CipherSuite.java revision 0
/*
 * Copyright 2002-2007 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Sun designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Sun in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
 * CA 95054 USA or visit www.sun.com if you need additional information or
 */

/*
 * An SSL/TLS CipherSuite. Constants for the standard key exchange, cipher,
 * and mac algorithms are also defined in this class.
 *
 * The CipherSuite class and the inner classes defined in this file roughly
 * follow the type safe enum pattern described in Effective Java. This means:
 *
 * . instances are immutable, classes are final
 *
 * . there is a unique instance of every value, i.e. there are never two
 *   instances representing the same CipherSuite, etc. This means equality
 *   tests can be performed using == instead of equals() (although that works
 *   as well). [A minor exception are *unsupported* CipherSuites read from a
 *   handshake message, but this is usually irrelevant]
 *
 * . instances are obtained using the static valueOf() factory methods.
 *
 * . properties are defined as final variables and made available as
 *   package private variables without method accessors
 *
 * . if the member variable allowed is false, the given algorithm is either
 *   unavailable or disabled at compile time
 */

// minimum priority for supported CipherSuites

// minimum priority for default enabled CipherSuites

// Flag indicating if CipherSuite availability can change dynamically.
// This is the case when we rely on a JCE cipher implementation that
// may not be available in the installed JCE providers.
// It is true because we do not have a Java ECC implementation.
("com.sun.net.ssl.enableECC", true);

// Map Integer(id) -> CipherSuite
// contains all known CipherSuites

// Map String(name) -> CipherSuite
// contains only supported CipherSuites (i.e. allowed == true)

// Protocol defined CipherSuite name, e.g. SSL_RSA_WITH_RC4_128_MD5
// we use TLS_* only for new CipherSuites, still SSL_* for old ones

// id in 16 bit MSB format, i.e. 0x0004 for SSL_RSA_WITH_RC4_128_MD5

// priority for the internal default preference order. the higher the
// better. Each supported CipherSuite *must* have a unique priority.
// Ciphersuites with priority >= DEFAULT_SUITES_PRIORITY are enabled

// key exchange, bulk cipher, and mac algorithms. See those classes below.

// whether a CipherSuite qualifies as exportable under 512/40 bit rules.

// true iff implemented and enabled at compile time

("Unknown MAC algorithm for ciphersuite " + name);

/*
 * Return whether this CipherSuite is available for use. A
 * CipherSuite may be unavailable even if it is supported
 * (i.e. allowed == true) if the required JCE cipher is not installed.
 * In some configuration, this situation may change over time, call
 * CipherSuiteList.clearAvailableCache() before this method to obtain
 * the most current status.
 */

/*
 * Compares CipherSuites based on their priority. Has the effect of
 * sorting CipherSuites when put in a sorted collection, which is
 * used by CipherSuiteList. Follows standard Comparable contract.
 *
 * Note that for unsupported CipherSuites parsed from a handshake
 * message we violate the equals() contract.
 */

/*
 * Returns this.name.
 */

/*
 * Return a CipherSuite for the given name. The returned CipherSuite
 * is supported by this implementation but may not actually be
 * currently useable. See isAvailable().
 *
 * @exception IllegalArgumentException if the CipherSuite is unknown or
 */

/*
 * Return a CipherSuite with the given ID. A temporary object is
 * constructed if the ID is unknown. Use isAvailable() to verify that
 * the CipherSuite can actually be used.
 */

// for use by CipherSuiteList only

/*
 * An SSL/TLS key exchange algorithm.
 */

// key exchange algorithms

// Kerberos cipher suites

// name of the key exchange algorithm, e.g. DHE_DSS

/*
 * An SSL/TLS bulk cipher algorithm. One instance per combination of
 *
 * Also contains a factory method to obtain an initialized CipherBox
 */

// Map BulkCipher -> Boolean(available)

// descriptive name including key size, e.g. AES/128

// algorithm name, e.g. AES

// supported and compile time enabled. Also see isAvailable()

// number of bytes of entropy in the key

// length of the actual cipher key in bytes.
// for non-exportable ciphers, this is the same as keySize

// size of the IV (also block size)

// exportable under 512/40 bit rules

/*
 * Return an initialized CipherBox for this BulkCipher.
 * IV must be null for stream ciphers.
 *
 * @exception NoSuchAlgorithmException if anything goes wrong
 */

/*
 * Test if this bulk cipher is available. For use by CipherSuite.
 *
 * Currently all supported ciphers except AES are always available
 * via the JSSE internal implementations. We also assume AES/128
 * is always available since it is shipped with the SunJCE provider.
 * However, AES/256 is unavailable when the default JCE policy
 * jurisdiction files are installed because of key length restrictions.
 */

// for use by CipherSuiteList.clearAvailableCache();

/*
 * An SSL/TLS key MAC algorithm.
 *
 * Also contains a factory method to obtain an initialized MAC
 */

// descriptive name, e.g. MD5

// size of the MAC value (and MAC key) in bytes

/*
 * Return an initialized MAC for this MacAlg. ProtocolVersion
 * must either be SSL30 (SSLv3 custom MAC) or TLS10 (std. HMAC).
 *
 * @exception NoSuchAlgorithmException if anything goes wrong
 */

// export strength ciphers

// domestic strength ciphers

// N: ciphersuites only allowed if we are not in FIPS mode

// Definition of the CipherSuites that are enabled by default.
// They are listed in preference order, most preferred first.

// Definition of the CipherSuites that are supported but not enabled
// They are listed in preference order, preferred first.

// Anonymous key exchange and the NULL ciphers

// Supported Kerberos ciphersuites from RFC2712

// Register the names of a few additional CipherSuites.
// Makes them show up as names instead of numbers in

// remaining unsupported ciphersuites defined in RFC2246.
add("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 0x0006);
add("SSL_RSA_WITH_IDEA_CBC_SHA", 0x0007);
add("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x000b);
add("SSL_DH_DSS_WITH_DES_CBC_SHA", 0x000c);
add("SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA", 0x000d);
add("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x000e);
add("SSL_DH_RSA_WITH_DES_CBC_SHA", 0x000f);
add("SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA", 0x0010);

// SSL 3.0 Fortezza ciphersuites
add("SSL_FORTEZZA_DMS_WITH_NULL_SHA", 0x001c);
add("SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA", 0x001d);

// 1024/56 bit exportable ciphersuites from expired internet draft
add("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA", 0x0062);
add("SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", 0x0063);
add("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", 0x0064);
add("SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA", 0x0065);
add("SSL_DHE_DSS_WITH_RC4_128_SHA", 0x0066);

// Netscape old and new SSL 3.0 FIPS ciphersuites
add("NETSCAPE_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xffe0);
add("NETSCAPE_RSA_FIPS_WITH_DES_CBC_SHA", 0xffe1);
add("SSL_RSA_FIPS_WITH_DES_CBC_SHA", 0xfefe);
add("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xfeff);

// Unsupported Kerberos cipher suites from RFC 2712
add("TLS_KRB5_WITH_IDEA_CBC_SHA", 0x0021);
add("TLS_KRB5_WITH_IDEA_CBC_MD5", 0x0025);
add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", 0x0027);
add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", 0x002a);

// ciphersuite SSL_NULL_WITH_NULL_NULL