Table of Contents
- Title and Copyright Information
- Preface
-
1
General Security
- Terms and Definitions
- Java Security Overview
-
Java SE Platform Security Architecture
- Introduction
- Protection Mechanisms – Overview of Basic Concepts
-
Permissions and Security Policy
-
The Permission Classes
- java.security.Permission
- java.security.PermissionCollection
- java.security.Permissions
- java.security.UnresolvedPermission
- java.io.FilePermission
- java.net.SocketPermission
- java.security.BasicPermission
- java.util.PropertyPermission
- java.lang.RuntimePermission
- java.awt.AWTPermission
- java.net.NetPermission
- java.lang.reflect.ReflectPermission
- java.io.SerializablePermission
- java.security.SecurityPermission
- java.security.AllPermission
- javax.security.auth.AuthPermission
- Discussion of Permission Implications
- How To Create New Types of Permissions
- java.security.CodeSource
- java.security.Policy
- java.security.GeneralSecurityException
-
The Permission Classes
- Access Control Mechanisms and Algorithms
- Secure Class Loading
- Security Management
- GuardedObject and SignedObject
- Discussion and Future Directions
- Appendix A: API for Privileged Blocks
- Appendix B: Acknowledgments
- Appendix C: References
- Standard Algorithm Names
-
Permissions in the JDK
- Permission Descriptions and Risks
- Default Policy Implementation and Policy File Syntax
- Appendix A: FilePermission Path Name Canonicalization Disabled By Default
- Troubleshooting Security
-
2
Java Cryptography Architecture (JCA) Reference Guide
- Introduction to Java Cryptography Architecture
-
Core Classes and Interfaces
- The Provider Class
- The Security Class
- The SecureRandom Class
- The MessageDigest Class
- The Signature Class
- The Cipher Class
- Other Cipher-based Classes
- The Mac Class
- The KEM Class
- Key Interfaces
- The KeyPair Class
- Key Specification Interfaces and Classes
- Generators and Factories
- The KeyAgreement Class
- Key Management
- Algorithm Parameters Classes
- The CertificateFactory Class
- How the JCA Might Be Used in a SSL/TLS Implementation
- Cryptographic Strength Configuration
- Jurisdiction Policy File Format
- How to Make Applications Exempt from Cryptographic Restrictions
- Standard Names
- Packaging Your Application
-
Additional JCA Code Samples
- Computing a MessageDigest Object
- Generating a Pair of Keys
- Generating and Verifying a Signature Using Generated Keys
- Generating/Verifying Signatures Using Key Specifications and KeyFactory
- Generating Random Numbers
- Determining If Two Keys Are Equal
- Reading Base64-Encoded Certificates
- Parsing a Certificate Reply
- Using Encryption
- Using Password-Based Encryption
- Encapsulating and Decapsulating Keys
- Sample Programs for Diffie-Hellman Key Exchange, AES/GCM, and HMAC-SHA256
-
3
How to Implement a Provider in the Java Cryptography Architecture
- Who Should Read This Document
- Notes on Terminology
- Introduction to Implementing Providers
- Engine Classes and Corresponding Service Provider Interface Classes
-
Steps to Implement and Integrate a Provider
- Step 1: Write your Service Implementation Code
- Step 2: Give your Provider a Name
- Step 3: Write Your Master Class, a Subclass of Provider
- Step 4: Create a Module Declaration for Your Provider
- Step 5: Compile Your Code
- Step 6: Place Your Provider in a JAR File
- Step 7: Sign Your JAR File, If Necessary
- Step 8: Prepare for Testing
- Step 9: Write and Compile Your Test Programs
- Step 10: Run Your Test Programs
- Step 11: Apply for U.S. Government Export Approval If Required
- Step 12: Document Your Provider and Its Supported Services
- Step 13: Make Your Class Files and Documentation Available to Clients
-
Further Implementation Details and Requirements
- Alias Names
- Service Interdependencies
- Default Initialization
- Default Key Pair Generator Parameter Requirements
- The Provider.Service Class
- Signature Formats
- DSA Interfaces and their Required Implementations
- RSA Interfaces and their Required Implementations
- Diffie-Hellman Interfaces and their Required Implementations
- Interfaces for Other Algorithm Types
- Algorithm Parameter Specification Interfaces and Classes
- Key Specification Interfaces and Classes Required by Key Factories
- Secret-Key Generation
- Adding New Object Identifiers
- Ensuring Exportability
- Sample Code for MyProvider
-
4
JDK Providers Documentation
- Introduction to JDK Providers
- Import Limits on Cryptographic Algorithms
- Cipher Transformations
- SecureRandom Implementations
- The SunPKCS11 Provider
- The SUN Provider
- The SunRsaSign Provider
- The SunJSSE Provider
- The SunJCE Provider
- The SunJGSS Provider
- The SunSASL Provider
- The XMLDSig Provider
- The SunPCSC Provider
- The SunMSCAPI Provider
- The SunEC Provider
- The Apple Provider
- The JdkLDAP Provider
- The JdkSASL Provider
-
5
PKCS#11 Reference Guide
- SunPKCS11 Provider
- SunPKCS11 Requirements
- SunPKCS11 Configuration
- Accessing Network Security Services (NSS)
- Troubleshooting PKCS#11
- Disabling PKCS#11 Providers and/or Individual PKCS#11 Mechanisms
- Application Developers
- Using keytool and jarsigner with PKCS#11 Tokens
- Keystore Entry Syntax in Policy File
- Provider Developers
- SunPKCS11 Provider Supported Algorithms
- SunPKCS11 Provider KeyStore Requirements
- Example Provider
-
6
Java Authentication and Authorization Service (JAAS)
-
Java Authentication and Authorization Service (JAAS) Reference Guide
- Who Should Read This Document
- Related Documentation
- Core Classes and Interfaces
- JAAS Tutorials and Sample Programs
- Appendix A: JAAS Settings in the java.security Security Properties File
- Appendix B: JAAS Login Configuration File
- JAAS Tutorials
-
Java Authentication and Authorization Service (JAAS): LoginModule Developer's Guide
- Introduction to LoginModule
-
Steps to Implement a LoginModule
- Step 1: Understand the Authentication Technology
- Step 2: Name the LoginModule Implementation
- Step 3: Implement the LoginModule Interface
- Step 4: Choose or Write a Sample Application
- Step 5: Compile the LoginModule and Application
- Step 6: Prepare for Testing
- Step 7: Test Use of the LoginModule
- Step 8: Document Your LoginModule Implementation
- Step 9: Make LoginModule JAR File and Documents Available
-
Java Authentication and Authorization Service (JAAS) Reference Guide
-
7
Java Generic Security Services (Java GSS-API)
-
Introduction to JAAS and Java GSS-API Tutorials
- When to Use Java GSS-API Versus JSSE
-
Use of Java GSS-API for Secure Message Exchanges Without JAAS Programming
- Overview of the Client and Server Applications
- The SampleClient and SampleServer Code
- Kerberos User and Service Principal Names
- The Login Configuration File
- The useSubjectCredsOnly System Property
- Running the SampleClient and SampleServer Programs
- JAAS Authentication
- JAAS Authorization
- Use of JAAS Login Utility
- Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges
- More Things You Can Do with Java GSS-API and JAAS
- Kerberos Requirements
- Troubleshooting
- Source Code for JAAS and Java GSS-API Tutorials
- Related Documentation
- Accessing Native GSS-API
- Single Sign-on Using Kerberos in Java
-
Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On
- Part I : Secure Authentication using the Java Authentication and Authorization Service (JAAS)
- Part II : Secure Communications using the Java SE Security API
- Part III : Deploying for Single Sign-On in a Kerberos Environment
- Part IV : Secure Communications Using Stronger Encryption Algorithms
- Part V : Secure Authentication Using SPNEGO Java GSS Mechanism
- Part VI: HTTP/SPNEGO Authentication
- Source Code for Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On
- Appendix A: Setting up Kerberos Accounts
- The Kerberos 5 GSS-API Mechanism
-
Introduction to JAAS and Java GSS-API Tutorials
-
8
Java Secure Socket Extension (JSSE) Reference Guide
- Introduction to JSSE
- Transport Layer Security (TLS) Protocol Overview
-
JSSE Classes and Interfaces
- JSSE Core Classes and Interfaces
- SocketFactory and ServerSocketFactory Classes
- SSLSocketFactory and SSLServerSocketFactory Classes
- SSLSocket and SSLServerSocket Classes
- SSLEngine Class
- SSLSession and ExtendedSSLSession
- HttpsURLConnection Class
- Support Classes and Interfaces
-
Secondary Support Classes and Interfaces
- SSLParameters Class
- SSLSessionContext Interface
- SSLSessionBindingListener Interface
- SSLSessionBindingEvent Class
- HandShakeCompletedListener Interface
- HandShakeCompletedEvent Class
- HostnameVerifier Interface
- X509Certificate Class
- AlgorithmConstraints Interface
- StandardConstants Class
- SNIServerName Class
- SNIMatcher Class
- SNIHostName Class
-
Customizing JSSE
- How to Specify a java.lang.System Property
- How to Specify a java.security.Security Property
- Customizing the X509Certificate Implementation
- Specifying Default Enabled Cipher Suites
- Specifying an Alternative HTTPS Protocol Implementation
- Customizing the Provider Implementation
- Registering the Cryptographic Provider Statically
- Registering the Cryptographic Service Provider Dynamically
- Provider Configuration
- Configuring the Preferred Provider for Specific Algorithms
- Customizing the Default Keystores and Truststores, Store Types, and Store Passwords
- Customizing the Default Key Managers and Trust Managers
- Disabled and Restricted Cryptographic Algorithms
- Legacy Cryptographic Algorithms
- Customizing the Encryption Algorithm Providers
- Customizing the Size of Ephemeral Diffie-Hellman Keys
- Customizing the Maximum Fragment Length Negotiation (MFLN) Extension
- Configuring the Maximum and Minimum Packet Size
- Limiting Amount of Data Algorithms May Encrypt with a Set of Keys
- Resuming Session Without Server-Side State
- Specifying That close_notify Alert Is Sent When One Is Received
- Enabling certificate_authorities Extension for Server Certificate Selection
- SunJSSE Renegotiation Interoperability Modes
- Client-Driven OCSP and OCSP Stapling
- Configuring Default Extensions
- Specifying Signature Schemes That Can Be Used over the TLS/DTLS Protocols
- Customizing the Supported Named Groups for TLS/DTLS Key Exchange
- Hardware Acceleration and Smartcard Support
- Additional Keystore Formats (PKCS12)
- Server Name Indication (SNI) Extension
- TLS Application Layer Protocol Negotiation
-
Troubleshooting JSSE
-
Configuration Problems
- SSLHandshakeException: No Available Authentication Scheme, Handshake Failure
- CertificateException While Handshaking
- Runtime Exception: SSL Service Not Available
- Runtime Exception: "No available certificate corresponding to the SSL cipher suites which are enabled"
- Runtime Exception: No Cipher Suites in Common
- Socket Disconnected After Sending ClientHello Message
- SunJSSE Cannot Find a JCA Provider That Supports a Required Algorithm and Causes a NoSuchAlgorithmException
- Exception Thrown When Obtaining Application Resources from a Virtual Host Web Server that Requires an SNI Extension
- IllegalArgumentException When RC4 Cipher Suites are Configured for DTLS
- Debugging Utilities
-
Configuration Problems
- Compatibility Risks and Known Issues
- Code Examples
- Standard Names
- Provider Pluggability
-
9
Java PKI Programmer's
Guide
- PKI Programmer's Guide Overview
-
Core Classes and Interfaces
- Basic Certification Path Classes
- Certification Path Validation Classes
- Certification Path Building Classes
- Certificate/CRL Storage Classes
- PKIX Classes
- Implementing a Service Provider
- Appendix A: Standard Names
- Appendix B: CertPath Implementation in SUN Provider
- Appendix C: OCSP Support
- Appendix D: CertPath Implementation in JdkLDAP Provider
- Appendix E: Disabling Cryptographic Algorithms
- 10 Java SASL API Programming and Deployment Guide
- 11 XML Digital Signature API Overview and Tutorial
-
12
Java API for XML Processing (JAXP)
Security Guide
- Security Issues in XML Processing
-
Configuring JAXP for Secure XML
Processing
- JAXP APIs
- Factories and Processors
- Configuring with JAXP Properties
- Security-Related Properties
- Using Resolvers and Catalogs
- Handling Errors from JAXP Properties
- General Recommendations for JAXP Security
- Relationship with Security Manager
- Appendix A: Glossary of Java API for XML Processing Terms and Definitions
- Appendix B: Java and JDK XML Features and Properties Naming Convention
- 13 Security API Specification
- 14 Related Security Topics