public class SecurityProviderLoader extends Object
Loads a java.security.Provider either by some generic name (i.e., Provider.getName()) or by a fully-qualified class name. It is intended to be called dynamically by an application to add a specific JCE provider at runtime.
If the ESAPI.properties file has the property ESAPI.PreferredJCEProvider defined to either a recognized JCE provider (see below for list) or a fully qualified path name of that JCE provider's Provider class, then the reference implementation of ESAPI cryptography (org.owasp.esapi.reference.crypto.JavaEncryptor) tries to load this specified JCE provider via insertProviderAt(String,int).
Constructor and Description |
---|
SecurityProviderLoader() |
Modifier and Type | Method and Description |
---|---|
static int | insertProviderAt(String algProvider, int pos): This method adds a provider to the SecurityManager either by some generic name or by the class name. |
static int | loadESAPIPreferredJCEProvider(): Load the preferred JCE provider for ESAPI based on the ESAPI.properties property Encryptor.PreferredJCEProvider. |
public static int insertProviderAt(String algProvider, int pos) throws NoSuchProviderException
This method adds a provider to the SecurityManager either by some generic name or by the class name.
The following generic JCE provider names are built-in:
ESAPI.properties property Encryptor.cipher_modes.combined_modes for details.)
For those working in the U.S. federal government, it should be noted that none of the providers listed here are considered validated by NIST's Cryptographic Module Validation Program and are therefore not considered FIPS 140-2 compliant. There are a few approved JCE compatible Java libraries that are on NIST's CMVP list, but this list changes constantly so they are not listed here. For further details on NIST's CMVP, see "http://csrc.nist.gov/groups/STM/cmvp/index.html".
Finally, if you wish to use some other JCE provider not recognized above, you must specify the provider's fully-qualified class name (which in turn must have a public, no argument constructor).
The application must be given the SecurityPermission with a value of insertProvider.<provider_name> (where <provider_name> is the name of the algorithm provider) if a security manager is installed.
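An added example (not ESAPI's own code and not part of the original page) of the contract described above, using only the JDK: a name containing "." is treated as a Provider class with a public no-argument constructor, a pos of -1 appends, and the result is checked against the live provider list. The package, DemoProvider, "DemoJCE" and insertByClassName are constructed for illustration; Java 9 or later is assumed for the Provider constructor used.

```java
package example.jce; // constructed package so the demo class name contains a "."

import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;

public class ProviderLoadDemo {
    /** Constructed stand-in for a third-party JCE provider (public no-arg constructor). */
    public static final class DemoProvider extends Provider {
        public DemoProvider() { super("DemoJCE", "1.0", "constructed demo provider"); }
    }

    /** Hypothetical helper following the documented contract; not ESAPI's code. */
    static int insertByClassName(String className, int pos) throws NoSuchProviderException {
        if (!className.contains(".")) {
            throw new NoSuchProviderException("expected a fully-qualified class name: " + className);
        }
        final Provider p;
        try {
            Object o = Class.forName(className).getDeclaredConstructor().newInstance();
            if (!(o instanceof Provider)) {
                throw new NoSuchProviderException(className + " is not a java.security.Provider");
            }
            p = (Provider) o;
        } catch (ReflectiveOperationException e) {
            throw new NoSuchProviderException("cannot load " + className + ": " + e);
        }
        // With a security manager installed, both calls below require
        // SecurityPermission "insertProvider.<provider_name>".
        // pos == -1 appends; either call returns -1 if the provider is already installed.
        return (pos == -1) ? Security.addProvider(p) : Security.insertProviderAt(p, pos);
    }

    public static void main(String[] args) throws Exception {
        String cls = DemoProvider.class.getName();
        System.out.println("first insert at 1 -> " + insertByClassName(cls, 1));
        System.out.println("second insert     -> " + insertByClassName(cls, 1));
        // Verify the effective order rather than trusting the configuration.
        Provider[] order = Security.getProviders();
        for (int i = 0; i < order.length; i++) {
            System.out.println((i + 1) + ". " + order[i].getName());
        }
        Security.removeProvider("DemoJCE"); // leave the JVM's provider list as it was
    }
}
```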
algProvider - Name of the JCE algorithm provider. If the name contains a ".", this is interpreted as the name of a java.security.Provider class name.
pos - The preference position (starting at 1) that the caller would like for this provider. If you wish for it to be installed as the last provider (as of the time of this call), set pos to -1.
NoSuchProviderException - thrown if the provider class could not be loaded or added to the SecurityManager or for any other reason.
public static int loadESAPIPreferredJCEProvider() throws NoSuchProviderException
Load the preferred JCE provider for ESAPI based on the ESAPI.properties property Encryptor.PreferredJCEProvider. If this property is null (i.e., unset) or set to an empty string, then no JCE provider is inserted at the "preferred" position and thus the Java VM continues to use whatever default it was using (generally specified in the file $JAVA_HOME/jre/security/java.security).
Encryptor.PreferredJCEProvider was not set or set to an empty string, i.e., if the application has no preferred JCE provider.
NoSuchProviderException - thrown if the provider class could not be loaded or added to the SecurityManager or for any other reason.
Copyright © 2016 The Open Web Application Security Project (OWASP). All rights reserved.