Class SecurityUtils
- java.lang.Object
-
- org.apache.sshd.common.util.security.SecurityUtils
-
public final class SecurityUtils extends java.lang.Object
Specific security providers related code
-
-
Field Summary
Fields Modifier and Type Field Description private static java.util.Set<java.lang.String>
APRIORI_DISABLED_PROVIDERS
static java.lang.String
BOUNCY_CASTLE
Bouncycastle JCE provider name
static java.lang.String
CURVE_ED25519_SHA512
private static java.util.concurrent.atomic.AtomicReference<SecurityProviderChoice>
DEFAULT_PROVIDER_HOLDER
static java.util.List<java.lang.String>
DEFAULT_SECURITY_PROVIDER_REGISTRARS
static java.lang.String
ECC_SUPPORTED_PROP
System property used to control whether Elliptic Curves are supported or not.
static java.lang.String
EDDSA
EDDSA support - should match EdDSAKey.KEY_ALGORITHM
static java.lang.String
EDDSA_SUPPORTED_PROP
Deprecated. Please use "org.apache.sshd.security.provider.EdDSA.enabled"
private static java.lang.Boolean
hasEcc
private static java.util.concurrent.atomic.AtomicReference<KeyPairResourceParser>
KEYPAIRS_PARSER_HODLER
private static java.util.concurrent.atomic.AtomicInteger
MAX_DHG_KEY_SIZE_HOLDER
static int
MAX_DHGEX_KEY_SIZE
static java.lang.String
MAX_DHGEX_KEY_SIZE_PROP
System property used to configure the value for the maximum supported Diffie-Hellman Group Exchange key size.
private static java.util.concurrent.atomic.AtomicInteger
MIN_DHG_KEY_SIZE_HOLDER
static int
MIN_DHGEX_KEY_SIZE
The min. key size value used for testing whether Diffie-Hellman Group Exchange is supported or not.
static java.lang.String
MIN_DHGEX_KEY_SIZE_PROP
System property used to configure the value for the minimum supported Diffie-Hellman Group Exchange key size.
static int
PREFERRED_DHGEX_KEY_SIZE
static java.lang.String
PROP_DEFAULT_SECURITY_PROVIDER
static java.lang.String
REGISTER_BOUNCY_CASTLE_PROP
Deprecated. Please use "org.apache.sshd.security.provider.BC.enabled"
private static java.util.Map<java.lang.String,SecurityProviderRegistrar>
REGISTERED_PROVIDERS
private static java.util.concurrent.atomic.AtomicBoolean
REGISTRATION_STATE_HOLDER
private static java.util.Map<java.lang.Class<?>,java.util.Map<java.lang.String,SecurityEntityFactory<?>>>
SECURITY_ENTITY_FACTORIES
static java.lang.String
SECURITY_PROVIDER_REGISTRARS
Comma-separated list of fully qualified SecurityProviderRegistrar classes to automatically register
-
Constructor Summary
Constructors Modifier Constructor Description private
SecurityUtils()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static boolean
compareEDDSAPPublicKeys(java.security.PublicKey k1, java.security.PublicKey k2)
static boolean
compareEDDSAPrivateKeys(java.security.PrivateKey k1, java.security.PrivateKey k2)
static AbstractGeneratorHostKeyProvider
createGeneratorHostKeyProvider(java.nio.file.Path path)
static <T> SecurityEntityFactory<T>
createSecurityEntityFactory(java.lang.Class<T> entityType, java.util.function.Predicate<? super SecurityProviderRegistrar> entitySelector)
static java.security.KeyPair
extractEDDSAKeyPair(Buffer buffer, java.lang.String keyType)
static java.security.PublicKey
generateEDDSAPublicKey(java.lang.String keyType, byte[] seed)
static java.util.Set<java.lang.String>
getAPrioriDisabledProviders()
static Decryptor
getBouncycastleEncryptedPrivateKeyInfoDecryptor()
static KeyPairResourceParser
getBouncycastleKeyPairResourceParser()
static java.security.cert.CertificateFactory
getCertificateFactory(java.lang.String type)
static javax.crypto.Cipher
getCipher(java.lang.String transformation)
static SecurityProviderChoice
getDefaultProviderChoice()
static int
getEDDSAKeySize(java.security.Key key)
static java.lang.Class<? extends java.security.PrivateKey>
getEDDSAPrivateKeyType()
static PublicKeyEntryDecoder<? extends java.security.PublicKey,? extends java.security.PrivateKey>
getEDDSAPublicKeyEntryDecoder()
static java.lang.Class<? extends java.security.PublicKey>
getEDDSAPublicKeyType()
static Signature
getEDDSASigner()
static javax.crypto.KeyAgreement
getKeyAgreement(java.lang.String algorithm)
static java.security.KeyFactory
getKeyFactory(java.lang.String algorithm)
static java.security.KeyPairGenerator
getKeyPairGenerator(java.lang.String algorithm)
static KeyPairResourceParser
getKeyPairResourceParser()
static javax.crypto.Mac
getMac(java.lang.String algorithm)
static int
getMaxDHGroupExchangeKeySize()
static java.security.MessageDigest
getMessageDigest(java.lang.String algorithm)
static int
getMinDHGroupExchangeKeySize()
static PrivateKeyEntryDecoder<? extends java.security.PublicKey,? extends java.security.PrivateKey>
getOpenSSHEDDSAPrivateKeyEntryDecoder()
static RandomFactory
getRandomFactory()
static SecurityProviderRegistrar
getRegisteredProvider(java.lang.String provider)
static java.util.Set<java.lang.String>
getRegisteredProviders()
static java.security.Signature
getSignature(java.lang.String algorithm)
static boolean
isAPrioriDisabledProvider(java.lang.String name)
static boolean
isBouncyCastleRegistered()
static boolean
isDHGroupExchangeSupported()
static boolean
isDHGroupExchangeSupported(int maxKeySize)
static boolean
isDHOakelyGroupSupported(int keySize)
static boolean
isECCSupported()
static boolean
isEDDSACurveSupported()
static boolean
isProviderRegistered(java.lang.String provider)
static boolean
isRegistrationCompleted()
static java.lang.Iterable<java.security.KeyPair>
loadKeyPairIdentities(SessionContext session, NamedResource resourceKey, java.io.InputStream inputStream, FilePasswordProvider provider)
static <B extends Buffer>
BputEDDSAKeyPair(B buffer, java.security.KeyPair kp)
static <B extends Buffer>
BputEDDSAKeyPair(B buffer, java.security.PublicKey pubKey, java.security.PrivateKey prvKey)
static <B extends Buffer>
BputRawEDDSAPublicKey(B buffer, java.security.PublicKey key)
static java.security.PublicKey
recoverEDDSAPublicKey(java.security.PrivateKey key)
private static void
register()
static SecurityProviderRegistrar
registerSecurityProvider(SecurityProviderRegistrar registrar)
private static int
resolveDHGEXKeySizeValue(java.util.concurrent.atomic.AtomicInteger holder, java.lang.String propName, int maxKeySize)
static <T> SecurityEntityFactory<T>
resolveSecurityEntityFactory(java.lang.Class<T> entityType, java.lang.String algorithm, java.util.function.Predicate<? super SecurityProviderRegistrar> entitySelector)
static void
setAPrioriDisabledProvider(java.lang.String name, boolean disabled)
Marks a provider's registrar as "a-priori" disabled programmatically, so that when its SecurityProviderRegistrar.isEnabled()
is eventually consulted it will return false
regardless of the configured value for the specific provider registrar instance.
static void
setDefaultProviderChoice(SecurityProviderChoice choice)
static void
setKeyPairResourceParser(KeyPairResourceParser parser)
static void
setMaxDHGroupExchangeKeySize(int keySize)
Set programmatically the reported value for getMaxDHGroupExchangeKeySize()
static void
setMinDHGroupExchangeKeySize(int keySize)
Set programmatically the reported value for getMinDHGroupExchangeKeySize()
-
-
-
Field Detail
-
BOUNCY_CASTLE
public static final java.lang.String BOUNCY_CASTLE
Bouncycastle JCE provider name
- See Also:
- Constant Field Values
-
EDDSA
public static final java.lang.String EDDSA
EDDSA support - should match EdDSAKey.KEY_ALGORITHM
- See Also:
- Constant Field Values
-
CURVE_ED25519_SHA512
public static final java.lang.String CURVE_ED25519_SHA512
- See Also:
- Constant Field Values
-
MIN_DHGEX_KEY_SIZE_PROP
public static final java.lang.String MIN_DHGEX_KEY_SIZE_PROP
System property used to configure the value for the minimum supported Diffie-Hellman Group Exchange key size. If not set, then an internal auto-discovery mechanism is employed. If set to a negative value then Diffie-Hellman Group Exchange is disabled.
- See Also:
- Constant Field Values
-
MAX_DHGEX_KEY_SIZE_PROP
public static final java.lang.String MAX_DHGEX_KEY_SIZE_PROP
System property used to configure the value for the maximum supported Diffie-Hellman Group Exchange key size. If not set, then an internal auto-discovery mechanism is employed. If set to a negative value then Diffie-Hellman Group Exchange is disabled.
- See Also:
- Constant Field Values
-
MIN_DHGEX_KEY_SIZE
public static final int MIN_DHGEX_KEY_SIZE
The min. key size value used for testing whether Diffie-Hellman Group Exchange is supported or not. According to RFC 4419 section 3: "Servers and clients SHOULD support groups with a modulus length of k bits, where 1024 <= k <= 8192". Note: this has been amended by RFC 8270, which raises the recommended minimum modulus length.
- See Also:
- Constant Field Values
-
PREFERRED_DHGEX_KEY_SIZE
public static final int PREFERRED_DHGEX_KEY_SIZE
- See Also:
- Constant Field Values
-
MAX_DHGEX_KEY_SIZE
public static final int MAX_DHGEX_KEY_SIZE
- See Also:
- Constant Field Values
-
SECURITY_PROVIDER_REGISTRARS
public static final java.lang.String SECURITY_PROVIDER_REGISTRARS
Comma-separated list of fully qualified SecurityProviderRegistrar classes to automatically register
- See Also:
- Constant Field Values
-
DEFAULT_SECURITY_PROVIDER_REGISTRARS
public static final java.util.List<java.lang.String> DEFAULT_SECURITY_PROVIDER_REGISTRARS
-
REGISTER_BOUNCY_CASTLE_PROP
@Deprecated public static final java.lang.String REGISTER_BOUNCY_CASTLE_PROP
Deprecated. Please use "org.apache.sshd.security.provider.BC.enabled"
System property used to control whether to automatically register the Bouncycastle JCE provider
- See Also:
- Constant Field Values
-
ECC_SUPPORTED_PROP
public static final java.lang.String ECC_SUPPORTED_PROP
System property used to control whether Elliptic Curves are supported or not. If not set then the support is auto-detected. Note: if set to true
it is up to the user to make sure that a provider for them is indeed available
- See Also:
- Constant Field Values
-
EDDSA_SUPPORTED_PROP
@Deprecated public static final java.lang.String EDDSA_SUPPORTED_PROP
Deprecated. Please use "org.apache.sshd.security.provider.EdDSA.enabled"
System property used to decide whether EDDSA curves are supported or not (in addition to, or even in spite of, isEDDSACurveSupported()
). If not set, or set to true
, then the existence of the optional support classes determines the support.
- See Also:
- Constant Field Values
-
PROP_DEFAULT_SECURITY_PROVIDER
public static final java.lang.String PROP_DEFAULT_SECURITY_PROVIDER
- See Also:
- Constant Field Values
-
MIN_DHG_KEY_SIZE_HOLDER
private static final java.util.concurrent.atomic.AtomicInteger MIN_DHG_KEY_SIZE_HOLDER
-
MAX_DHG_KEY_SIZE_HOLDER
private static final java.util.concurrent.atomic.AtomicInteger MAX_DHG_KEY_SIZE_HOLDER
-
REGISTERED_PROVIDERS
private static final java.util.Map<java.lang.String,SecurityProviderRegistrar> REGISTERED_PROVIDERS
-
KEYPAIRS_PARSER_HODLER
private static final java.util.concurrent.atomic.AtomicReference<KeyPairResourceParser> KEYPAIRS_PARSER_HODLER
-
APRIORI_DISABLED_PROVIDERS
private static final java.util.Set<java.lang.String> APRIORI_DISABLED_PROVIDERS
-
REGISTRATION_STATE_HOLDER
private static final java.util.concurrent.atomic.AtomicBoolean REGISTRATION_STATE_HOLDER
-
SECURITY_ENTITY_FACTORIES
private static final java.util.Map<java.lang.Class<?>,java.util.Map<java.lang.String,SecurityEntityFactory<?>>> SECURITY_ENTITY_FACTORIES
-
DEFAULT_PROVIDER_HOLDER
private static final java.util.concurrent.atomic.AtomicReference<SecurityProviderChoice> DEFAULT_PROVIDER_HOLDER
-
hasEcc
private static java.lang.Boolean hasEcc
-
-
Method Detail
-
isAPrioriDisabledProvider
public static boolean isAPrioriDisabledProvider(java.lang.String name)
- Parameters:
name
- The provider's name - never null/empty
- Returns:
true if the provider is marked as disabled a-priori
- See Also:
setAPrioriDisabledProvider(String, boolean)
-
setAPrioriDisabledProvider
public static void setAPrioriDisabledProvider(java.lang.String name, boolean disabled)
Marks a provider's registrar as "a-priori" disabled programmatically, so that when its SecurityProviderRegistrar.isEnabled()
is eventually consulted it will return false
regardless of the configured value for the specific provider registrar instance. Note: has no effect if the provider has already been registered.
- Parameters:
name
- The provider's name - never null/empty
disabled
- true to disable it a-priori
- See Also:
isAPrioriDisabledProvider(String)
-
getAPrioriDisabledProviders
public static java.util.Set<java.lang.String> getAPrioriDisabledProviders()
- Returns:
- A copy of the current a-priori disabled provider names
-
isECCSupported
public static boolean isECCSupported()
- Returns:
true if Elliptic Curve Cryptography is supported
- See Also:
ECC_SUPPORTED_PROP
-
isDHGroupExchangeSupported
public static boolean isDHGroupExchangeSupported()
- Returns:
true if Diffie-Hellman Group Exchange is supported
- See Also:
getMinDHGroupExchangeKeySize()
,getMaxDHGroupExchangeKeySize()
-
isDHOakelyGroupSupported
public static boolean isDHOakelyGroupSupported(int keySize)
- Parameters:
keySize
- The expected key size
- Returns:
true if Oakley Diffie-Hellman Group Exchange is supported for the specified key size
- See Also:
isDHGroupExchangeSupported()
,getMaxDHGroupExchangeKeySize()
-
getMinDHGroupExchangeKeySize
public static int getMinDHGroupExchangeKeySize()
- Returns:
- The minimum supported Diffie-Hellman Group Exchange key size, or non-positive if not supported
-
setMinDHGroupExchangeKeySize
public static void setMinDHGroupExchangeKeySize(int keySize)
Set programmatically the reported value forgetMinDHGroupExchangeKeySize()
- Parameters:
keySize
- The reported key size - if zero, it will be auto-detected; if negative, DH group exchange will be disabled
-
getMaxDHGroupExchangeKeySize
public static int getMaxDHGroupExchangeKeySize()
- Returns:
- The maximum supported Diffie-Hellman Group Exchange key size, or non-positive if not supported
-
setMaxDHGroupExchangeKeySize
public static void setMaxDHGroupExchangeKeySize(int keySize)
Set programmatically the reported value forgetMaxDHGroupExchangeKeySize()
- Parameters:
keySize
- The reported key size - if zero, it will be auto-detected; if negative, DH group exchange will be disabled
-
resolveDHGEXKeySizeValue
private static int resolveDHGEXKeySizeValue(java.util.concurrent.atomic.AtomicInteger holder, java.lang.String propName, int maxKeySize)
-
isDHGroupExchangeSupported
public static boolean isDHGroupExchangeSupported(int maxKeySize)
-
getDefaultProviderChoice
public static SecurityProviderChoice getDefaultProviderChoice()
-
setDefaultProviderChoice
public static void setDefaultProviderChoice(SecurityProviderChoice choice)
-
getRegisteredProviders
public static java.util.Set<java.lang.String> getRegisteredProviders()
- Returns:
- A copy of the currently registered security providers
-
isBouncyCastleRegistered
public static boolean isBouncyCastleRegistered()
-
isProviderRegistered
public static boolean isProviderRegistered(java.lang.String provider)
-
getRegisteredProvider
public static SecurityProviderRegistrar getRegisteredProvider(java.lang.String provider)
-
isRegistrationCompleted
public static boolean isRegistrationCompleted()
-
register
private static void register()
-
registerSecurityProvider
public static SecurityProviderRegistrar registerSecurityProvider(SecurityProviderRegistrar registrar)
- Parameters:
registrar
- The registrar instance to register
- Returns:
- The registered instance - may be different from the supplied one if a registrar was already registered. Returns
null
if the registrar was not already registered and is either not enabled or not supported.
-
loadKeyPairIdentities
public static java.lang.Iterable<java.security.KeyPair> loadKeyPairIdentities(SessionContext session, NamedResource resourceKey, java.io.InputStream inputStream, FilePasswordProvider provider) throws java.io.IOException, java.security.GeneralSecurityException
- Parameters:
session
- The SessionContext for invoking this load command - may be null if not invoked within a session context (e.g., offline tool).
resourceKey
- An identifier of the key being loaded - used as argument to the FilePasswordProvider#getPassword invocation
inputStream
- The InputStream for the private key
provider
- A FilePasswordProvider - may be null if the loaded key is guaranteed not to be encrypted
- Returns:
- The loaded KeyPairs - or null if none loaded
- Throws:
java.io.IOException
- If failed to read/parse the input stream
java.security.GeneralSecurityException
- If failed to generate the keys
-
createGeneratorHostKeyProvider
public static AbstractGeneratorHostKeyProvider createGeneratorHostKeyProvider(java.nio.file.Path path)
-
getBouncycastleKeyPairResourceParser
public static KeyPairResourceParser getBouncycastleKeyPairResourceParser()
-
getBouncycastleEncryptedPrivateKeyInfoDecryptor
public static Decryptor getBouncycastleEncryptedPrivateKeyInfoDecryptor()
-
getRandomFactory
public static RandomFactory getRandomFactory()
- Returns:
- If isBouncyCastleRegistered() then a BouncyCastleRandomFactory instance, otherwise a JceRandomFactory one
-
isEDDSACurveSupported
public static boolean isEDDSACurveSupported()
- Returns:
true if EDDSA curves (e.g., ed25519) are supported
-
getEDDSAPublicKeyEntryDecoder
public static PublicKeyEntryDecoder<? extends java.security.PublicKey,? extends java.security.PrivateKey> getEDDSAPublicKeyEntryDecoder()
-
getOpenSSHEDDSAPrivateKeyEntryDecoder
public static PrivateKeyEntryDecoder<? extends java.security.PublicKey,? extends java.security.PrivateKey> getOpenSSHEDDSAPrivateKeyEntryDecoder()
-
getEDDSASigner
public static Signature getEDDSASigner()
-
getEDDSAKeySize
public static int getEDDSAKeySize(java.security.Key key)
-
getEDDSAPublicKeyType
public static java.lang.Class<? extends java.security.PublicKey> getEDDSAPublicKeyType()
-
getEDDSAPrivateKeyType
public static java.lang.Class<? extends java.security.PrivateKey> getEDDSAPrivateKeyType()
-
compareEDDSAPPublicKeys
public static boolean compareEDDSAPPublicKeys(java.security.PublicKey k1, java.security.PublicKey k2)
-
compareEDDSAPrivateKeys
public static boolean compareEDDSAPrivateKeys(java.security.PrivateKey k1, java.security.PrivateKey k2)
-
recoverEDDSAPublicKey
public static java.security.PublicKey recoverEDDSAPublicKey(java.security.PrivateKey key) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
generateEDDSAPublicKey
public static java.security.PublicKey generateEDDSAPublicKey(java.lang.String keyType, byte[] seed) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
putRawEDDSAPublicKey
public static <B extends Buffer> B putRawEDDSAPublicKey(B buffer, java.security.PublicKey key)
-
putEDDSAKeyPair
public static <B extends Buffer> B putEDDSAKeyPair(B buffer, java.security.KeyPair kp)
-
putEDDSAKeyPair
public static <B extends Buffer> B putEDDSAKeyPair(B buffer, java.security.PublicKey pubKey, java.security.PrivateKey prvKey)
-
extractEDDSAKeyPair
public static java.security.KeyPair extractEDDSAKeyPair(Buffer buffer, java.lang.String keyType) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
getKeyPairResourceParser
public static KeyPairResourceParser getKeyPairResourceParser()
-
setKeyPairResourceParser
public static void setKeyPairResourceParser(KeyPairResourceParser parser)
- Parameters:
parser
- The system-wide KeyPairResourceParser to use. If set to null, then the default parser will be re-constructed on the next call to getKeyPairResourceParser()
-
resolveSecurityEntityFactory
public static <T> SecurityEntityFactory<T> resolveSecurityEntityFactory(java.lang.Class<T> entityType, java.lang.String algorithm, java.util.function.Predicate<? super SecurityProviderRegistrar> entitySelector)
-
createSecurityEntityFactory
public static <T> SecurityEntityFactory<T> createSecurityEntityFactory(java.lang.Class<T> entityType, java.util.function.Predicate<? super SecurityProviderRegistrar> entitySelector)
-
getKeyFactory
public static java.security.KeyFactory getKeyFactory(java.lang.String algorithm) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
getCipher
public static javax.crypto.Cipher getCipher(java.lang.String transformation) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
getMessageDigest
public static java.security.MessageDigest getMessageDigest(java.lang.String algorithm) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
getKeyPairGenerator
public static java.security.KeyPairGenerator getKeyPairGenerator(java.lang.String algorithm) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
getKeyAgreement
public static javax.crypto.KeyAgreement getKeyAgreement(java.lang.String algorithm) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
getMac
public static javax.crypto.Mac getMac(java.lang.String algorithm) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
getSignature
public static java.security.Signature getSignature(java.lang.String algorithm) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
getCertificateFactory
public static java.security.cert.CertificateFactory getCertificateFactory(java.lang.String type) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
-