Package org.owasp.esapi.crypto

Class SecurityProviderLoader

  • public class SecurityProviderLoader
extends java.lang.Object
    This class provides a generic static method that loads a java.security.Provider either by some generic name (i.e., Provider.getName()) or by a fully-qualified class name. It is intended to be called dynamically by an application to add a specific JCE provider at runtime.

    If the ESAPI.properties file has a the property ESAPI.PreferredJCEProvider defined to either a recognized JCE provider (see below for list) or a fully qualified path name of that JCE provider's Provider class, then the reference implementation of ESAPI cryptography (org.owasp.esapi.reference.crypto.JavaEncryptor) tries to load this specified JCE provider via insertProviderAt(String,int).

    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      static int insertProviderAt​(java.lang.String algProvider, int pos)
      This methods adds a provider to the SecurityManager either by some generic name or by the class name.
      static int loadESAPIPreferredJCEProvider()
      Load the preferred JCE provider for ESAPI based on the ESAPI.properties property Encryptor.PreferredJCEProvider.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • SecurityProviderLoader

        public SecurityProviderLoader()

    • Method Detail

      • insertProviderAt

        public static int insertProviderAt​(java.lang.String algProvider,
                                   int pos)
                            throws java.security.NoSuchProviderException
        This methods adds a provider to the SecurityManager either by some generic name or by the class name.

        The following generic JCE provider names are built-in:

        • SunJCE
        • IBMJCE [for WebSphere]
        • GnuCrypto [for use with GNU Compiler for Java, i.e., gcj]
        • BC [i.e., Bouncy Castle]
        • IAIK
        • CryptixCrypto (or Cryptix)
        • ABA
        Note that neither Cryptix or ABA are actively maintained so it is recommended that you do not start using them for ESAPI unless your application already has a dependency on them. Furthermore, the Cryptix JCE jars likely will not work as the Cryptix code signing certificate has expired as of August 28, 2009. (This likely is true for ABA, but I can't even find a copy to download!). Lastly, the IAIK provider is no longer offered as free, open source. It is not a commercial product. See {@link "http://jce.iaik.tugraz.at/"} for details. While some older versions were offered free, it is not clear whether the accompanying license still allows you to use it, and if it does, whether or not the code signing certificate used to sign their JCE jar(s) has expired are not. Therefore, if you are looking for a FOSS alternative to SunJCE, Bouncy Castle ({@link "http://www.bouncycastle.org/"} is probably your best bet. The BC provider does support many the "combined cipher modes" that provide both confidentiality and authenticity. (See the ESAPI.properties property Encryptor.cipher_modes.combined_modes for details.)

        For those working in the U.S. federal government, it should be noted that none of the providers listed here are considered validated by NIST's Cryptographic Module Validation Program and are therefore not considered FIPS 140-2 compliant. There are a few approved JCE compatible Java libraries that are on NIST's CMVP list, but this list changes constantly so they are not listed here. For further details on NIST's CMVP, see {@link "http://csrc.nist.gov/groups/STM/cmvp/index.html"}.

        Finally, if you wish to use some other JCE provider not recognized above, you must specify the provider's fully-qualified class name (which in turn must have a public, no argument constructor).

        The application must be given the SecurityPermission with a value of insertProvider.&lt;provider_name&gt; (where <provider_name> is the name of the algorithm provider if a security manager is installed.

        Parameters:
        algProvider - Name of the JCE algorithm provider. If the name contains a ".", this is interpreted as the name of a java.security.Provider class name.
        pos - The preference position (starting at 1) that the caller would like for this provider. If you wish for it to be installed as the last provider (as of the time of this call), set pos to -1.
        Returns:
        The actual preference position at which the provider was added, or -1 if the provider was not added because it is already installed.
        Throws:
        java.security.NoSuchProviderException - - thrown if the provider class could not be loaded or added to the SecurityManager or any other reason for failure.

      • loadESAPIPreferredJCEProvider

        public static int loadESAPIPreferredJCEProvider()
                                         throws java.security.NoSuchProviderException
        Load the preferred JCE provider for ESAPI based on the ESAPI.properties property Encryptor.PreferredJCEProvider. If this property is null (i.e., unset) or set to an empty string, then no JCE provider is inserted at the "preferred" position and thus the Java VM continues to use whatever the default it was using for this (generally specified in the file $JAVA_HOME/jre/security/java.security).
        Returns:
        The actual preference position at which the provider was added, (which is expected to be 1) or -1 if the provider was not added because it is already installed at some other position. -1 is also returned if the Encryptor.PreferredJCEProvider was not set or set to an empty string, i.e., if the application has no preferred JCE provider.
        Throws:
        java.security.NoSuchProviderException - - thrown if the provider class could not be loaded or added to the SecurityManager or any other reason for failure.
        See Also:
        ESAPI 2.0 Symmetric Encryption User Guide