118 |
118 |
119 |
119 |
120 # |
120 # |
121 # Sun Provider SecureRandom seed source. |
121 # Sun Provider SecureRandom seed source. |
122 # |
122 # |
123 # Select the primary source of seed data for the "SHA1PRNG" and |
123 # Select the primary source of seed data for the "NativePRNG", "SHA1PRNG" |
124 # "NativePRNG" SecureRandom implementations in the "Sun" provider. |
124 # and "DRBG" SecureRandom implementations in the "Sun" provider. |
125 # (Other SecureRandom implementations might also use this property.) |
125 # (Other SecureRandom implementations might also use this property.) |
126 # |
126 # |
127 # On Unix-like systems (for example, Solaris/Linux/MacOS), the |
127 # On Unix-like systems (for example, Solaris/Linux/MacOS), the |
128 # "NativePRNG" and "SHA1PRNG" implementations obtains seed data from |
128 # "NativePRNG", "SHA1PRNG" and "DRBG" implementations obtains seed data from |
129 # special device files such as file:/dev/random. |
129 # special device files such as file:/dev/random. |
130 # |
130 # |
131 # On Windows systems, specifying the URLs "file:/dev/random" or |
131 # On Windows systems, specifying the URLs "file:/dev/random" or |
132 # "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding |
132 # "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding |
133 # mechanism for SHA1PRNG. |
133 # mechanism for SHA1PRNG and DRBG. |
134 # |
134 # |
135 # By default, an attempt is made to use the entropy gathering device |
135 # By default, an attempt is made to use the entropy gathering device |
136 # specified by the "securerandom.source" Security property. If an |
136 # specified by the "securerandom.source" Security property. If an |
137 # exception occurs while accessing the specified URL: |
137 # exception occurs while accessing the specified URL: |
138 # |
|
139 # SHA1PRNG: |
|
140 # the traditional system/thread activity algorithm will be used. |
|
141 # |
138 # |
142 # NativePRNG: |
139 # NativePRNG: |
143 # a default value of /dev/random will be used. If neither |
140 # a default value of /dev/random will be used. If neither |
144 # are available, the implementation will be disabled. |
141 # are available, the implementation will be disabled. |
145 # "file" is the only currently supported protocol type. |
142 # "file" is the only currently supported protocol type. |
146 # |
143 # |
|
144 # SHA1PRNG and DRBG: |
|
145 # the traditional system/thread activity algorithm will be used. |
|
146 # |
147 # The entropy gathering device can also be specified with the System |
147 # The entropy gathering device can also be specified with the System |
148 # property "java.security.egd". For example: |
148 # property "java.security.egd". For example: |
149 # |
149 # |
150 # % java -Djava.security.egd=file:/dev/random MainClass |
150 # % java -Djava.security.egd=file:/dev/random MainClass |
151 # |
151 # |
152 # Specifying this System property will override the |
152 # Specifying this System property will override the |
153 # "securerandom.source" Security property. |
153 # "securerandom.source" Security property. |
154 # |
154 # |
155 # In addition, if "file:/dev/random" or "file:/dev/urandom" is |
155 # In addition, if "file:/dev/random" or "file:/dev/urandom" is |
156 # specified, the "NativePRNG" implementation will be more preferred than |
156 # specified, the "NativePRNG" implementation will be more preferred than |
157 # SHA1PRNG in the Sun provider. |
157 # DRBG and SHA1PRNG in the Sun provider. |
158 # |
158 # |
159 securerandom.source=file:/dev/random |
159 securerandom.source=file:/dev/random |
160 |
160 |
161 # |
161 # |
162 # A list of known strong SecureRandom implementations. |
162 # A list of known strong SecureRandom implementations. |
167 # |
167 # |
168 # This is a comma-separated list of algorithm and/or algorithm:provider |
168 # This is a comma-separated list of algorithm and/or algorithm:provider |
169 # entries. |
169 # entries. |
170 # |
170 # |
171 #ifdef windows |
171 #ifdef windows |
172 securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,SHA1PRNG:SUN |
172 securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN |
173 #endif |
173 #endif |
174 #ifndef windows |
174 #ifndef windows |
175 securerandom.strongAlgorithms=NativePRNGBlocking:SUN |
175 securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN |
176 #endif |
176 #endif |
|
177 |
|
178 # |
|
179 # Sun provider DRBG configuration and default instantiation request. |
|
180 # |
|
181 # NIST SP 800-90Ar1 lists several DRBG mechanisms. Each can be configured |
|
182 # with a DRBG algorithm name, and can be instantiated with a security strength, |
|
183 # prediction resistance support, etc. This property defines the configuration |
|
184 # and the default instantiation request of "DRBG" SecureRandom implementations |
|
185 # in the SUN provider. (Other DRBG implementations can also use this property.) |
|
186 # Applications can request different instantiation parameters like security |
|
187 # strength, capability, personalization string using one of the |
|
188 # getInstance(...,SecureRandomParameters,...) methods with a |
|
189 # DrbgParameters.Instantiation argument, but other settings such as the |
|
190 # mechanism and DRBG algorithm names are not currently configurable by any API. |
|
191 # |
|
192 # Please note that the SUN implementation of DRBG always supports reseeding. |
|
193 # |
|
194 # The value of this property is a comma-separated list of all configurable |
|
195 # aspects. The aspects can appear in any order but the same aspect can only |
|
196 # appear at most once. Its BNF-style definition is: |
|
197 # |
|
198 # Value: |
|
199 # aspect { "," aspect } |
|
200 # |
|
201 # aspect: |
|
202 # mech_name | algorithm_name | strength | capability | df |
|
203 # |
|
204 # // The DRBG mechanism to use. Default "Hash_DRBG" |
|
205 # mech_name: |
|
206 # "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG" |
|
207 # |
|
208 # // The DRBG algorithm name. The "SHA-***" names are for Hash_DRBG and |
|
209 # // HMAC_DRBG, default "SHA-256". "3KeyTDEA" and "AES-***" names are for |
|
210 # // CTR_DRBG, default "AES-128" when using the limited cryptographic |
|
211 # // or "AES-256" when using the unlimited. |
|
212 # algorithm_name: |
|
213 # "SHA-1" | "SHA-224" | "SHA-512/224" | "SHA-256" | |
|
214 # "SHA-512/256" | "SHA-384" | "SHA-512" | |
|
215 # "3KeyTDEA" | "AES-128" | "AES-192" | "AES-256" |
|
216 # |
|
217 # // Security strength requested. Default "128", or "112" |
|
218 # // if mech_name is CTR_DRBG and algorithm_name is "3KeyTDEA" |
|
219 # strength: |
|
220 # "112" | "128" | "192" | "256" |
|
221 # |
|
222 # // Prediction resistance and reseeding request. Default "none" |
|
223 # // "pr_and_reseed" - Both prediction resistance and reseeding |
|
224 # // support requested |
|
225 # // "reseed_only" - Only reseeding support requested |
|
226 # // "none" - Neither prediction resistance not reseeding |
|
227 # // support requested |
|
228 # pr: |
|
229 # "pr_and_reseed" | "reseed_only" | "none" |
|
230 # |
|
231 # // Whether a derivation function should be used. only applicable |
|
232 # // to CTR_DRBG. Default "use_df" |
|
233 # df: |
|
234 # "use_df" | "no_df" |
|
235 # |
|
236 # Examples, |
|
237 # securerandom.drbg.config=Hash_DRBG,SHA-1,112,none |
|
238 # securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df |
|
239 # |
|
240 # The default value is an empty string, which is equivalent to |
|
241 # securerandom.drbg.config=Hash_DRBG,SHA-256,128,none |
|
242 securerandom.drbg.config= |
177 |
243 |
178 # |
244 # |
179 # Class to instantiate as the javax.security.auth.login.Configuration |
245 # Class to instantiate as the javax.security.auth.login.Configuration |
180 # provider. |
246 # provider. |
181 # |
247 # |