236 lines
5.8 KiB
Markdown
236 lines
5.8 KiB
Markdown
Conscrypt's Capabilities
|
|
========================================
|
|
|
|
Conscrypt is relatively selective in choosing the set of primitives to provide, focusing
|
|
on the most important and widely-used algorithms. Following is a list of JCA algorithm names
|
|
and other identifiers that are supported by Conscrypt.
|
|
|
|
## TLS
|
|
|
|
### Protocol Versions
|
|
|
|
* `SSLv3` (ignored)
|
|
* `TLSv1`
|
|
* `TLSv1.1`
|
|
* `TLSv1.2`
|
|
* `TLSv1.3`
|
|
|
|
Conscrypt supports TLS v1.0-1.3. For backwards compatibility it will accept
|
|
`SSLv3` in calls to methods like
|
|
[`setEnabledProtocols()`](https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLSocket.html#setEnabledProtocols-java.lang.String:A-)
|
|
but will ignore it.
|
|
|
|
### SSLContext
|
|
|
|
* `Default`
|
|
* `SSL`
|
|
* `TLS`
|
|
* `TLSv1`
|
|
* `TLSv1.1`
|
|
* `TLSv1.2`
|
|
* `TLSv1.3`
|
|
|
|
Conscrypt provides the above set of SSLContext algorithm names for JSSE
|
|
purposes, including the special value `Default`, which is used to determine the
|
|
value of
|
|
[`SSLContext.getDefault()`](https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html#getDefault--).
|
|
The `Default`, `SSL`, `TLS`, and `TLSv1.3` values return a context where TLS
|
|
v1.0-1.3 are all enabled; the others return a context with TLS v1.0-1.2 enabled.
|
|
|
|
### Cipher Suites
|
|
|
|
#### Enabled
|
|
* TLS 1.0-1.2
|
|
* `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
|
|
* `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
|
|
* `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
|
|
* `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
|
|
* `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
|
|
* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
|
|
* `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
|
|
* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
|
|
* `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
|
|
* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
|
|
* `TLS_RSA_WITH_AES_128_CBC_SHA`
|
|
* `TLS_RSA_WITH_AES_128_GCM_SHA256`
|
|
* `TLS_RSA_WITH_AES_256_CBC_SHA`
|
|
* `TLS_RSA_WITH_AES_256_GCM_SHA384`
|
|
* TLS 1.3
|
|
* `TLS_AES_128_GCM_SHA256`
|
|
* `TLS_AES_256_GCM_SHA384`
|
|
* `TLS_CHACHA20_POLY1305_SHA256`
|
|
|
|
The above cipher suites are enabled by default when the associated version of
|
|
the protocol is enabled. The TLS 1.3 cipher suites cannot be customized; they
|
|
are always enabled when TLS 1.3 is enabled, and any attempt to disable them via
|
|
a call to
|
|
[`setEnabledCipherSuites()`](https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites-java.lang.String:A-)
|
|
is ignored.
|
|
|
|
#### Supported But Not Enabled
|
|
* TLS 1.0-1.2
|
|
* `SSL_RSA_WITH_3DES_EDE_CBC_SHA`
|
|
* `TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA`
|
|
* `TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA`
|
|
* `TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256`
|
|
* `TLS_PSK_WITH_AES_128_CBC_SHA`
|
|
* `TLS_PSK_WITH_AES_256_CBC_SHA`
|
|
|
|
The above cipher suites are supported, but not enabled by default. TLS 1.3
|
|
cipher suites cannot be customized, so there are no cipher suites that are
|
|
supported but not enabled.
|
|
|
|
## Cryptography
|
|
|
|
### Cipher
|
|
|
|
* `AES/CBC/NoPadding`
|
|
* `AES/CBC/PKCS5Padding`
|
|
* `AES/CTR/NoPadding`
|
|
* `AES/ECB/NoPadding`
|
|
* `AES/ECB/PKCS5Padding`
|
|
* `AES/GCM-SIV/NoPadding`
|
|
|
|
AES with 128, 192, or 256-bit keys.
|
|
|
|
* `AES/GCM/NoPadding`
|
|
|
|
AES/GCM with 128 or 256-bit keys.
|
|
|
|
* `AES_128/CBC/NoPadding`
|
|
* `AES_128/CBC/PKCS5Padding`
|
|
* `AES_128/ECB/NoPadding`
|
|
* `AES_128/ECB/PKCS5Padding`
|
|
* `AES_128/GCM/NoPadding`
|
|
* `AES_128/GCM-SIV/NoPadding`
|
|
* `AES_256/CBC/NoPadding`
|
|
* `AES_256/CBC/PKCS5Padding`
|
|
* `AES_256/ECB/NoPadding`
|
|
* `AES_256/ECB/PKCS5Padding`
|
|
* `AES_256/GCM/NoPadding`
|
|
* `AES_256/GCM-SIV/NoPadding`
|
|
|
|
Key-restricted versions of the AES ciphers.
|
|
|
|
* `ARC4`
|
|
|
|
The RC4 stream cipher.
|
|
|
|
* `ChaCha20/NONE/NoPadding`
|
|
* `ChaCha20/Poly1305/NoPadding`
|
|
|
|
ChaCha with 20 rounds, 96-bit nonce, and 32-bit counter as described in
|
|
[RFC 7539](https://tools.ietf.org/html/rfc7539), either with or without a Poly1305 AEAD
|
|
authenticator.
|
|
|
|
* `DESEDE/CBC/NoPadding`
|
|
* `DESEDE/CBC/PKCS5Padding`
|
|
|
|
Triple DES with either two or three intermediate keys.
|
|
|
|
* `RSA/ECB/NoPadding`
|
|
* `RSA/ECB/OAEPPadding`
|
|
* `RSA/ECB/OAEPWithSHA-1AndMGF1Padding`
|
|
* `RSA/ECB/OAEPWithSHA-224AndMGF1Padding`
|
|
* `RSA/ECB/OAEPWithSHA-256AndMGF1Padding`
|
|
* `RSA/ECB/OAEPWithSHA-384AndMGF1Padding`
|
|
* `RSA/ECB/OAEPWithSHA-512AndMGF1Padding`
|
|
* `RSA/ECB/PKCS1Padding`
|
|
|
|
Conscrypt's OAEP ciphers (eg, `RSA/ECB/OAEPWithSHA-256AndMGF1Padding`) use the named digest for
|
|
both the main digest and the MGF1 digest. This differs from the behavior of some other
|
|
providers, including the ones bundled with OpenJDK, which always use SHA-1 for the MGF1 digest.
|
|
For maximum compatibility, you should use `RSA/ECB/OAEPPadding` and initialize it with an
|
|
[`OAEPParameterSpec`](https://docs.oracle.com/javase/9/docs/api/javax/crypto/spec/OAEPParameterSpec.html).
|
|
|
|
### AlgorithmParameters
|
|
* `AES`
|
|
* `ChaCha20`
|
|
* `DESEDE`
|
|
* `EC`
|
|
* `GCM`
|
|
* `OAEP`
|
|
* `PSS`
|
|
|
|
Conscrypt's EC AlgorithmParameters implementation only supports named curves.
|
|
|
|
### CertificateFactory
|
|
* `X509`
|
|
|
|
### KeyAgreement
|
|
* `ECDH`
|
|
|
|
### KeyFactory
|
|
* `EC`
|
|
* `RSA`
|
|
|
|
### KeyGenerator
|
|
* `AES`
|
|
* `ARC4`
|
|
* `ChaCha20`
|
|
* `DESEDE`
|
|
* `HmacMD5`
|
|
* `HmacSHA1`
|
|
* `HmacSHA224`
|
|
* `HmacSHA256`
|
|
* `HmacSHA384`
|
|
* `HmacSHA512`
|
|
|
|
### KeyPairGenerator
|
|
* `EC`
|
|
* `RSA`
|
|
|
|
### Mac
|
|
* `HmacMD5`
|
|
* `HmacSHA1`
|
|
* `HmacSHA224`
|
|
* `HmacSHA256`
|
|
* `HmacSHA384`
|
|
* `HmacSHA512`
|
|
|
|
### MessageDigest
|
|
* `MD5`
|
|
* `SHA-1`
|
|
* `SHA-224`
|
|
* `SHA-256`
|
|
* `SHA-384`
|
|
* `SHA-512`
|
|
|
|
### SecretKeyFactory
|
|
* `DESEDE`
|
|
|
|
### SecureRandom
|
|
* `SHA1PRNG`
|
|
|
|
### Signature
|
|
* `MD5withRSA`
|
|
* `NONEwithECDSA`
|
|
* `NONEwithRSA`
|
|
* `SHA1withRSA`
|
|
* `SHA1withECDSA`
|
|
* `SHA1withRSA/PSS`
|
|
* `SHA224withRSA`
|
|
* `SHA224withECDSA`
|
|
* `SHA224withRSA/PSS`
|
|
* `SHA256withRSA`
|
|
* `SHA256withECDSA`
|
|
* `SHA256withRSA/PSS`
|
|
* `SHA384withRSA`
|
|
* `SHA384withECDSA`
|
|
* `SHA384withRSA/PSS`
|
|
* `SHA512withRSA`
|
|
* `SHA512withECDSA`
|
|
* `SHA512withRSA/PSS`
|
|
|
|
### Elliptic Curves
|
|
|
|
Conscrypt supports the following curves in EC crypto operations (such as ECDSA signatures) and TLS:
|
|
|
|
| Curve | EC Crypto | TLS |
|
|
| ----- | :-------: | :---: |
|
|
| secp224r1 | X | |
|
|
| prime256v1<br/>(aka secp256r1) | X | X |
|
|
| secp384r1 | X | X |
|
|
| secp521r1 | X | |
|
|
| x25519 | | X |
|