Throws:
GeneralSecurityException
-
getCipher
- Throws:
GeneralSecurityException
-
getMessageDigest
- Throws:
GeneralSecurityException
-
getKeyPairGenerator
public static KeyPairGenerator getKeyPairGenerator(String algorithm) throws GeneralSecurityException
- Throws:
GeneralSecurityException
-
getKeyAgreement
- Throws:
GeneralSecurityException
-
getMac
- Throws:
GeneralSecurityException
-
getSignature
- Throws:
GeneralSecurityException
-
getCertificateFactory
- Throws:
GeneralSecurityException
-