Class SecurityProviderLoader
- java.lang.Object
  - org.owasp.esapi.crypto.SecurityProviderLoader
public class SecurityProviderLoader extends java.lang.Object
This class provides a generic static method that loads a java.security.Provider either by some generic name (i.e., Provider.getName()) or by a fully-qualified class name. It is intended to be called dynamically by an application to add a specific JCE provider at runtime.
If the ESAPI.properties file has the property ESAPI.PreferredJCEProvider defined to either a recognized JCE provider (see below for list) or a fully qualified path name of that JCE provider's Provider class, then the reference implementation of ESAPI cryptography (org.owasp.esapi.reference.crypto.JavaEncryptor) tries to load this specified JCE provider via insertProviderAt(String,int).
Constructor Summary
- SecurityProviderLoader()
Method Summary
- static int insertProviderAt(java.lang.String algProvider, int pos): This method adds a provider to the SecurityManager either by some generic name or by the class name.
- static int loadESAPIPreferredJCEProvider(): Load the preferred JCE provider for ESAPI based on the ESAPI.properties property Encryptor.PreferredJCEProvider.
Method Detail
insertProviderAt
public static int insertProviderAt(java.lang.String algProvider, int pos) throws java.security.NoSuchProviderException
This method adds a provider to the SecurityManager either by some generic name or by the class name.
The following generic JCE provider names are built-in:
- SunJCE
- IBMJCE [for WebSphere]
- GnuCrypto [for use with GNU Compiler for Java, i.e., gcj]
- BC [i.e., Bouncy Castle]
- IAIK
- CryptixCrypto (or Cryptix)
- ABA
ESAPI.properties property Encryptor.cipher_modes.combined_modes for details.)
For those working in the U.S. federal government, it should be noted that none of the providers listed here are considered validated by NIST's Cryptographic Module Validation Program and are therefore not considered FIPS 140-2 compliant. There are a few approved JCE-compatible Java libraries that are on NIST's CMVP list, but this list changes constantly so they are not listed here. For further details on NIST's CMVP, see http://csrc.nist.gov/groups/STM/cmvp/index.html.
Finally, if you wish to use some other JCE provider not recognized above, you must specify the provider's fully-qualified class name (which in turn must have a public, no argument constructor).
The application must be given the SecurityPermission with a value of insertProvider.<provider_name> (where <provider_name> is the name of the algorithm provider) if a security manager is installed.
Parameters:
- algProvider - Name of the JCE algorithm provider. If the name contains a ".", this is interpreted as the name of a java.security.Provider class name.
- pos - The preference position (starting at 1) that the caller would like for this provider. If you wish for it to be installed as the last provider (as of the time of this call), set pos to -1.
Returns:
- The actual preference position at which the provider was added, or -1 if the provider was not added because it is already installed.
Throws:
- java.security.NoSuchProviderException - thrown if the provider class could not be loaded or added to the SecurityManager, or if it fails for any other reason.
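The contract documented above (a "." in the name selects a Provider class, pos of -1 appends, -1 is returned when the provider is already installed), sketched with JDK classes only as an added example; it is not ESAPI's own code. The package demo, DemoProvider and insert are hypothetical names, and Java 11 or later is assumed (run with `java ProviderInsertDemo.java`).

```java
package demo;

import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

public class ProviderInsertDemo {
    // Constructed provider with a public no-arg constructor; it registers no algorithms.
    public static class DemoProvider extends Provider {
        public DemoProvider() { super("DemoJCE", "1.0", "constructed demo provider"); }
    }

    // Hypothetical helper mirroring the documented contract of insertProviderAt.
    static int insert(String algProvider, int pos) throws NoSuchProviderException {
        if (!algProvider.contains(".")) {
            // ESAPI maps generic names (SunJCE, BC, ...) to classes; that table is not reproduced here.
            throw new NoSuchProviderException("unmapped generic name: " + algProvider);
        }
        try {
            Provider p = (Provider) Class.forName(algProvider)
                    .getDeclaredConstructor().newInstance();
            // Both JDK calls return the actual position, or -1 if already installed.
            return (pos == -1) ? Security.addProvider(p) : Security.insertProviderAt(p, pos);
        } catch (ReflectiveOperationException | ClassCastException | SecurityException e) {
            throw new NoSuchProviderException(algProvider + ": " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        String cls = DemoProvider.class.getName();
        System.out.println("first insert at 1  -> " + insert(cls, 1));
        System.out.println("second insert (-1) -> " + insert(cls, -1));

        // Audit the effective preference order after insertion.
        Provider[] order = Security.getProviders();
        for (int i = 0; i < order.length; i++) {
            System.out.println((i + 1) + ". " + order[i].getName());
        }
        // Position 1 only matters for algorithms the provider implements: DemoJCE has
        // none, so this cipher is still served by a later provider in the list.
        System.out.println("AES/GCM/NoPadding served by: "
                + Cipher.getInstance("AES/GCM/NoPadding").getProvider().getName());
    }
}
```

Checking Cipher.getInstance(...).getProvider() after insertion confirms which provider actually services an algorithm, which the returned position alone does not tell you.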
loadESAPIPreferredJCEProvider
public static int loadESAPIPreferredJCEProvider() throws java.security.NoSuchProviderException
Load the preferred JCE provider for ESAPI based on the ESAPI.properties property Encryptor.PreferredJCEProvider. If this property is null (i.e., unset) or set to an empty string, then no JCE provider is inserted at the "preferred" position and thus the Java VM continues to use whatever default it was using (generally specified in the file $JAVA_HOME/jre/security/java.security).
Returns:
- The actual preference position at which the provider was added (which is expected to be 1), or -1 if the provider was not added because it is already installed at some other position. -1 is also returned if the Encryptor.PreferredJCEProvider was not set or set to an empty string, i.e., if the application has no preferred JCE provider.
Throws:
- java.security.NoSuchProviderException - thrown if the provider class could not be loaded or added to the SecurityManager, or if it fails for any other reason.
See Also:
- ESAPI 2.0 Symmetric Encryption User Guide