Object

play.api.libs.ws.ssl

Algorithms

Related Doc: package ssl

Permalink

object Algorithms

This singleton object provides the code needed to check for minimum standards of an X.509 certificate. Over 95% of trusted leaf certificates and 95% of trusted signing certificates use NIST recommended key sizes. Play supports Java 1.6, which does not have built in certificate strength checking, so we roll our own here.

The default settings here are based off NIST SP 800-57, using Dates for Phasing out MD5-based signatures and 1024-bit moduli as a practical guide.

Note that the key sizes are checked on root CA certificates in the trust store. As the Mozilla document says:

The other concern that needs to be addressed is that of RSA1024 being too small a modulus to be robust against faster computers. Unlike a signature algorithm, where only intermediate and end-entity certificates are impacted, fast math means we have to disable or remove all instances of 1024-bit moduli, including the root certificates.

Relevant key sizes:

According to NIST SP 800-57 the recommended algorithms and minimum key sizes are as follows: Through 2010 (minimum of 80 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=1024; N=160 IFC (e.g., RSA) Minimum: k=1024 ECC (e.g. ECDSA) Minimum: f=160 Through 2030 (minimum of 112 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=2048; N=224 IFC (e.g., RSA) Minimum: k=2048 ECC (e.g. ECDSA) Minimum: f=224 Beyond 2030 (minimum of 128 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=3072; N=256 IFC (e.g., RSA) Minimum: k=3072 ECC (e.g. ECDSA) Minimum: f=256

Relevant signature algorithms:

The known weak signature algorithms are "MD2, MD4, MD5".

SHA-1 is considered too weak for new certificates, but is still allowed for verifying old certificates in the chain. The TLS and NIST'S Policy on Hash Functions blog post by one of the JSSE authors has more details, in particular the "Put it into practice" section.

Source
Algorithms.scala
Linear Supertypes
AnyRef, Any
Ordering
  1. Alphabetic
  2. By inheritance
Inherited
  1. Algorithms
  2. AnyRef
  3. Any
  1. Hide All
  2. Show all
Visibility
  1. Public
  2. All

Value Members

  1. final def !=(arg0: Any): Boolean

    Permalink
    Definition Classes
    AnyRef → Any
  2. final def ##(): Int

    Permalink
    Definition Classes
    AnyRef → Any
  3. final def ==(arg0: Any): Boolean

    Permalink
    Definition Classes
    AnyRef → Any
  4. final def asInstanceOf[T0]: T0

    Permalink
    Definition Classes
    Any
  5. def clone(): AnyRef

    Permalink
    Attributes
    protected[java.lang]
    Definition Classes
    AnyRef
    Annotations
    @throws( ... )
  6. def decomposes(algorithm: String): Set[String]

    Permalink

    Decompose the standard algorithm name into sub-elements.

    Decompose the standard algorithm name into sub-elements.

    For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA" so that we can check the "SHA1" and "RSA" algorithm constraints separately.

    Please override the method if need to support more name pattern.

  7. def disabledKeyAlgorithms: String

    Permalink

    Disabled key algorithms are applied to all certificates, including the root CAs.

    Disabled key algorithms are applied to all certificates, including the root CAs.

    returns

    "RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224"

  8. def disabledSignatureAlgorithms: String

    Permalink

    Disabled signature algorithms are applied to signed certificates in a certificate chain, not including CA certs.

    Disabled signature algorithms are applied to signed certificates in a certificate chain, not including CA certs.

    returns

    "MD2, MD4, MD5"

  9. final def eq(arg0: AnyRef): Boolean

    Permalink
    Definition Classes
    AnyRef
  10. def equals(arg0: Any): Boolean

    Permalink
    Definition Classes
    AnyRef → Any
  11. def finalize(): Unit

    Permalink
    Attributes
    protected[java.lang]
    Definition Classes
    AnyRef
    Annotations
    @throws( classOf[java.lang.Throwable] )
  12. final def getClass(): Class[_]

    Permalink
    Definition Classes
    AnyRef → Any
  13. def getKeyAlgorithmName(pubk: Key): String

    Permalink
  14. def hashCode(): Int

    Permalink
    Definition Classes
    AnyRef → Any
  15. final def isInstanceOf[T0]: Boolean

    Permalink
    Definition Classes
    Any
  16. def keySize(key: Key): Option[Int]

    Permalink

    Returns the keySize of the given key, or None if no key exists.

  17. final def ne(arg0: AnyRef): Boolean

    Permalink
    Definition Classes
    AnyRef
  18. final def notify(): Unit

    Permalink
    Definition Classes
    AnyRef
  19. final def notifyAll(): Unit

    Permalink
    Definition Classes
    AnyRef
  20. final def synchronized[T0](arg0: ⇒ T0): T0

    Permalink
    Definition Classes
    AnyRef
  21. def toString(): String

    Permalink
    Definition Classes
    AnyRef → Any
  22. def translateECKey(pubk: Key): Key

    Permalink
  23. def translateKey(pubk: Key): Key

    Permalink
  24. final def wait(): Unit

    Permalink
    Definition Classes
    AnyRef
    Annotations
    @throws( ... )
  25. final def wait(arg0: Long, arg1: Int): Unit

    Permalink
    Definition Classes
    AnyRef
    Annotations
    @throws( ... )
  26. final def wait(arg0: Long): Unit

    Permalink
    Definition Classes
    AnyRef
    Annotations
    @throws( ... )

Inherited from AnyRef

Inherited from Any

Ungrouped