org.owasp.esapi.crypto
Class SecurityProviderLoader

java.lang.Object
  extended by org.owasp.esapi.crypto.SecurityProviderLoader

public class SecurityProviderLoader
extends java.lang.Object

This class provides a generic static method that loads a java.security.Provider either by some generic name (i.e., Provider.getName()) or by a fully-qualified class name. It is intended to be called dynamically by an application to add a specific JCE provider at runtime.

If the ESAPI.properties file has a the property ESAPI.PreferredJCEProvider defined to either a recognized JCE provider (see below for list) or a fully qualified path name of that JCE provider's Provider class, then the reference implementation of ESAPI cryptography (org.owasp.esapi.reference.crypto.JavaEncryptor) tries to load this specified JCE provider via insertProviderAt(String,int).


Constructor Summary
SecurityProviderLoader()
           
 
Method Summary
static int insertProviderAt(java.lang.String algProvider, int pos)
          This methods adds a provider to the SecurityManager either by some generic name or by the class name.
static int loadESAPIPreferredJCEProvider()
          Load the preferred JCE provider for ESAPI based on the ESAPI.properties property Encryptor.PreferredJCEProvider.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SecurityProviderLoader

public SecurityProviderLoader()
Method Detail

insertProviderAt

public static int insertProviderAt(java.lang.String algProvider,
                                   int pos)
                            throws java.security.NoSuchProviderException
This methods adds a provider to the SecurityManager either by some generic name or by the class name.

The following generic JCE provider names are built-in:

Note that neither Cryptix or ABA are actively maintained so it is recommended that you do not start using them for ESAPI unless your application already has a dependency on them. Furthermore, the Cryptix JCE jars likely will not work as the Cryptix code signing certificate has expired as of August 28, 2009. (This likely is true for ABA, but I can't even find a copy to download!). Lastly, the IAIK provider is no longer offered as free, open source. It is not a commercial product. See http://jce.iaik.tugraz.at/ for details. While some older versions were offered free, it is not clear whether the accompanying license still allows you to use it, and if it does, whether or not the code signing certificate used to sign their JCE jar(s) has expired are not. Therefore, if you are looking for a FOSS alternative to SunJCE, Bouncy Castle (http://www.bouncycastle.org/ is probably your best bet. The BC provider does support many the "combined cipher modes" that provide both confidentiality and authenticity. (See the ESAPI.properties property Encryptor.cipher_modes.combined_modes for details.)

For those working in the U.S. federal government, it should be noted that none of the providers listed here are considered validated by NIST's Cryptographic Module Validation Program and are therefore not considered FIPS 140-2 compliant. There are a few approved JCE compatible Java libraries that are on NIST's CMVP list, but this list changes constantly so they are not listed here. For futher details on NIST's CMVP, see http://csrc.nist.gov/groups/STM/cmvp/index.html.

Finally, if you wish to use some other JCE provider not recognized above, you must specify the provider's fully-qualified class name (which in turn must have a public, no argument constructor).

The application must be given the SecurityPermission with a value of insertProvider.&lt;provider_name&gt; (where <provider_name> is the name of the algorithm provider if a security manager is installed.

Parameters:
algProvider - Name of the JCE algorithm provider. If the name contains a ".", this is interpreted as the name of a java.security.Provider class name.
pos - The preference position (starting at 1) that the caller would like for this provider. If you wish for it to be installed as the last provider (as of the time of this call), set pos to -1.
Returns:
The actual preference position at which the provider was added, or -1 if the provider was not added because it is already installed.
Throws:
java.security.NoSuchProviderException - - thrown if the provider class could not be loaded or added to the SecurityManager or any other reason for failure.

loadESAPIPreferredJCEProvider

public static int loadESAPIPreferredJCEProvider()
                                         throws java.security.NoSuchProviderException
Load the preferred JCE provider for ESAPI based on the ESAPI.properties property Encryptor.PreferredJCEProvider. If this property is null (i.e., unset) or set to an empty string, then no JCE provider is inserted at the "preferred" position and thus the Java VM continues to use whatever the default it was using for this (generally specified in the file $JAVA_HOME/jre/security/java.security).

Returns:
The actual preference position at which the provider was added, (which is expected to be 1) or -1 if the provider was not added because it is already installed at some other position. -1 is also returned if the Encryptor.PreferredJCEProvider was not set or set to an empty string, i.e., if the application has no preferred JCE provider.
Throws:
java.security.NoSuchProviderException - - thrown if the provider class could not be loaded or added to the SecurityManager or any other reason for failure.
See Also:
ESAPI 2.0 Symmetric Encryption User Guide


Copyright © 2011 The Open Web Application Security Project (OWASP). All Rights Reserved.