Package org.wildfly.security.ssl
Class CipherSuiteSelector
- java.lang.Object
-
- org.wildfly.security.ssl.CipherSuiteSelector
-
public abstract class CipherSuiteSelector extends Object
An immutable filter for SSL/TLS cipher suites.- Author:
- David M. Lloyd
-
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description CipherSuiteSelector
add(String cipherSuiteName)
A convenience method to add a cipher suite by name.CipherSuiteSelector
add(CipherSuitePredicate predicate)
Add all cipher suites which are matched by the given predicate.CipherSuiteSelector
deleteFully(String cipherSuiteName)
A convenience method to permanently delete a cipher suite by name.CipherSuiteSelector
deleteFully(CipherSuitePredicate predicate)
Permanently delete all cipher suites which are matched by the given predicate.static CipherSuiteSelector
empty()
Get the basic empty SSL cipher suite selector.String[]
evaluate(String[] supportedMechanisms)
Evaluate this selector against the given list of JSSE supported mechanisms.static CipherSuiteSelector
fromString(String string)
Create a cipher suite selector from the given OpenSSL-style cipher list string.static CipherSuiteSelector
openSslAll()
Get the cipher selector which OpenSSL defines asALL
.static CipherSuiteSelector
openSslDefault()
Get the cipher selector which OpenSSL defines asDEFAULT
.CipherSuiteSelector
pushToEnd(String cipherSuiteName)
A convenience method to push a cipher suite by name to the end of the enabled ciphers list.CipherSuiteSelector
pushToEnd(CipherSuitePredicate predicate)
Push all cipher suites which are matched by the given predicate to the end of the enabled ciphers list.CipherSuiteSelector
remove(String cipherSuiteName)
A convenience method to remove a cipher suite by name.CipherSuiteSelector
remove(CipherSuitePredicate predicate)
Remove all cipher suites which are matched by the given predicate.CipherSuiteSelector
sortByAlgorithmKeyLength()
Sort all of the enabled ciphers by decreasing key length.String
toString()
-
-
-
Method Detail
-
empty
public static CipherSuiteSelector empty()
Get the basic empty SSL cipher suite selector.- Returns:
- the empty selector
-
openSslDefault
public static CipherSuiteSelector openSslDefault()
Get the cipher selector which OpenSSL defines asDEFAULT
.- Returns:
- the selector
- See Also:
CipherSuitePredicate.matchOpenSslDefaultDeletes()
-
openSslAll
public static CipherSuiteSelector openSslAll()
Get the cipher selector which OpenSSL defines asALL
.- Returns:
- the selector
- See Also:
CipherSuitePredicate.matchOpenSslAll()
-
deleteFully
public CipherSuiteSelector deleteFully(CipherSuitePredicate predicate)
Permanently delete all cipher suites which are matched by the given predicate. Matching ciphers cannot be re-added by a later rule (such rules will be ignored).- Parameters:
predicate
- the predicate to match- Returns:
- a new selector which includes the new rule
-
deleteFully
public CipherSuiteSelector deleteFully(String cipherSuiteName)
A convenience method to permanently delete a cipher suite by name. This is a shortcut for callingdeleteFully(Predicate.matchName(cipherSuiteName))
. The cipher suite name must be a standard or OpenSSL-style mechanism name identifying a single mechanism.- Parameters:
cipherSuiteName
- the cipher suite name- Returns:
- a new selector which includes the new rule
-
remove
public CipherSuiteSelector remove(CipherSuitePredicate predicate)
Remove all cipher suites which are matched by the given predicate. Matching ciphers may be re-added by a later rule.- Parameters:
predicate
- the predicate to match- Returns:
- a new selector which includes the new rule
-
remove
public CipherSuiteSelector remove(String cipherSuiteName)
A convenience method to remove a cipher suite by name. This is a shortcut for callingremove(Predicate.matchName(cipherSuiteName))
. The cipher suite name must be a standard or OpenSSL-style mechanism name identifying a single mechanism.- Parameters:
cipherSuiteName
- the cipher suite name- Returns:
- a new selector which includes the new rule
-
add
public CipherSuiteSelector add(CipherSuitePredicate predicate)
Add all cipher suites which are matched by the given predicate. The cipher suites are added in a reasonably logical order. Any suites which are not supported by the underlying socket layer will not be added.- Parameters:
predicate
- the predicate to match- Returns:
- a new selector which includes the new rule
-
add
public CipherSuiteSelector add(String cipherSuiteName)
A convenience method to add a cipher suite by name. If the underlying socket layer does not support the named cipher suite, or if the cipher suite is invalid, it will not be added. This is a shortcut for callingadd(Predicate.matchName(cipherSuiteName))
. The cipher suite name must be a standard or OpenSSL-style mechanism name identifying a single mechanism.- Parameters:
cipherSuiteName
- the cipher suite name- Returns:
- a new selector which includes the new rule
-
pushToEnd
public CipherSuiteSelector pushToEnd(CipherSuitePredicate predicate)
Push all cipher suites which are matched by the given predicate to the end of the enabled ciphers list. Only cipher suites which are already enabled will be moved; no cipher suites are added by this transformation.- Parameters:
predicate
- the predicate to match- Returns:
- a new selector which includes the new rule
-
pushToEnd
public CipherSuiteSelector pushToEnd(String cipherSuiteName)
A convenience method to push a cipher suite by name to the end of the enabled ciphers list. This is a shortcut for callingpushToEnd(Predicate.matchName(cipherSuiteName))
. In particular, no cipher suites are added by this transformation. The cipher suite name must be a standard or OpenSSL-style mechanism name identifying a single mechanism.- Parameters:
cipherSuiteName
- the cipher suite name- Returns:
- a new selector which includes the new rule
-
sortByAlgorithmKeyLength
public CipherSuiteSelector sortByAlgorithmKeyLength()
Sort all of the enabled ciphers by decreasing key length. Only the ciphers which were added by previous rules will be sorted.- Returns:
- a new selector which includes the sort
-
evaluate
public final String[] evaluate(String[] supportedMechanisms)
Evaluate this selector against the given list of JSSE supported mechanisms.- Parameters:
supportedMechanisms
- the supported mechanisms- Returns:
- the enabled mechanisms (not
null
)
-
fromString
public static CipherSuiteSelector fromString(String string) throws IllegalArgumentException
Create a cipher suite selector from the given OpenSSL-style cipher list string. The rules of the string are as follows:- Each item is separated from the other items by a colon (":"), though for compatibility, commas (",") or spaces (" ") are allowed delimiters as well.
- The items are evaluated in order from left to right.
-
Each item may consist of one of the following:
- An OpenSSL-style cipher suite name like
DH-RSA-AES256-SHA256
, which adds the named cipher suite to the end of the list (if it is supported and not already present). - A standard SSL/TLS cipher suite name like
TLS_DH_RSA_WITH_AES_256_CBC_SHA256
, which adds the named cipher suite to the end of the list (if it is supported and not already present). -
Any of the following special keywords:
HIGH
, which matches all supported cipher suites with "high" encryption, presently defined as all cipher suites with key lengths larger than 128 bits, and some with key lengths of exactly 128 bits (seeSecurityLevel.HIGH
).MEDIUM
, which matches all supported cipher suites with "medium" encryption, presently defined as some cipher suites with 128 bit keys (seeSecurityLevel.MEDIUM
).LOW
, which matches all supported cipher suites with "low" encryption, presently defined as cipher suites which use 64- or 56-bit encryption but excluding export cipher suites (seeSecurityLevel.LOW
).EXP
orEXPORT
, which matches supported cipher suites using export algorithms, presently defined as cipher suites which include those that use 56- or 40-bit encryption algorithms (seeSecurityLevel.EXP40
andSecurityLevel.EXP56
) .
EXPORT40
, which matches supported cipher suites using export algorithms with 40-bit encryption (seeSecurityLevel.EXP40
).EXPORT56
, which matches supported cipher suites using export algorithms with 56-bit encryption (seeSecurityLevel.EXP56
).eNULL
orNULL
, which matches supported cipher suites without encryption (seeEncryption.NULL
).aNULL
, which matches supported cipher suites without authentication (i.e. they are anonymous) (seeAuthentication.NULL
).kRSA
, which matches supported cipher suites using RSA key exchange (seeKeyAgreement.RSA
).aRSA
, which matches supported cipher suites using RSA authentication (seeAuthentication.RSA
).RSA
, which matches supported cipher suites using either RSA key exchange or RSA authentication.kDHr
, which matches supported cipher suites using DH key agreement with DH certificates signed with a RSA key (seeKeyAgreement.DHr
).kDHd
, which matches supported cipher suites using DH key agreement with DH certificates signed with a DSS key (seeKeyAgreement.DHd
).kDH
, which matches any supported cipher suite using DH key agreement.kDHE
orkEDH
, which matches supported cipher suites using ephemeral DH key agreement (including anonymous cipher suites; seeKeyAgreement.DHE
).DHE
orEDH
, which matches supported cipher suites using non-anonymous ephemeral DH key agreement.ADH
, which matches supported cipher suites using anonymous DH, not including anonymous elliptic curve suites.DH
, which matches any supported cipher suite using DH.kECDHr
, which matches supported cipher suites using fixed ECDH key agreement signed using RSA keys (seeKeyAgreement.ECDHr
).kECDHe
, which matches supported cipher suites using fixed ECDH key agreement signed by ECDSA keys (seeKeyAgreement.ECDHe
).kECDH
, which matches supported cipher suites using fixed ECDH key agreement.kEECDH
orkECDHE
, which matches supported cipher suites using ephemeral ECDH key agreement (including anonymous cipher suites; seeKeyAgreement.ECDHE
).ECDHE
orEECDHE
, which matches supported cipher suites using authenticated (non-anonymous) ephemeral ECDH key agreement.AECDH
, which matches supported cipher suites using anonymous ephemeral ECDH key agreement.ECDH
, which matches all supported cipher suites using ECDH key agreement.aDSS
orDSS
, which matches supported cipher suites using DSS authentication (seeAuthentication.DSS
).aDH
, which matches supported cipher suites using DH authentication (seeAuthentication.DH
).aECDH
, which matches supported cipher suites using ECDH authentication (seeAuthentication.ECDH
).aECDSA
orECDSA
, which matches supported cipher suites using ECDSA authentication (seeAuthentication.ECDSA
).kFZA
, which matches supported cipher suites using Fortezza key agreement (seeKeyAgreement.FZA
).aFZA
, which matches supported cipher suites using Fortezza authentication (seeAuthentication.FZA
).eFZA
, which matches supported cipher suites using Fortezza encryption (seeEncryption.FZA
).FZA
, which matches all supported cipher suites using any Fortezza algorithm.TLSv1.2
, which matches supported cipher suites defined in TLS v1.2 (seeProtocol.TLSv1_2
).TLSv1
, which matches supported cipher suites defined in TLS v1 (seeProtocol.TLSv1
).SSLv3
, which matches supported cipher suites defined in SSL v3.0 (seeProtocol.SSLv3
).SSLv2
, which matches supported cipher suites defined in SSL v2.0 (seeProtocol.SSLv2
).AES256
, which matches supported cipher suites using 256-bit AES (seeEncryption.AES256
).AES128
, which matches supported cipher suites using 128-bit AES (seeEncryption.AES128
).AES
, which matches all supported cipher suites using AES.AESGCM
, which matches supported cipher suites using AES in Galois Counter Mode (GCM) (seeEncryption.AES256GCM
andEncryption.AES128GCM
).CAMELLIA256
, which matches supported cipher suites using 256-bit Camellia encryption (seeEncryption.CAMELLIA256
).CAMELLIA128
, which matches supported cipher suites using 128-bit Camellia encryption (seeEncryption.CAMELLIA128
).CAMELLIA
, which matches all supported cipher suites using any Camellia encryption.3DES
, which matches supported cipher suites using triple DES encryption (seeEncryption._3DES
).DES
, which matches supported cipher suites using plain DES encryption (seeEncryption.DES
).RC4
, which matches supported cipher suites using RC4 encryption (seeEncryption.RC4
).RC2
, which matches supported cipher suites using RC2 encryption (seeEncryption.RC2
).IDEA
, which matches supported cipher suites using IDEA encryption (seeEncryption.IDEA
).SEED
, which matches supported cipher suites using SEED encryption (seeEncryption.SEED
).MD5
, which matches supported cipher suites using the MD5 digest algorithm (seeDigest.MD5
).SHA1
orSHA
, which matches supported cipher suites using the SHA-1 digest algorithm (seeDigest.SHA1
).SHA256
, which matches supported cipher suites using the SHA-256 digest algorithm (seeDigest.SHA256
).SHA384
, which matches supported cipher suites using the SHA-384 digest algorithm (seeDigest.SHA384
).aGOST
, which matches supported cipher suites using GOST authentication.aGOST01
, which matches supported cipher suites using GOST R 34.10-2001 authentication (seeAuthentication.GOST01
).aGOST94
, which matches supported cipher suites using GOST R 34.10-94 authentication (seeAuthentication.GOST94
).kGOST
, which matches supported cipher suites using VKO 34.10 key exchange (seeKeyAgreement.GOST
).GOST94
, which matches supported cipher suites using GOST R 34.11-94 based HMAC (seeDigest.GOST94
).GOST89MAC
, which matches supported cipher suites using GOST 28147-89 based MAC (not HMAC) (seeDigest.GOST89MAC
).kPSK
, which matches supported cipher suites using pre-shared keys key agreement (seeKeyAgreement.PSK
).aPSK
, which matches supported cipher suites using pre-shared keys authentication (seeAuthentication.PSK
).PSK
, which matches supported cipher suites using pre-shared keys (seeAuthentication.PSK
andKeyAgreement.PSK
).RSAPSK
orkRSAPSK
, which matches supported cipher suites using RSA-based pre-shared keys (seeKeyAgreement.RSAPSK
).kEDHPSK
,kDHEPSK
,EDHPSK
orDHEPSK
, which matches supported cipher suites using ephemeral DH-based pre-shared keys (seeKeyAgreement.DHEPSK
).kEECDHPSK
,EECDHPSK
,kECDHEPSK
orECDHEPSK
, which matches supported cipher suites using ephemeral elliptic-curve DH-based pre-shared keys (seeKeyAgreement.ECDHEPSK
).
- More than one of any of the above keywords or cipher suite names joined by
+
symbols, which indicates that all of the items must be matched (i.e. a logical "and" operation). - The special unary
!
operator followed by any of the above keywords or cipher names, which removes the matching cipher suite(s) from the enabled list and also deletes it from the supported list, preventing any matching cipher suites from being re-added by a later rule. - The special unary
-
operator followed by any of the above keywords or cipher names, which removes the matching cipher suite(s) from the enabled list (though they may still be re-added). - The special unary
+
operator followed by any of the above keywords or cipher names, which causes any of the matching cipher suite(s) to be moved to the end of the list of enabled cipher suites. - The special
ALL
keyword, which includes all cipher suites (except for encryptionless suites; in other words, this keyword implies-eNULL
). - The special
COMPLEMENTOFALL
keyword, which is presently equivalent toeNULL
. - The special
DEFAULT
keyword, which is equivalent toALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2
. - The special
COMPLEMENTOFDEFAULT
keyword, which presently includes any anonymous cipher suites (but excludes those without encryption, which must always be enabled manually). - The special
@STRENGTH
keyword, which causes all the mechanisms enabled thus far to be automatically sorted by encryption algorithm key length in descending order.
- An OpenSSL-style cipher suite name like
- Parameters:
string
- the string to parse- Returns:
- the parsed cipher suite selector
- Throws:
IllegalArgumentException
- if the given string is not valid
-
-