play.api.libs.ws.ssl

Algorithms

object Algorithms

This singleton object provides the code needed to check for minimum standards of an X.509 certificate. Over 95% of trusted leaf certificates and 95% of trusted signing certificates use NIST recommended key sizes. Play supports Java 1.6, which does not have built in certificate strength checking, so we roll our own here.

The default settings here are based off NIST SP 800-57, using Dates for Phasing out MD5-based signatures and 1024-bit moduli as a practical guide.

Note that the key sizes are checked on root CA certificates in the trust store. As the Mozilla document says:

The other concern that needs to be addressed is that of RSA1024 being too small a modulus to be robust against faster computers. Unlike a signature algorithm, where only intermediate and end-entity certificates are impacted, fast math means we have to disable or remove all instances of 1024-bit moduli, including the root certificates.

Relevant key sizes:

According to NIST SP 800-57 the recommended algorithms and minimum key sizes are as follows: Through 2010 (minimum of 80 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=1024; N=160 IFC (e.g., RSA) Minimum: k=1024 ECC (e.g. ECDSA) Minimum: f=160 Through 2030 (minimum of 112 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=2048; N=224 IFC (e.g., RSA) Minimum: k=2048 ECC (e.g. ECDSA) Minimum: f=224 Beyond 2030 (minimum of 128 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=3072; N=256 IFC (e.g., RSA) Minimum: k=3072 ECC (e.g. ECDSA) Minimum: f=256

Relevant signature algorithms:

The known weak signature algorithms are "MD2, MD4, MD5".

SHA-1 is considered too weak for new certificates, but is still allowed for verifying old certificates in the chain. The TLS and NIST'S Policy on Hash Functions blog post by one of the JSSE authors has more details, in particular the "Put it into practice" section.

Source
Algorithms.scala
Linear Supertypes
AnyRef, Any
Ordering
  1. Alphabetic
  2. By inheritance
Inherited
  1. Algorithms
  2. AnyRef
  3. Any
  1. Hide All
  2. Show all
Learn more about member selection
Visibility
  1. Public
  2. All

Value Members

  1. final def !=(arg0: AnyRef): Boolean

    Definition Classes
    AnyRef
  2. final def !=(arg0: Any): Boolean

    Definition Classes
    Any
  3. final def ##(): Int

    Definition Classes
    AnyRef → Any
  4. final def ==(arg0: AnyRef): Boolean

    Definition Classes
    AnyRef
  5. final def ==(arg0: Any): Boolean

    Definition Classes
    Any
  6. final def asInstanceOf[T0]: T0

    Definition Classes
    Any
  7. def clone(): AnyRef

    Attributes
    protected[java.lang]
    Definition Classes
    AnyRef
    Annotations
    @throws( ... )
  8. def decomposes(algorithm: String): Set[String]

    Decompose the standard algorithm name into sub-elements.

    Decompose the standard algorithm name into sub-elements.

    For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA" so that we can check the "SHA1" and "RSA" algorithm constraints separately.

    Please override the method if need to support more name pattern.

  9. def disabledKeyAlgorithms: String

    Disabled key algorithms are applied to all certificates, including the root CAs.

    Disabled key algorithms are applied to all certificates, including the root CAs.

    returns

    "RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224"

  10. def disabledSignatureAlgorithms: String

    Disabled signature algorithms are applied to signed certificates in a certificate chain, not including CA certs.

    Disabled signature algorithms are applied to signed certificates in a certificate chain, not including CA certs.

    returns

    "MD2, MD4, MD5"

  11. final def eq(arg0: AnyRef): Boolean

    Definition Classes
    AnyRef
  12. def equals(arg0: Any): Boolean

    Definition Classes
    AnyRef → Any
  13. def finalize(): Unit

    Attributes
    protected[java.lang]
    Definition Classes
    AnyRef
    Annotations
    @throws( classOf[java.lang.Throwable] )
  14. final def getClass(): Class[_]

    Definition Classes
    AnyRef → Any
  15. def getKeyAlgorithmName(pubk: Key): String

  16. def hashCode(): Int

    Definition Classes
    AnyRef → Any
  17. final def isInstanceOf[T0]: Boolean

    Definition Classes
    Any
  18. def keySize(key: Key): Option[Int]

    Returns the keySize of the given key, or None if no key exists.

  19. final def ne(arg0: AnyRef): Boolean

    Definition Classes
    AnyRef
  20. final def notify(): Unit

    Definition Classes
    AnyRef
  21. final def notifyAll(): Unit

    Definition Classes
    AnyRef
  22. final def synchronized[T0](arg0: ⇒ T0): T0

    Definition Classes
    AnyRef
  23. def toString(): String

    Definition Classes
    AnyRef → Any
  24. def translateECKey(pubk: Key): Key

  25. def translateKey(pubk: Key): Key

  26. final def wait(): Unit

    Definition Classes
    AnyRef
    Annotations
    @throws( ... )
  27. final def wait(arg0: Long, arg1: Int): Unit

    Definition Classes
    AnyRef
    Annotations
    @throws( ... )
  28. final def wait(arg0: Long): Unit

    Definition Classes
    AnyRef
    Annotations
    @throws( ... )

Inherited from AnyRef

Inherited from Any

Ungrouped