org.h2.security

Class CipherFactory

java.lang.Object

org.h2.security.CipherFactory

public class CipherFactory
extends java.lang.Object

A factory to create new block cipher objects.

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	DEFAULT_LEGACY_ALGORITHMS The value of "jdk.tls.legacyAlgorithms" security property at the time of class initialization.
static java.lang.String	KEYSTORE_PASSWORD The default password to use for the .h2.keystore file
static java.lang.String	LEGACY_ALGORITHMS_SECURITY_KEY The security property which can prevent anonymous TLS connections.

Method Summary

Modifier and Type	Method and Description
static java.net.ServerSocket	createServerSocket(int port, java.net.InetAddress bindAddress) Create a secure server socket.
static java.net.Socket	createSocket(java.net.InetAddress address, int port) Create a secure client socket that is connected to the given address and port.
static BlockCipher	getBlockCipher(java.lang.String algorithm) Get a new block cipher object for the given algorithm.
static java.security.KeyStore	getKeyStore(java.lang.String password) Get the keystore object using the given password.
static java.lang.String	getLegacyAlgorithmsSilently() Returns the security property "jdk.tls.legacyAlgorithms".
static void	removeAnonFromLegacyAlgorithms() Attempts to weaken the security properties to allow anonymous TLS.
static java.lang.String	removeDhAnonFromCommaSeparatedList(java.lang.String list) Removes DH_anon and ECDH_anon from a comma separated list of ciphers.
static void	resetDefaultLegacyAlgorithms() Attempts to resets the security property to the default value.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

KEYSTORE_PASSWORD

public static final java.lang.String KEYSTORE_PASSWORD

The default password to use for the .h2.keystore file

See Also:

Constant Field Values

LEGACY_ALGORITHMS_SECURITY_KEY

public static final java.lang.String LEGACY_ALGORITHMS_SECURITY_KEY

The security property which can prevent anonymous TLS connections. Introduced into Java 6, 7, 8 in updates from July 2015.

See Also:

Constant Field Values

DEFAULT_LEGACY_ALGORITHMS

public static final java.lang.String DEFAULT_LEGACY_ALGORITHMS

The value of "jdk.tls.legacyAlgorithms" security property at the time of class initialization. Null if it is not set.

Method Detail

getBlockCipher

public static BlockCipher getBlockCipher(java.lang.String algorithm)

Get a new block cipher object for the given algorithm.

Parameters:

algorithm - the algorithm

Returns:

a new cipher object

createSocket

public static java.net.Socket createSocket(java.net.InetAddress address,
                                           int port)
                                    throws java.io.IOException

Create a secure client socket that is connected to the given address and port.

Parameters:

address - the address to connect to

port - the port

Returns:

the socket

Throws:

java.io.IOException

createServerSocket

public static java.net.ServerSocket createServerSocket(int port,
                                                       java.net.InetAddress bindAddress)
                                                throws java.io.IOException

Create a secure server socket. If a bind address is specified, the socket is only bound to this address. If h2.enableAnonymousTLS is true, an attempt is made to modify the security property jdk.tls.legacyAlgorithms (in newer JVMs) to allow anonymous TLS. This system change is effectively permanent for the lifetime of the JVM.

Parameters:

port - the port to listen on

bindAddress - the address to bind to, or null to bind to all addresses

Returns:

the server socket

Throws:

java.io.IOException

See Also:

removeAnonFromLegacyAlgorithms()

removeDhAnonFromCommaSeparatedList

public static java.lang.String removeDhAnonFromCommaSeparatedList(java.lang.String list)

Removes DH_anon and ECDH_anon from a comma separated list of ciphers. Only the first occurrence is removed. If there is nothing to remove, returns the reference to the argument.

Parameters:

list - a list of names separated by commas (and spaces)

Returns:

a new string without DH_anon and ECDH_anon items, or the original if none were found

removeAnonFromLegacyAlgorithms

public static void removeAnonFromLegacyAlgorithms()

Attempts to weaken the security properties to allow anonymous TLS. New JREs would not choose an anonymous cipher suite in a TLS handshake if server-side security property "jdk.tls.legacyAlgorithms" were not modified from the default value.

NOTE: In current (as of 2016) default implementations of JSSE which use this security property, the value is permanently cached inside the ServerHandshake class upon its first use. Therefore the modification accomplished by this method has to be done before the first use of a server SSL socket. Later changes to this property will not have any effect on server socket behavior.

resetDefaultLegacyAlgorithms

public static void resetDefaultLegacyAlgorithms()

Attempts to resets the security property to the default value. The default value of "jdk.tls.legacyAlgorithms" was obtained at time of class initialization.

NOTE: Resetting the property might not have any effect on server socket behavior.

See Also:

removeAnonFromLegacyAlgorithms()

getLegacyAlgorithmsSilently

public static java.lang.String getLegacyAlgorithmsSilently()

Returns the security property "jdk.tls.legacyAlgorithms". Ignores security exceptions.

Returns:

the value of the security property, or null if not set or not accessible

getKeyStore

public static java.security.KeyStore getKeyStore(java.lang.String password)
                                          throws java.io.IOException

Get the keystore object using the given password.

Parameters:

password - the keystore password

Returns:

the keystore

Throws:

java.io.IOException