Looks for disabled algorithms in the certificate.
Looks for disabled algorithms in the certificate. This is because some certificates are signed with forgable hashes such as MD2 or MD5, so we can't be certain of their authenticity.
This class is needed because the JDK 1.6 Algorithm checker doesn't give us any way to customize the list of disabled algorithms, and we need to be able to support that.
Also note that we need to check the trust anchor for disabled key sizes, and the CertPath explicitly removes the trust anchor from the chain of certificates. This means we need to check the trust anchor explicitly in the through the CompositeTrustManager.
A certificate exception that contains underlying exceptions.
A keymanager that wraps other X509 key managers.
A trust manager that is a composite of several smaller trust managers.
A trust manager that is a composite of several smaller trust managers. It is responsible for verifying the credentials received from a peer.
Creates an SSL context builder from info objects.
Use the internal sun hostname checker as the hostname verifier.
Use the internal sun hostname checker as the hostname verifier. Thanks to Kevin Locke.
http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/
sun.security.util.HostnameChecker
Builds a keystore from a file containing PEM encoded certificates, using CertificateFactory internally.
Builds a keystore from a file containing PEM encoded certificates, using CertificateFactory internally.
java.security.cert.CertificateFactory
http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html
A builder for setting the system property options in "javax.net.debug" and in "java.security.debug' (in the case of "certpath").
A builder for setting the system property options in "javax.net.debug" and in "java.security.debug' (in the case of "certpath").
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug
Contains configuration information for a key manager.
Contains configuration information for a key store.
Contains information for configuring a JSSE SSL context.
A simple SSL context builder.
A simple SSL context builder. If the keyManagers or trustManagers are empty, then null is used in the init method. Likewise, if secureRandom is None then null is used.
Builds a keystore from a string containing PEM encoded certificates, using CertificateFactory internally.
Builds a keystore from a string containing PEM encoded certificates, using CertificateFactory internally.
java.security.cert.CertificateFactory
Configures global system properties on the JSSE implementation, if defined.
Configures global system properties on the JSSE implementation, if defined.
WARNING: This class sets system properties to configure JSSE code which typically uses static initialization on load. Because of this, if classes are loaded in BEFORE this code has a chance to operate, you may find that this code works inconsistently. The solution is to set the system properties on the command line explicitly (or in the case of "ocsp.enable", in the security property file).
Contains configuration information for a trust manager.
Contains configuration information for a trust store.
Parser based on the jdk.certpath.disabledAlgorithm BNF.
Parser based on the jdk.certpath.disabledAlgorithm BNF.
http://sim.ivi.co/2011/07/java-se-7-release-security-enhancements.html
This singleton object provides the code needed to check for minimum standards of an X.509 certificate.
This singleton object provides the code needed to check for minimum standards of an X.509 certificate. Over 95% of trusted leaf certificates and 95% of trusted signing certificates use NIST recommended key sizes. Play supports Java 1.6, which does not have built in certificate strength checking, so we roll our own here.
The default settings here are based off NIST SP 800-57, using Dates for Phasing out MD5-based signatures and 1024-bit moduli as a practical guide.
Note that the key sizes are checked on root CA certificates in the trust store. As the Mozilla document says:
The other concern that needs to be addressed is that of RSA1024 being too small a modulus to be robust against faster computers. Unlike a signature algorithm, where only intermediate and end-entity certificates are impacted, fast math means we have to disable or remove all instances of 1024-bit moduli, including the root certificates.
Relevant key sizes:
According to NIST SP 800-57 the recommended algorithms and minimum key sizes are as follows: Through 2010 (minimum of 80 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=1024; N=160 IFC (e.g., RSA) Minimum: k=1024 ECC (e.g. ECDSA) Minimum: f=160 Through 2030 (minimum of 112 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=2048; N=224 IFC (e.g., RSA) Minimum: k=2048 ECC (e.g. ECDSA) Minimum: f=224 Beyond 2030 (minimum of 128 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=3072; N=256 IFC (e.g., RSA) Minimum: k=3072 ECC (e.g. ECDSA) Minimum: f=256
Relevant signature algorithms:
The known weak signature algorithms are "MD2, MD4, MD5".
SHA-1 is considered too weak for new certificates, but is still allowed for verifying old certificates in the chain. The TLS and NIST'S Policy on Hash Functions blog post by one of the JSSE authors has more details, in particular the "Put it into practice" section.
Used for testing only.
Used for testing only. This relies on internal sun.security packages, so cannot be used in OpenJDK.