mina-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lgoldst...@apache.org
Subject [35/51] [abbrv] mina-sshd git commit: [SSHD-842] Split common utilities code from sshd-core into sshd-common (new artifact)
Date Thu, 06 Sep 2018 16:03:45 GMT
http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/AbstractSecurityProviderRegistrar.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/AbstractSecurityProviderRegistrar.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/AbstractSecurityProviderRegistrar.java
new file mode 100644
index 0000000..b665166
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/AbstractSecurityProviderRegistrar.java
@@ -0,0 +1,129 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.sshd.common.util.security;
+
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.TreeMap;
+import java.util.concurrent.atomic.AtomicReference;
+
+import org.apache.sshd.common.util.ValidateUtils;
+import org.apache.sshd.common.util.logging.AbstractLoggingBean;
+
+/**
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ */
+public abstract class AbstractSecurityProviderRegistrar
+                extends AbstractLoggingBean
+                implements SecurityProviderRegistrar {
+    protected final Map<String, Object> props = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
+    protected final Map<Class<?>, Map<String, Boolean>> supportedEntities = new HashMap<>();
+    protected final AtomicReference<Provider> providerHolder = new AtomicReference<>(null);
+
+    private final String name;
+
+    protected AbstractSecurityProviderRegistrar(String name) {
+        this.name = ValidateUtils.checkNotNullAndNotEmpty(name, "No name provided");
+    }
+
+    @Override
+    public final String getName() {
+        return name;
+    }
+
+    @Override
+    public Map<String, Object> getProperties() {
+        return props;
+    }
+
+    @Override
+    public boolean isSecurityEntitySupported(Class<?> entityType, String name) {
+        Map<String, Boolean> supportMap;
+        synchronized (supportedEntities) {
+            supportMap = supportedEntities.computeIfAbsent(
+                    entityType, k -> new TreeMap<>(String.CASE_INSENSITIVE_ORDER));
+        }
+
+        Boolean supportFlag;
+        synchronized (supportMap) {
+            supportFlag = supportMap.computeIfAbsent(
+                    name, k -> SecurityProviderRegistrar.super.isSecurityEntitySupported(entityType, name));
+        }
+
+        return supportFlag;
+    }
+
+    /**
+     * Attempts to see if a provider with this name already registered. If not,
+     * then uses reflection API in order to load and instantiate the specified
+     * <tt>providerClassName</tt>
+     *
+     * @param providerClassName The fully-qualified class name to instantiate
+     * if a provider not already registered
+     * @return The resolved {@link Provider} instance - <B>Note:</B> the result
+     * is <U>cached</U> - i.e., successful resolution result will not cause
+     * the code to re-resolve the provider
+     * @throws ReflectiveOperationException If failed to instantiate the provider
+     * @throws UnsupportedOperationException If registrar not supported
+     * @see #isSupported()
+     * @see Security#getProvider(String)
+     * @see #createProviderInstance(String)
+     */
+    protected Provider getOrCreateProvider(String providerClassName) throws ReflectiveOperationException {
+        if (!isSupported()) {
+            throw new UnsupportedOperationException("Provider not supported");
+        }
+
+        Provider provider;
+        boolean created = false;
+        synchronized (providerHolder) {
+            provider = providerHolder.get();
+            if (provider != null) {
+                return provider;
+            }
+
+            provider = Security.getProvider(getName());
+            if (provider == null) {
+                provider = createProviderInstance(providerClassName);
+                created = true;
+            }
+            providerHolder.set(provider);
+        }
+
+        if (created) {
+            log.info("getOrCreateProvider({}) created instance of {}", getName(), providerClassName);
+        } else {
+            log.info("getOrCreateProvider({}) resolved instance of {}", getName(), provider.getClass().getName());
+        }
+
+        return provider;
+    }
+
+    protected Provider createProviderInstance(String providerClassName) throws ReflectiveOperationException {
+        return SecurityProviderChoice.createProviderInstance(getClass(), providerClassName);
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "[" + getName() + "]";
+    }
+}

http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityEntityFactory.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityEntityFactory.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityEntityFactory.java
new file mode 100644
index 0000000..94b9454
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityEntityFactory.java
@@ -0,0 +1,194 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.sshd.common.util.security;
+
+import java.lang.reflect.Method;
+import java.security.GeneralSecurityException;
+import java.security.Provider;
+import java.util.Objects;
+
+import org.apache.sshd.common.util.GenericUtils;
+import org.apache.sshd.common.util.ValidateUtils;
+
+/**
+ * @param <T> Type of security entity being generated by this factory
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ */
+public interface SecurityEntityFactory<T> {
+    Class<T> getEntityType();
+
+    T getInstance(String algorithm) throws GeneralSecurityException;
+
+    /**
+     * Uses reflection in order to wrap the {@code getInstance} method(s)
+     * as a security entity factory.
+     *
+     * @param <F> Type of entity being generated by the factor
+     * @param entityType The entity type class
+     * @param registrar The {@code SecurityProviderRegistrar} to use - if
+     * {@code null} then default provider is used (if specified).
+     * @param defaultProvider Default provider choice to use if no registrar
+     * provided. If {@code null}/empty then JCE default is used
+     * @return The {@link SecurityEntityFactory} for the entity
+     * @throws ReflectiveOperationException If failed to create the factory
+     * @see #toDefaultFactory(Class)
+     * @see #toNamedProviderFactory(Class, String)
+     * @see #toProviderInstanceFactory(Class, Provider)
+     * @see SecurityProviderChoice#isNamedProviderUsed()
+     * @see SecurityProviderChoice#getSecurityProvider()
+     */
+    static <F> SecurityEntityFactory<F> toFactory(
+            Class<F> entityType, SecurityProviderChoice registrar, SecurityProviderChoice defaultProvider)
+            throws ReflectiveOperationException {
+        if (registrar == null) {
+            if ((defaultProvider == null) || (defaultProvider == SecurityProviderChoice.EMPTY)) {
+                return toDefaultFactory(entityType);
+            } else if (defaultProvider.isNamedProviderUsed()) {
+                return toNamedProviderFactory(entityType, defaultProvider.getName());
+            } else {
+                return toProviderInstanceFactory(entityType, defaultProvider.getSecurityProvider());
+            }
+        } else if (registrar.isNamedProviderUsed()) {
+            return toNamedProviderFactory(entityType, registrar.getName());
+        } else {
+            return toProviderInstanceFactory(entityType, registrar.getSecurityProvider());
+        }
+    }
+
+    static <F> SecurityEntityFactory<F> toDefaultFactory(Class<F> entityType)
+            throws ReflectiveOperationException {
+        Method m = entityType.getDeclaredMethod("getInstance", String.class);
+        return new SecurityEntityFactory<F>() {
+            private final String s = SecurityEntityFactory.class.getSimpleName()
+                    + "[" + entityType.getSimpleName() + "]"
+                    + "[default]";
+
+            @Override
+            public Class<F> getEntityType() {
+                return entityType;
+            }
+
+            @Override
+            public F getInstance(String algorithm) throws GeneralSecurityException {
+                try {
+                    Object value = m.invoke(null, algorithm);
+                    return entityType.cast(value);
+                } catch (ReflectiveOperationException t) {
+                    Throwable e = GenericUtils.peelException(t);
+                    if (e instanceof GeneralSecurityException) {
+                        throw (GeneralSecurityException) e;
+                    } else if (e instanceof RuntimeException) {
+                        throw (RuntimeException) e;
+                    } else if (e instanceof Error) {
+                        throw (Error) e;
+                    } else {
+                        throw new GeneralSecurityException(e);
+                    }
+                }
+            }
+
+            @Override
+            public String toString() {
+                return s;
+            }
+        };
+    }
+
+    static <F> SecurityEntityFactory<F> toNamedProviderFactory(Class<F> entityType, String name)
+            throws ReflectiveOperationException {
+        ValidateUtils.checkNotNullAndNotEmpty(name, "No provider name specified");
+        Method m = entityType.getDeclaredMethod("getInstance", String.class, String.class);
+        return new SecurityEntityFactory<F>() {
+            private final String s = SecurityEntityFactory.class.getSimpleName()
+                    + "[" + entityType.getSimpleName() + "]"
+                    + "[" + name + "]";
+
+            @Override
+            public Class<F> getEntityType() {
+                return entityType;
+            }
+
+            @Override
+            public F getInstance(String algorithm) throws GeneralSecurityException {
+                try {
+                    Object value = m.invoke(null, algorithm, name);
+                    return entityType.cast(value);
+                } catch (ReflectiveOperationException t) {
+                    Throwable e = GenericUtils.peelException(t);
+                    if (e instanceof GeneralSecurityException) {
+                        throw (GeneralSecurityException) e;
+                    } else if (e instanceof RuntimeException) {
+                        throw (RuntimeException) e;
+                    } else if (e instanceof Error) {
+                        throw (Error) e;
+                    } else {
+                        throw new GeneralSecurityException(e);
+                    }
+                }
+            }
+
+            @Override
+            public String toString() {
+                return s;
+            }
+        };
+    }
+
+    static <F> SecurityEntityFactory<F> toProviderInstanceFactory(Class<F> entityType, Provider provider)
+            throws ReflectiveOperationException {
+        Objects.requireNonNull(provider, "No provider instance");
+        Method m = entityType.getDeclaredMethod("getInstance", String.class, Provider.class);
+        return new SecurityEntityFactory<F>() {
+            private final String s = SecurityEntityFactory.class.getSimpleName()
+                    + "[" + entityType.getSimpleName() + "]"
+                    + "[" + Provider.class.getSimpleName() + "]"
+                    + "[" + provider.getName() + "]";
+
+            @Override
+            public Class<F> getEntityType() {
+                return entityType;
+            }
+
+            @Override
+            public F getInstance(String algorithm) throws GeneralSecurityException {
+                try {
+                    Object value = m.invoke(null, algorithm, provider);
+                    return entityType.cast(value);
+                } catch (ReflectiveOperationException t) {
+                    Throwable e = GenericUtils.peelException(t);
+                    if (e instanceof GeneralSecurityException) {
+                        throw (GeneralSecurityException) e;
+                    } else if (e instanceof RuntimeException) {
+                        throw (RuntimeException) e;
+                    } else if (e instanceof Error) {
+                        throw (Error) e;
+                    } else {
+                        throw new GeneralSecurityException(e);
+                    }
+                }
+            }
+
+            @Override
+            public String toString() {
+                return s;
+            }
+        };
+    }
+}

http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityProviderChoice.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityProviderChoice.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityProviderChoice.java
new file mode 100644
index 0000000..c12e747
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityProviderChoice.java
@@ -0,0 +1,130 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.sshd.common.util.security;
+
+import java.security.Provider;
+import java.util.Objects;
+
+import org.apache.sshd.common.NamedResource;
+import org.apache.sshd.common.util.ValidateUtils;
+import org.apache.sshd.common.util.threads.ThreadUtils;
+
+/**
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ */
+public interface SecurityProviderChoice extends NamedResource {
+    SecurityProviderChoice EMPTY = new SecurityProviderChoice() {
+        @Override
+        public String getName() {
+            return null;
+        }
+
+        @Override
+        public boolean isNamedProviderUsed() {
+            return false;
+        }
+
+        @Override
+        public Provider getSecurityProvider() {
+            return null;
+        }
+
+        @Override
+        public String toString() {
+            return "EMPTY";
+        }
+    };
+
+    /**
+     * @return {@code true} if to use the provider's name rather than its
+     * {@link Provider} instance - default={@code true}.
+     */
+    default boolean isNamedProviderUsed() {
+        return true;
+    }
+
+    /**
+     * @return The security {@link Provider} to use in case {@link #isNamedProviderUsed()}
+     * is {@code false}. Can be {@code null} if {@link #isNamedProviderUsed()} is {@code true},
+     * but not recommended.
+     */
+    Provider getSecurityProvider();
+
+    static SecurityProviderChoice toSecurityProviderChoice(String name) {
+        ValidateUtils.checkNotNullAndNotEmpty(name, "No name provided");
+        return new SecurityProviderChoice() {
+            private final String s = SecurityProviderChoice.class.getSimpleName() + "[" + name + "]";
+
+            @Override
+            public String getName() {
+                return name;
+            }
+
+            @Override
+            public boolean isNamedProviderUsed() {
+                return true;
+            }
+
+            @Override
+            public Provider getSecurityProvider() {
+                return null;
+            }
+
+            @Override
+            public String toString() {
+                return s;
+            }
+        };
+    }
+
+    static SecurityProviderChoice toSecurityProviderChoice(Provider provider) {
+        Objects.requireNonNull(provider, "No provider instance");
+        return new SecurityProviderChoice() {
+            private final String s = SecurityProviderChoice.class.getSimpleName()
+                    + "[" + Provider.class.getSimpleName() + "]"
+                    + "[" + provider.getName() + "]";
+
+            @Override
+            public String getName() {
+                return provider.getName();
+            }
+
+            @Override
+            public boolean isNamedProviderUsed() {
+                return false;
+            }
+
+            @Override
+            public Provider getSecurityProvider() {
+                return provider;
+            }
+
+            @Override
+            public String toString() {
+                return s;
+            }
+        };
+    }
+
+    static Provider createProviderInstance(Class<?> anchor, String providerClassName)
+            throws ReflectiveOperationException {
+        return ThreadUtils.createDefaultInstance(anchor, Provider.class, providerClassName);
+    }
+}

http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityProviderRegistrar.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityProviderRegistrar.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityProviderRegistrar.java
new file mode 100644
index 0000000..31e428b
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityProviderRegistrar.java
@@ -0,0 +1,337 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.sshd.common.util.security;
+
+import java.security.KeyFactory;
+import java.security.KeyPairGenerator;
+import java.security.MessageDigest;
+import java.security.Provider;
+import java.security.Security;
+import java.security.Signature;
+import java.security.cert.CertificateFactory;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.function.Predicate;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyAgreement;
+import javax.crypto.Mac;
+
+import org.apache.sshd.common.OptionalFeature;
+import org.apache.sshd.common.PropertyResolver;
+import org.apache.sshd.common.PropertyResolverUtils;
+import org.apache.sshd.common.SyspropsMapWrapper;
+import org.apache.sshd.common.util.GenericUtils;
+import org.apache.sshd.common.util.IgnoringEmptyMap;
+import org.apache.sshd.common.util.ValidateUtils;
+
+/**
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ */
+public interface SecurityProviderRegistrar extends SecurityProviderChoice, OptionalFeature, PropertyResolver {
+    /**
+     * Base name for configuration properties related to security providers
+     */
+    String CONFIG_PROP_BASE = "org.apache.sshd.security.provider";
+
+    /**
+     * Property used to configure whether the provider is enabled regardless of
+     * whether it is supported.
+     *
+     * @see #isEnabled()
+     */
+    String ENABLED_PROPERTY = "enabled";
+
+    /**
+     * Property used to configure whether to use the provider's name rather than its
+     * {@link Provider} instance
+     *
+     * @see #isNamedProviderUsed()
+     */
+    String NAMED_PROVIDER_PROPERTY = "useNamed";
+
+    String ALL_OPTIONS_VALUE = "all";
+    String ALL_OPTIONS_WILDCARD = "*";
+
+    String NO_OPTIONS_VALUE = "none";
+
+    /**
+     * All the entities that are used in calls to {@link #isSecurityEntitySupported(Class, String)}
+     */
+    List<Class<?>> SECURITY_ENTITIES =
+            Collections.unmodifiableList(
+                    Arrays.asList(
+                            Cipher.class, KeyFactory.class, MessageDigest.class,
+                            KeyPairGenerator.class, KeyAgreement.class, Mac.class,
+                            Signature.class, CertificateFactory.class));
+
+    default String getBasePropertyName() {
+        return CONFIG_PROP_BASE + "." + getName();
+    }
+
+    default String getConfigurationPropertyName(String name) {
+        return getBasePropertyName() + "." + name;
+    }
+
+    /**
+     * @return {@code true} if the provider is enabled regardless of
+     * whether it is supported - default={@code true}. <B>Note:</B>
+     * checks if the provider has been <U>programmatically</U> disabled
+     * via {@link SecurityUtils#setAPrioriDisabledProvider(String, boolean)}
+     * @see #ENABLED_PROPERTY
+     */
+    default boolean isEnabled() {
+        if (SecurityUtils.isAPrioriDisabledProvider(getName())) {
+            return false;
+        }
+
+        return this.getBooleanProperty(getConfigurationPropertyName(ENABLED_PROPERTY), true);
+    }
+
+    @Override
+    default PropertyResolver getParentPropertyResolver() {
+        return SyspropsMapWrapper.SYSPROPS_RESOLVER;
+    }
+
+    @Override
+    default Map<String, Object> getProperties() {
+        return IgnoringEmptyMap.getInstance();
+    }
+
+    /**
+     * @param transformation The requested {@link Cipher} transformation
+     * @return {@code true} if this security provider supports the transformation
+     * @see #isSecurityEntitySupported(Class, String)
+     */
+    default boolean isCipherSupported(String transformation) {
+        return isSecurityEntitySupported(Cipher.class, transformation);
+    }
+
+    /**
+     * @param algorithm The {@link KeyFactory} algorithm
+     * @return {@code true} if this security provider supports the algorithm
+     * @see #isSecurityEntitySupported(Class, String)
+     */
+    default boolean isKeyFactorySupported(String algorithm) {
+        return isSecurityEntitySupported(KeyFactory.class, algorithm);
+    }
+
+    /**
+     * @param algorithm The {@link MessageDigest} algorithm
+     * @return {@code true} if this security provider supports the algorithm
+     * @see #isSecurityEntitySupported(Class, String)
+     */
+    default boolean isMessageDigestSupported(String algorithm) {
+        return isSecurityEntitySupported(MessageDigest.class, algorithm);
+    }
+
+    /**
+     * @param algorithm The {@link KeyPairGenerator} algorithm
+     * @return {@code true} if this security provider supports the algorithm
+     * @see #isSecurityEntitySupported(Class, String)
+     */
+    default boolean isKeyPairGeneratorSupported(String algorithm) {
+        return isSecurityEntitySupported(KeyPairGenerator.class, algorithm);
+    }
+
+    /**
+     * @param algorithm The {@link KeyAgreement} algorithm
+     * @return {@code true} if this security provider supports the algorithm
+     * @see #isSecurityEntitySupported(Class, String)
+     */
+    default boolean isKeyAgreementSupported(String algorithm) {
+        return isSecurityEntitySupported(KeyAgreement.class, algorithm);
+    }
+
+    /**
+     * @param algorithm The {@link Mac} algorithm
+     * @return {@code true} if this security provider supports the algorithm
+     * @see #isSecurityEntitySupported(Class, String)
+     */
+    default boolean isMacSupported(String algorithm) {
+        return isSecurityEntitySupported(Mac.class, algorithm);
+    }
+
+    /**
+     * @param algorithm The {@link Signature} algorithm
+     * @return {@code true} if this security provider supports the algorithm
+     * @see #isSecurityEntitySupported(Class, String)
+     */
+    default boolean isSignatureSupported(String algorithm) {
+        return isSecurityEntitySupported(Signature.class, algorithm);
+    }
+
+    /**
+     * @param type The {@link CertificateFactory} type
+     * @return {@code true} if this security provider supports the algorithm
+     * @see #isSecurityEntitySupported(Class, String)
+     */
+    default boolean isCertificateFactorySupported(String type) {
+        return isSecurityEntitySupported(CertificateFactory.class, type);
+    }
+
+    /**
+     * @param entityType The requested entity type - its simple name serves to
+     * build the configuration property name.
+     * @return Configuration value to use if no specific configuration provided
+     * - default=empty
+     * @see #isSecurityEntitySupported(Class, String)
+     */
+    default String getDefaultSecurityEntitySupportValue(Class<?> entityType) {
+        return "";
+    }
+
+    default boolean isSecurityEntitySupported(Class<?> entityType, String name) {
+        String defaultValue = getDefaultSecurityEntitySupportValue(entityType);
+        return isSecurityEntitySupported(this, entityType, name, defaultValue);
+    }
+
+    /**
+     * @return {@code true} if to use the provider's name rather than its
+     * {@link Provider} instance - default={@code true}
+     * @see #NAMED_PROVIDER_PROPERTY
+     * @see #getSecurityProvider()
+     * @see #registerSecurityProvider(SecurityProviderRegistrar)
+     */
+    @Override
+    default boolean isNamedProviderUsed() {
+        return PropertyResolverUtils.getBooleanProperty(this,
+                getConfigurationPropertyName(NAMED_PROVIDER_PROPERTY),
+                SecurityProviderChoice.super.isNamedProviderUsed());
+    }
+
+    /**
+     * @param v Value to be examined
+     * @return {@code true} if the value equals (case insensitive) to
+     * either {@link #ALL_OPTIONS_VALUE} or {@link #ALL_OPTIONS_WILDCARD}
+     */
+    static boolean isAllOptionsValue(String v) {
+        return ALL_OPTIONS_VALUE.equalsIgnoreCase(v)
+            || ALL_OPTIONS_WILDCARD.equalsIgnoreCase(v);
+    }
+
+    /**
+     * Checks whether the requested entity type algorithm/name is listed
+     * as supported by the registrar's configuration
+     *
+     * @param registrar The {@link SecurityProviderRegistrar}
+     * @param entityType The requested entity type - its simple name serves to
+     * build the configuration property name.
+     * @param name The requested algorithm/name - <B>Note:</B> if the requested
+     * entity is a {@link Cipher} then the argument is assumed to be a possible
+     * &quot;/&quot; separated transformation and parsed as such in order to
+     * retrieve the pure cipher name
+     * @param defaultValue Configuration value to use if no specific configuration provided
+     * @return {@code true} registrar is supported and the value is listed
+     * (case <U>insensitive</U>) or * the property is one of the &quot;all&quot; markers
+     * @see SecurityProviderRegistrar#isSupported()
+     * @see #isAllOptionsValue(String)
+     */
+    static boolean isSecurityEntitySupported(SecurityProviderRegistrar registrar, Class<?> entityType, String name, String defaultValue) {
+        return Objects.requireNonNull(registrar, "No registrar instance").isSupported()
+            && isSecurityEntitySupported(registrar, registrar.getConfigurationPropertyName(entityType.getSimpleName()), entityType, name, defaultValue);
+    }
+
+    static boolean isSecurityEntitySupported(PropertyResolver resolver, String propName, Class<?> entityType, String name, String defaultValue) {
+        if (GenericUtils.isEmpty(name)) {
+            return false;
+        }
+
+        String propValue = resolver.getString(propName);
+        if (GenericUtils.isEmpty(propValue)) {
+            propValue = defaultValue;
+        }
+
+        if (NO_OPTIONS_VALUE.equalsIgnoreCase(propValue)) {
+            return false;
+        }
+
+        String[] values = GenericUtils.split(propValue, ',');
+        if (GenericUtils.isEmpty(values)) {
+            return false;
+        }
+
+        if ((values.length == 1) && isAllOptionsValue(values[0])) {
+            return true;
+        }
+
+        String effectiveName = getEffectiveSecurityEntityName(entityType, name);
+        int index = Arrays.binarySearch(values, effectiveName, String.CASE_INSENSITIVE_ORDER);
+        return index >= 0;
+    }
+
+    /**
+     * Determines the &quot;pure&quot; security entity name - e.g., for {@link Cipher}s
+     * it strips the trailing transformation specification in order to extract the
+     * base cipher name - e.g., &quot;AES/CBC/NoPadding&quot; =&gt; &quot;AES&quot;
+     *
+     * @param entityType The security entity type - ignored if {@code null}
+     * @param name The effective name - ignored if {@code null}/empty
+     * @return The resolved name
+     */
+    static String getEffectiveSecurityEntityName(Class<?> entityType, String name) {
+        if ((entityType == null) || GenericUtils.isEmpty(name) || (!Cipher.class.isAssignableFrom(entityType))) {
+            return name;
+        }
+
+        int pos = name.indexOf('/');
+        return (pos > 0) ? name.substring(0, pos) : name;
+    }
+
+    /**
+     * Attempts to register the security provider represented by the registrar
+     * if not already registered. <B>Note:</B> if {@link SecurityProviderRegistrar#isNamedProviderUsed()}
+     * is {@code true} then the generated provider will be added to the system's
+     * list of known providers.
+     *
+     * @param registrar The {@link SecurityProviderRegistrar}
+     * @return {@code true} if no provider was previously registered
+     * @see Security#getProvider(String)
+     * @see SecurityProviderRegistrar#getSecurityProvider()
+     * @see Security#addProvider(Provider)
+     */
+    static boolean registerSecurityProvider(SecurityProviderRegistrar registrar) {
+        String name = ValidateUtils.checkNotNullAndNotEmpty(
+                (registrar == null) ? null : registrar.getName(), "No name for registrar=%s", registrar);
+        Provider p = Security.getProvider(name);
+        if (p != null) {
+            return false;
+        }
+
+        p = ValidateUtils.checkNotNull(
+                registrar.getSecurityProvider(), "No provider created for registrar of %s", name);
+        if (registrar.isNamedProviderUsed()) {
+            Security.addProvider(p);
+        }
+
+        return true;
+    }
+
+    static SecurityProviderRegistrar findSecurityProviderRegistrarBySecurityEntity(
+            Predicate<? super SecurityProviderRegistrar> entitySelector,
+            Collection<? extends SecurityProviderRegistrar> registrars) {
+        return GenericUtils.findFirstMatchingMember(
+            r -> r.isEnabled() && r.isSupported() && entitySelector.test(r), registrars);
+    }
+}

http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java
new file mode 100644
index 0000000..ee755e6
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/SecurityUtils.java
@@ -0,0 +1,759 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sshd.common.util.security;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.nio.file.Path;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.cert.CertificateFactory;
+import java.security.spec.InvalidKeySpecException;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.TreeMap;
+import java.util.TreeSet;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.Predicate;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyAgreement;
+import javax.crypto.Mac;
+import javax.crypto.spec.DHParameterSpec;
+
+import org.apache.sshd.common.config.keys.FilePasswordProvider;
+import org.apache.sshd.common.config.keys.KeyUtils;
+import org.apache.sshd.common.config.keys.PrivateKeyEntryDecoder;
+import org.apache.sshd.common.config.keys.PublicKeyEntryDecoder;
+import org.apache.sshd.common.config.keys.loader.KeyPairResourceParser;
+import org.apache.sshd.common.config.keys.loader.openssh.OpenSSHKeyPairResourceParser;
+import org.apache.sshd.common.config.keys.loader.pem.PEMResourceParserUtils;
+import org.apache.sshd.common.keyprovider.KeyPairProvider;
+import org.apache.sshd.common.random.JceRandomFactory;
+import org.apache.sshd.common.random.RandomFactory;
+import org.apache.sshd.common.util.GenericUtils;
+import org.apache.sshd.common.util.ValidateUtils;
+import org.apache.sshd.common.util.buffer.Buffer;
+import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleGeneratorHostKeyProvider;
+import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleKeyPairResourceParser;
+import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleRandomFactory;
+import org.apache.sshd.common.util.security.eddsa.EdDSASecurityProviderUtils;
+import org.apache.sshd.common.util.threads.ThreadUtils;
+import org.apache.sshd.server.keyprovider.AbstractGeneratorHostKeyProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Specific security providers related code
+ *
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ */
+public final class SecurityUtils {
+    /**
+     * Bouncycastle JCE provider name
+     */
+    public static final String BOUNCY_CASTLE = "BC";
+
+    /**
+     * EDDSA support - should match {@code EdDSAKey.KEY_ALGORITHM}
+     */
+    public static final String EDDSA = "EdDSA";
+
+    // A copy-paste from the original, but we don't want to drag the classes into the classpath
+    // See EdDSAEngine.SIGNATURE_ALGORITHM
+    public static final String CURVE_ED25519_SHA512 = "NONEwithEdDSA";
+
+    /**
+     * System property used to configure the value for the maximum supported Diffie-Hellman
+     * Group Exchange key size. If not set, then an internal auto-discovery mechanism is employed.
+     * If set to negative value then Diffie-Hellman Group Exchange is disabled. If set to a
+     * negative value then Diffie-Hellman Group Exchange is disabled
+     */
+    public static final String MAX_DHGEX_KEY_SIZE_PROP = "org.apache.sshd.maxDHGexKeySize";
+
+    /**
+     * The min. key size value used for testing whether Diffie-Hellman Group Exchange
+     * is supported or not. According to <A HREF="https://tools.ietf.org/html/rfc4419">RFC 4419</A>
+     * section 3: &quot;Servers and clients SHOULD support groups with a modulus length of k
+     * bits, where 1024 <= k <= 8192&quot;.
+     * </code>
+     */
+    public static final int MIN_DHGEX_KEY_SIZE = 1024;
+    // Keys of size > 1024 are not support by default with JCE
+    public static final int DEFAULT_DHGEX_KEY_SIZE = MIN_DHGEX_KEY_SIZE;
+    public static final int PREFERRED_DHGEX_KEY_SIZE = 4096;
+    public static final int MAX_DHGEX_KEY_SIZE = 8192;
+
+    /**
+     * Comma separated list of fully qualified {@link SecurityProviderRegistrar}s
+     * to automatically register
+     */
+    public static final String SECURITY_PROVIDER_REGISTRARS = "org.apache.sshd.security.registrars";
+    public static final List<String> DEFAULT_SECURITY_PROVIDER_REGISTRARS =
+            Collections.unmodifiableList(
+                    Arrays.asList(
+                            "org.apache.sshd.common.util.security.bouncycastle.BouncyCastleSecurityProviderRegistrar",
+                            "org.apache.sshd.common.util.security.eddsa.EdDSASecurityProviderRegistrar"));
+
+
+    /**
+     * System property used to control whether to automatically register the
+     * {@code Bouncyastle} JCE provider
+     * @deprecated Please use &quot;org.apache.sshd.security.provider.BC.enabled&quot;
+     */
+    @Deprecated
+    public static final String REGISTER_BOUNCY_CASTLE_PROP = "org.apache.sshd.registerBouncyCastle";
+
+    /**
+     * System property used to control whether Elliptic Curves are supported or not.
+     * If not set then the support is auto-detected. <B>Note:</B> if set to {@code true}
+     * it is up to the user to make sure that indeed there is a provider for them
+     */
+    public static final String ECC_SUPPORTED_PROP = "org.apache.sshd.eccSupport";
+
+    /**
+     * System property used to decide whether EDDSA curves are supported or not
+     * (in addition or even in spite of {@link #isEDDSACurveSupported()}). If not
+     * set or set to {@code true}, then the existence of the optional support classes
+     * determines the support.
+     * @deprecated Please use &quot;org.apache.sshd.security.provider.EdDSA.enabled&qupt;
+     */
+    @Deprecated
+    public static final String EDDSA_SUPPORTED_PROP = "org.apache.sshd.eddsaSupport";
+
+    public static final String PROP_DEFAULT_SECURITY_PROVIDER = "org.apache.sshd.security.defaultProvider";
+
+    private static final AtomicInteger MAX_DHG_KEY_SIZE_HOLDER = new AtomicInteger(0);
+
+    /*
+     * NOTE: we use a LinkedHashMap in order to preserve registration order
+     * in case several providers support the same security entity
+     */
+    private static final Map<String, SecurityProviderRegistrar> REGISTERED_PROVIDERS = new LinkedHashMap<>();
+    private static final AtomicReference<KeyPairResourceParser> KEYPAIRS_PARSER_HODLER = new AtomicReference<>();
+    // If an entry already exists for the named provider, then it overrides its SecurityProviderRegistrar#isEnabled()
+    private static final Set<String> APRIORI_DISABLED_PROVIDERS = new TreeSet<>();
+    private static final AtomicBoolean REGISTRATION_STATE_HOLDER = new AtomicBoolean(false);
+    private static final Map<Class<?>, Map<String, SecurityEntityFactory<?>>> SECURITY_ENTITY_FACTORIES = new HashMap<>();
+
+    private static final AtomicReference<SecurityProviderChoice> DEFAULT_PROVIDER_HOLDER = new AtomicReference<>();
+
+    private static Boolean hasEcc;
+
+    private SecurityUtils() {
+        throw new UnsupportedOperationException("No instance");
+    }
+
+    /**
+     * @param name The provider's name - never {@code null}/empty
+     * @return {@code true} if the provider is marked as disabled a-priori
+     * @see #setAPrioriDisabledProvider(String, boolean)
+     */
+    public static boolean isAPrioriDisabledProvider(String name) {
+        ValidateUtils.checkNotNullAndNotEmpty(name, "No provider name specified");
+        synchronized (APRIORI_DISABLED_PROVIDERS) {
+            return APRIORI_DISABLED_PROVIDERS.contains(name);
+        }
+    }
+
+    /**
+     * Marks a provider's registrar as &quot;a-priori&quot; <U>programatically</U>
+     * so that when its {@link SecurityProviderRegistrar#isEnabled()} is eventually
+     * consulted it will return {@code false} regardless of the configured value for
+     * the specific provider registrar instance. <B>Note:</B> has no effect if the
+     * provider has already been registered.
+     *
+     * @param name The provider's name - never {@code null}/empty
+     * @param disabled {@code true} whether to disable it a-priori
+     * @see #isAPrioriDisabledProvider(String)
+     */
+    public static void setAPrioriDisabledProvider(String name, boolean disabled) {
+        ValidateUtils.checkNotNullAndNotEmpty(name, "No provider name specified");
+        synchronized (APRIORI_DISABLED_PROVIDERS) {
+            if (disabled) {
+                APRIORI_DISABLED_PROVIDERS.add(name);
+            } else {
+                APRIORI_DISABLED_PROVIDERS.remove(name);
+            }
+        }
+    }
+
+    /**
+     * @return A <U>copy</U> if the current a-priori disabled providers names
+     */
+    public static Set<String> getAPrioriDisabledProviders() {
+        synchronized (APRIORI_DISABLED_PROVIDERS) {
+            return new TreeSet<>(APRIORI_DISABLED_PROVIDERS);
+        }
+    }
+
+    /**
+     * @return {@code true} if Elliptic Curve Cryptography is supported
+     * @see #ECC_SUPPORTED_PROP
+     */
+    public static boolean isECCSupported() {
+        if (hasEcc == null) {
+            String propValue = System.getProperty(ECC_SUPPORTED_PROP);
+            if (GenericUtils.isEmpty(propValue)) {
+                try {
+                    getKeyPairGenerator(KeyUtils.EC_ALGORITHM);
+                    hasEcc = Boolean.TRUE;
+                } catch (Throwable t) {
+                    hasEcc = Boolean.FALSE;
+                }
+            } else {
+                Logger logger = LoggerFactory.getLogger(SecurityUtils.class);
+                logger.info("Override ECC support value: " + propValue);
+                hasEcc = Boolean.valueOf(propValue);
+            }
+        }
+
+        return hasEcc;
+    }
+
+    /**
+     * @return {@code true} if Diffie-Hellman Group Exchange is supported
+     * @see #getMaxDHGroupExchangeKeySize()
+     */
+    public static boolean isDHGroupExchangeSupported() {
+        return getMaxDHGroupExchangeKeySize() > 0;
+    }
+
+    /**
+     * @param keySize The expected key size
+     * @return {@code true} if Oakely Diffie-Hellman Group Exchange is supported
+     * for the specified key size
+     * @see #getMaxDHGroupExchangeKeySize()
+     */
+    public static boolean isDHOakelyGroupSupported(int keySize) {
+        return getMaxDHGroupExchangeKeySize() >= keySize;
+    }
+
+    /**
+     * @return The maximum supported Diffie-Hellman Group Exchange key size,
+     * or non-positive if not supported
+     */
+    public static int getMaxDHGroupExchangeKeySize() {
+        int maxSupportedKeySize;
+        synchronized (MAX_DHG_KEY_SIZE_HOLDER) {
+            maxSupportedKeySize = MAX_DHG_KEY_SIZE_HOLDER.get();
+            if (maxSupportedKeySize != 0) { // 1st time we are called ?
+                return maxSupportedKeySize;
+            }
+
+            String propValue = System.getProperty(MAX_DHGEX_KEY_SIZE_PROP);
+            if (GenericUtils.isEmpty(propValue)) {
+                maxSupportedKeySize = -1;
+                // Go down from max. to min. to ensure we stop at 1st maximum value success
+                for (int testKeySize = MAX_DHGEX_KEY_SIZE; testKeySize >= MIN_DHGEX_KEY_SIZE; testKeySize -= 1024) {
+                    if (isDHGroupExchangeSupported(testKeySize)) {
+                        maxSupportedKeySize = testKeySize;
+                        break;
+                    }
+                }
+            } else {
+                Logger logger = LoggerFactory.getLogger(SecurityUtils.class);
+                logger.info("Override max. DH group exchange key size: " + propValue);
+                maxSupportedKeySize = Integer.parseInt(propValue);
+                // negative is OK - means user wants to disable DH group exchange
+                ValidateUtils.checkTrue(maxSupportedKeySize != 0,
+                        "Configured " + MAX_DHGEX_KEY_SIZE_PROP + " value must be non-zero: %d", maxSupportedKeySize);
+            }
+
+            MAX_DHG_KEY_SIZE_HOLDER.set(maxSupportedKeySize);
+        }
+
+        return maxSupportedKeySize;
+    }
+
+    /**
+     * Set programmatically the reported value for {@link #getMaxDHGroupExchangeKeySize()}
+     * @param keySize The reported key size - if zero, then it will be auto-detected, if
+     * negative then DH group exchange will be disabled
+     */
+    public static void setMaxDHGroupExchangeKeySize(int keySize) {
+        synchronized (MAX_DHG_KEY_SIZE_HOLDER) {
+            MAX_DHG_KEY_SIZE_HOLDER.set(keySize);
+        }
+    }
+
+    public static boolean isDHGroupExchangeSupported(int maxKeySize) {
+        ValidateUtils.checkTrue(maxKeySize > Byte.SIZE, "Invalid max. key size: %d", maxKeySize);
+
+        try {
+            BigInteger r = new BigInteger("0").setBit(maxKeySize - 1);
+            DHParameterSpec dhSkipParamSpec = new DHParameterSpec(r, r);
+            KeyPairGenerator kpg = getKeyPairGenerator("DH");
+            kpg.initialize(dhSkipParamSpec);
+            return true;
+        } catch (GeneralSecurityException t) {
+            return false;
+        }
+    }
+
+    public static SecurityProviderChoice getDefaultProviderChoice() {
+        SecurityProviderChoice choice;
+        synchronized (DEFAULT_PROVIDER_HOLDER) {
+            choice = DEFAULT_PROVIDER_HOLDER.get();
+            if (choice != null) {
+                return choice;
+            }
+
+            String name = System.getProperty(PROP_DEFAULT_SECURITY_PROVIDER);
+            choice = (GenericUtils.isEmpty(name) || "none".equalsIgnoreCase(name))
+                    ? SecurityProviderChoice.EMPTY
+                    : SecurityProviderChoice.toSecurityProviderChoice(name);
+            DEFAULT_PROVIDER_HOLDER.set(choice);
+        }
+
+        return choice;
+    }
+
+    public static void setDefaultProviderChoice(SecurityProviderChoice choice) {
+        DEFAULT_PROVIDER_HOLDER.set(choice);
+    }
+
+    /**
+     * @return A <U>copy</U> of the currently registered security providers
+     */
+    public static Set<String> getRegisteredProviders() {
+        // returns a COPY of the providers in order to avoid modifications
+        synchronized (REGISTERED_PROVIDERS) {
+            return new TreeSet<>(REGISTERED_PROVIDERS.keySet());
+        }
+    }
+
+    public static boolean isBouncyCastleRegistered() {
+        register();
+        return isProviderRegistered(BOUNCY_CASTLE);
+    }
+
+    public static boolean isProviderRegistered(String provider) {
+        return getRegisteredProvider(provider) != null;
+    }
+
+    public static SecurityProviderRegistrar getRegisteredProvider(String provider) {
+        ValidateUtils.checkNotNullAndNotEmpty(provider, "No provider name specified");
+        synchronized (REGISTERED_PROVIDERS) {
+            return REGISTERED_PROVIDERS.get(provider);
+        }
+    }
+
+    public static boolean isRegistrationCompleted() {
+        return REGISTRATION_STATE_HOLDER.get();
+    }
+
+    private static void register() {
+        synchronized (REGISTRATION_STATE_HOLDER) {
+            if (REGISTRATION_STATE_HOLDER.get()) {
+                return;
+            }
+
+            String regsList = System.getProperty(SECURITY_PROVIDER_REGISTRARS,
+                    GenericUtils.join(DEFAULT_SECURITY_PROVIDER_REGISTRARS, ','));
+            boolean bouncyCastleRegistered = false;
+            if ((GenericUtils.length(regsList) > 0) && (!"none".equalsIgnoreCase(regsList))) {
+                String[] classes = GenericUtils.split(regsList, ',');
+                Logger logger = LoggerFactory.getLogger(SecurityUtils.class);
+                boolean debugEnabled = logger.isDebugEnabled();
+                for (String registrarClass : classes) {
+                    SecurityProviderRegistrar r;
+                    try {
+                        r = ThreadUtils.createDefaultInstance(SecurityUtils.class, SecurityProviderRegistrar.class, registrarClass);
+                    } catch (ReflectiveOperationException t) {
+                        Throwable e = GenericUtils.peelException(t);
+                        logger.error("Failed ({}) to create default {} registrar instance: {}",
+                                     e.getClass().getSimpleName(), registrarClass, e.getMessage());
+                        if (e instanceof RuntimeException) {
+                            throw (RuntimeException) e;
+                        } else if (e instanceof Error) {
+                            throw (Error) e;
+                        } else {
+                            throw new RuntimeException(e);
+                        }
+                    }
+
+                    String name = r.getName();
+                    SecurityProviderRegistrar registeredInstance = registerSecurityProvider(r);
+                    if (registeredInstance == null) {
+                        if (debugEnabled) {
+                            logger.debug("register({}) not registered - enabled={}, supported={}",
+                                         name, r.isEnabled(), r.isSupported());
+                        }
+                        continue;   // provider not registered - e.g., disabled, not supported
+                    }
+
+                    if (BOUNCY_CASTLE.equalsIgnoreCase(name)) {
+                        bouncyCastleRegistered = true;
+                    }
+                }
+            }
+
+            SecurityProviderChoice choice = getDefaultProviderChoice();
+            if (((choice == null) || (choice == SecurityProviderChoice.EMPTY)) && bouncyCastleRegistered) {
+                setDefaultProviderChoice(SecurityProviderChoice.toSecurityProviderChoice(BOUNCY_CASTLE));
+            }
+
+            REGISTRATION_STATE_HOLDER.set(true);
+        }
+    }
+
+    /**
+     * @param registrar The registrar instance to register
+     * @return The registered instance - may be different than required
+     * if already registered. Returns {@code null} if not already registered
+     * and not enabled or not supported registrar.
+     */
+    public static SecurityProviderRegistrar registerSecurityProvider(SecurityProviderRegistrar registrar) {
+        Objects.requireNonNull(registrar, "No registrar instance to register");
+        String name = registrar.getName();
+        SecurityProviderRegistrar registeredInstance = getRegisteredProvider(name);
+        if ((registeredInstance == null) && registrar.isEnabled() && registrar.isSupported()) {
+            try {
+                SecurityProviderRegistrar.registerSecurityProvider(registrar);
+                synchronized (REGISTERED_PROVIDERS) {
+                    REGISTERED_PROVIDERS.put(name, registrar);
+                }
+
+                return registrar;
+            } catch (Throwable t) {
+                Logger logger = LoggerFactory.getLogger(SecurityUtils.class);
+                logger.error("Failed {} to register {} as a JCE provider: {}",
+                             t.getClass().getSimpleName(), name, t.getMessage());
+                throw new RuntimeException("Failed to register " + name + " as a JCE provider", t);
+            }
+        }
+
+        return registeredInstance;
+    }
+
+    ///////////////// Bouncycastle specific implementations //////////////////
+
+    /* -------------------------------------------------------------------- */
+
+    /**
+     * @param resourceKey An identifier of the key being loaded - used as
+     *                    argument to the {@link FilePasswordProvider#getPassword(String)}
+     *                    invocation
+     * @param inputStream The {@link InputStream} for the <U>private</U> key
+     * @param provider    A {@link FilePasswordProvider} - may be {@code null}
+     *                    if the loaded key is <U>guaranteed</U> not to be encrypted
+     * @return The loaded {@link KeyPair}
+     * @throws IOException              If failed to read/parse the input stream
+     * @throws GeneralSecurityException If failed to generate the keys
+     */
+    public static KeyPair loadKeyPairIdentity(String resourceKey, InputStream inputStream, FilePasswordProvider provider)
+            throws IOException, GeneralSecurityException {
+        KeyPairResourceParser parser = getKeyPairResourceParser();
+        if (parser == null) {
+            throw new NoSuchProviderException("No registered key-pair resource parser");
+        }
+
+        Collection<KeyPair> ids = parser.loadKeyPairs(resourceKey, provider, inputStream);
+        int numLoaded = GenericUtils.size(ids);
+        if (numLoaded <= 0) {
+            throw new InvalidKeyException("Unsupported private key file format: " + resourceKey);
+        }
+        if (numLoaded != 1) {
+            throw new InvalidKeySpecException("Multiple private key pairs N/A: " + resourceKey);
+        }
+
+        return ids.iterator().next();
+    }
+
+    /* -------------------------------------------------------------------- */
+
+    public static AbstractGeneratorHostKeyProvider createGeneratorHostKeyProvider(Path path) {
+        ValidateUtils.checkTrue(isBouncyCastleRegistered(), "BouncyCastle not registered");
+        return new BouncyCastleGeneratorHostKeyProvider(path);
+    }
+
+    public static KeyPairResourceParser getBouncycastleKeyPairResourceParser() {
+        ValidateUtils.checkTrue(isBouncyCastleRegistered(), "BouncyCastle not registered");
+        return BouncyCastleKeyPairResourceParser.INSTANCE;
+    }
+
+    /**
+     * @return If {@link #isBouncyCastleRegistered()} then a {@link BouncyCastleRandomFactory}
+     * instance, otherwise a {@link JceRandomFactory} one
+     */
+    public static RandomFactory getRandomFactory() {
+        if (isBouncyCastleRegistered()) {
+            return BouncyCastleRandomFactory.INSTANCE;
+        } else {
+            return JceRandomFactory.INSTANCE;
+        }
+    }
+
+    ///////////////////////////// ED25519 support ///////////////////////////////
+
+    /**
+     * @return {@code true} if EDDSA curves (e.g., {@code ed25519}) are supported
+     */
+    public static boolean isEDDSACurveSupported() {
+        register();
+
+        SecurityProviderRegistrar r = getRegisteredProvider(EDDSA);
+        return (r != null) && r.isEnabled() && r.isSupported();
+    }
+
+    /* -------------------------------------------------------------------- */
+
+    public static PublicKeyEntryDecoder<? extends PublicKey, ? extends PrivateKey> getEDDSAPublicKeyEntryDecoder() {
+        if (!isEDDSACurveSupported()) {
+            throw new UnsupportedOperationException(EDDSA + " provider N/A");
+        }
+
+        return EdDSASecurityProviderUtils.getEDDSAPublicKeyEntryDecoder();
+    }
+
+    public static PrivateKeyEntryDecoder<? extends PublicKey, ? extends PrivateKey> getOpenSSHEDDSAPrivateKeyEntryDecoder() {
+        if (!isEDDSACurveSupported()) {
+            throw new UnsupportedOperationException(EDDSA + " provider N/A");
+        }
+
+        return EdDSASecurityProviderUtils.getOpenSSHEDDSAPrivateKeyEntryDecoder();
+    }
+
+    public static org.apache.sshd.common.signature.Signature getEDDSASigner() {
+        if (isEDDSACurveSupported()) {
+            return EdDSASecurityProviderUtils.getEDDSASignature();
+        }
+
+        throw new UnsupportedOperationException(EDDSA + " Signer not available");
+    }
+
+    public static int getEDDSAKeySize(Key key) {
+        return EdDSASecurityProviderUtils.getEDDSAKeySize(key);
+    }
+
+    public static Class<? extends PublicKey> getEDDSAPublicKeyType() {
+        return isEDDSACurveSupported() ? EdDSASecurityProviderUtils.getEDDSAPublicKeyType() : PublicKey.class;
+    }
+
+    public static Class<? extends PrivateKey> getEDDSAPrivateKeyType() {
+        return isEDDSACurveSupported() ? EdDSASecurityProviderUtils.getEDDSAPrivateKeyType() : PrivateKey.class;
+    }
+
+    public static boolean compareEDDSAPPublicKeys(PublicKey k1, PublicKey k2) {
+        return isEDDSACurveSupported() ? EdDSASecurityProviderUtils.compareEDDSAPPublicKeys(k1, k2) : false;
+    }
+
+    public static boolean compareEDDSAPrivateKeys(PrivateKey k1, PrivateKey k2) {
+        return isEDDSACurveSupported() ? EdDSASecurityProviderUtils.compareEDDSAPrivateKeys(k1, k2) : false;
+    }
+
+    public static PublicKey recoverEDDSAPublicKey(PrivateKey key) throws GeneralSecurityException {
+        if (!isEDDSACurveSupported()) {
+            throw new NoSuchAlgorithmException(EDDSA + " provider not supported");
+        }
+
+        return EdDSASecurityProviderUtils.recoverEDDSAPublicKey(key);
+    }
+
+    public static PublicKey generateEDDSAPublicKey(String keyType, byte[] seed) throws GeneralSecurityException {
+        if (!KeyPairProvider.SSH_ED25519.equals(keyType)) {
+            throw new InvalidKeyException("Unsupported key type: " + keyType);
+        }
+
+        if (!isEDDSACurveSupported()) {
+            throw new NoSuchAlgorithmException(EDDSA + " provider not supported");
+        }
+
+        return EdDSASecurityProviderUtils.generateEDDSAPublicKey(seed);
+    }
+
+    public static <B extends Buffer> B putRawEDDSAPublicKey(B buffer, PublicKey key) {
+        if (!isEDDSACurveSupported()) {
+            throw new UnsupportedOperationException(EDDSA + " provider not supported");
+        }
+
+        return EdDSASecurityProviderUtils.putRawEDDSAPublicKey(buffer, key);
+    }
+
+    public static <B extends Buffer> B putEDDSAKeyPair(B buffer, KeyPair kp) {
+        return putEDDSAKeyPair(buffer, Objects.requireNonNull(kp, "No key pair").getPublic(), kp.getPrivate());
+    }
+
+    public static <B extends Buffer> B putEDDSAKeyPair(B buffer, PublicKey pubKey, PrivateKey prvKey) {
+        if (!isEDDSACurveSupported()) {
+            throw new UnsupportedOperationException(EDDSA + " provider not supported");
+        }
+
+        return EdDSASecurityProviderUtils.putEDDSAKeyPair(buffer, pubKey, prvKey);
+    }
+
+    public static KeyPair extractEDDSAKeyPair(Buffer buffer, String keyType) throws GeneralSecurityException {
+        if (!KeyPairProvider.SSH_ED25519.equals(keyType)) {
+            throw new InvalidKeyException("Unsupported key type: " + keyType);
+        }
+
+        if (!isEDDSACurveSupported()) {
+            throw new NoSuchAlgorithmException(EDDSA + " provider not supported");
+        }
+
+        throw new GeneralSecurityException("Full SSHD-440 implementation N/A");
+    }
+
+    //////////////////////////////////////////////////////////////////////////
+
+    public static KeyPairResourceParser getKeyPairResourceParser() {
+        KeyPairResourceParser parser;
+        synchronized (KEYPAIRS_PARSER_HODLER) {
+            parser = KEYPAIRS_PARSER_HODLER.get();
+            if (parser != null) {
+                return parser;
+            }
+
+            parser = KeyPairResourceParser.aggregate(
+                    PEMResourceParserUtils.PROXY,
+                    OpenSSHKeyPairResourceParser.INSTANCE);
+            KEYPAIRS_PARSER_HODLER.set(parser);
+        }
+
+        return parser;
+    }
+
+    /**
+     * @param parser The system-wide {@code KeyPairResourceParser} to use.
+     * If set to {@code null}, then the default parser will be re-constructed
+     * on next call to {@link #getKeyPairResourceParser()}
+     */
+    public static void setKeyPairResourceParser(KeyPairResourceParser parser) {
+        synchronized (KEYPAIRS_PARSER_HODLER) {
+            KEYPAIRS_PARSER_HODLER.set(parser);
+        }
+    }
+
+    //////////////////////////// Security entities factories /////////////////////////////
+
+    @SuppressWarnings("unchecked")
+    public static <T> SecurityEntityFactory<T> resolveSecurityEntityFactory(
+            Class<T> entityType, String algorithm, Predicate<? super SecurityProviderRegistrar> entitySelector) {
+        Map<String, SecurityEntityFactory<?>> factoriesMap;
+        synchronized (SECURITY_ENTITY_FACTORIES) {
+            factoriesMap =
+                    SECURITY_ENTITY_FACTORIES.computeIfAbsent(
+                            entityType, k -> new TreeMap<>(String.CASE_INSENSITIVE_ORDER));
+        }
+
+        String effectiveName = SecurityProviderRegistrar.getEffectiveSecurityEntityName(entityType, algorithm);
+        SecurityEntityFactory<?> factoryEntry;
+        synchronized (factoriesMap) {
+            factoryEntry =
+                    factoriesMap.computeIfAbsent(
+                            effectiveName, k -> createSecurityEntityFactory(entityType, entitySelector));
+        }
+
+        return (SecurityEntityFactory<T>) factoryEntry;
+    }
+
+    public static <T> SecurityEntityFactory<T> createSecurityEntityFactory(
+            Class<T> entityType, Predicate<? super SecurityProviderRegistrar> entitySelector) {
+        register();
+
+        SecurityProviderRegistrar registrar;
+        synchronized (REGISTERED_PROVIDERS) {
+            registrar =
+                 SecurityProviderRegistrar.findSecurityProviderRegistrarBySecurityEntity(
+                         entitySelector, REGISTERED_PROVIDERS.values());
+        }
+
+        try {
+            return SecurityEntityFactory.toFactory(entityType, registrar, getDefaultProviderChoice());
+        } catch (ReflectiveOperationException t) {
+            Throwable e = GenericUtils.peelException(t);
+            if (e instanceof RuntimeException) {
+                throw (RuntimeException) e;
+            } else if (e instanceof Error) {
+                throw (Error) e;
+            } else {
+                throw new RuntimeException(e);
+            }
+        }
+    }
+
+    public static KeyFactory getKeyFactory(String algorithm) throws GeneralSecurityException {
+        SecurityEntityFactory<KeyFactory> factory =
+                resolveSecurityEntityFactory(KeyFactory.class, algorithm, r -> r.isKeyFactorySupported(algorithm));
+        return factory.getInstance(algorithm);
+    }
+
+    public static Cipher getCipher(String transformation) throws GeneralSecurityException {
+        SecurityEntityFactory<Cipher> factory =
+                resolveSecurityEntityFactory(Cipher.class, transformation, r -> r.isCipherSupported(transformation));
+        return factory.getInstance(transformation);
+    }
+
+    public static MessageDigest getMessageDigest(String algorithm) throws GeneralSecurityException {
+        SecurityEntityFactory<MessageDigest> factory =
+                resolveSecurityEntityFactory(MessageDigest.class, algorithm, r -> r.isMessageDigestSupported(algorithm));
+        return factory.getInstance(algorithm);
+    }
+
+    public static KeyPairGenerator getKeyPairGenerator(String algorithm) throws GeneralSecurityException {
+        SecurityEntityFactory<KeyPairGenerator> factory =
+                resolveSecurityEntityFactory(KeyPairGenerator.class, algorithm, r -> r.isKeyPairGeneratorSupported(algorithm));
+        return factory.getInstance(algorithm);
+    }
+
+    public static KeyAgreement getKeyAgreement(String algorithm) throws GeneralSecurityException {
+        SecurityEntityFactory<KeyAgreement> factory =
+                resolveSecurityEntityFactory(KeyAgreement.class, algorithm, r -> r.isKeyAgreementSupported(algorithm));
+        return factory.getInstance(algorithm);
+    }
+
+    public static Mac getMac(String algorithm) throws GeneralSecurityException {
+        SecurityEntityFactory<Mac> factory =
+                resolveSecurityEntityFactory(Mac.class, algorithm, r -> r.isMacSupported(algorithm));
+        return factory.getInstance(algorithm);
+    }
+
+    public static Signature getSignature(String algorithm) throws GeneralSecurityException {
+        SecurityEntityFactory<Signature> factory =
+                resolveSecurityEntityFactory(Signature.class, algorithm, r -> r.isSignatureSupported(algorithm));
+        return factory.getInstance(algorithm);
+    }
+
+    public static CertificateFactory getCertificateFactory(String type) throws GeneralSecurityException {
+        SecurityEntityFactory<CertificateFactory> factory =
+                resolveSecurityEntityFactory(CertificateFactory.class, type, r -> r.isCertificateFactorySupported(type));
+        return factory.getInstance(type);
+    }
+}

http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleGeneratorHostKeyProvider.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleGeneratorHostKeyProvider.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleGeneratorHostKeyProvider.java
new file mode 100644
index 0000000..3716719
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleGeneratorHostKeyProvider.java
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sshd.common.util.security.bouncycastle;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+
+import org.apache.sshd.server.keyprovider.AbstractGeneratorHostKeyProvider;
+
+/**
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ */
+public class BouncyCastleGeneratorHostKeyProvider extends AbstractGeneratorHostKeyProvider {
+    public BouncyCastleGeneratorHostKeyProvider(Path path) {
+        setPath(path);
+    }
+
+    @SuppressWarnings("deprecation")
+    @Override
+    protected void doWriteKeyPair(String resourceKey, KeyPair kp, OutputStream outputStream) throws IOException, GeneralSecurityException {
+        try (org.bouncycastle.openssl.PEMWriter w =
+                     new org.bouncycastle.openssl.PEMWriter(new OutputStreamWriter(outputStream, StandardCharsets.UTF_8))) {
+            w.writeObject(kp);
+            w.flush();
+        }
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java
new file mode 100644
index 0000000..4c8722a
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleKeyPairResourceParser.java
@@ -0,0 +1,130 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.sshd.common.util.security.bouncycastle;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.NoSuchProviderException;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.sshd.common.config.keys.FilePasswordProvider;
+import org.apache.sshd.common.config.keys.loader.AbstractKeyPairResourceParser;
+import org.apache.sshd.common.util.ValidateUtils;
+import org.apache.sshd.common.util.io.IoUtils;
+import org.apache.sshd.common.util.security.SecurityProviderRegistrar;
+import org.apache.sshd.common.util.security.SecurityUtils;
+import org.bouncycastle.openssl.PEMDecryptorProvider;
+import org.bouncycastle.openssl.PEMEncryptedKeyPair;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
+
+/**
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ */
+public class BouncyCastleKeyPairResourceParser extends AbstractKeyPairResourceParser {
+    public static final List<String> BEGINNERS =
+            Collections.unmodifiableList(
+                    Arrays.asList(
+                            "BEGIN RSA PRIVATE KEY",
+                            "BEGIN DSA PRIVATE KEY",
+                            "BEGIN EC PRIVATE KEY"));
+
+    public static final List<String> ENDERS =
+            Collections.unmodifiableList(
+                    Arrays.asList(
+                            "END RSA PRIVATE KEY",
+                            "END DSA PRIVATE KEY",
+                            "END EC PRIVATE KEY"));
+
+    public static final BouncyCastleKeyPairResourceParser INSTANCE = new BouncyCastleKeyPairResourceParser();
+
+    public BouncyCastleKeyPairResourceParser() {
+        super(BEGINNERS, ENDERS);
+    }
+
+    @Override
+    public Collection<KeyPair> extractKeyPairs(
+            String resourceKey, String beginMarker, String endMarker, FilePasswordProvider passwordProvider, List<String> lines)
+                    throws IOException, GeneralSecurityException {
+        StringBuilder writer = new StringBuilder(beginMarker.length() + endMarker.length() + lines.size() * 80);
+        writer.append(beginMarker).append(IoUtils.EOL);
+        lines.forEach(l -> writer.append(l).append(IoUtils.EOL));
+        writer.append(endMarker).append(IoUtils.EOL);
+
+        String data = writer.toString();
+        byte[] dataBytes = data.getBytes(StandardCharsets.UTF_8);
+        try (InputStream bais = new ByteArrayInputStream(dataBytes)) {
+            return extractKeyPairs(resourceKey, beginMarker, endMarker, passwordProvider, bais);
+        }
+    }
+
+    @Override
+    public Collection<KeyPair> extractKeyPairs(
+            String resourceKey, String beginMarker, String endMarker, FilePasswordProvider passwordProvider, InputStream stream)
+                    throws IOException, GeneralSecurityException {
+        KeyPair kp = loadKeyPair(resourceKey, stream, passwordProvider);
+        return (kp == null) ? Collections.emptyList() : Collections.singletonList(kp);
+    }
+
+    public static KeyPair loadKeyPair(String resourceKey, InputStream inputStream, FilePasswordProvider provider)
+            throws IOException, GeneralSecurityException {
+        try (PEMParser r = new PEMParser(new InputStreamReader(inputStream, StandardCharsets.UTF_8))) {
+            Object o = r.readObject();
+
+            SecurityProviderRegistrar registrar = SecurityUtils.getRegisteredProvider(SecurityUtils.BOUNCY_CASTLE);
+            if (registrar == null) {
+                throw new NoSuchProviderException(SecurityUtils.BOUNCY_CASTLE + " registrar not available");
+            }
+
+            JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter();
+            if (registrar.isNamedProviderUsed()) {
+                pemConverter.setProvider(registrar.getName());
+            } else {
+                pemConverter.setProvider(registrar.getSecurityProvider());
+            }
+            if (o instanceof PEMEncryptedKeyPair) {
+                ValidateUtils.checkNotNull(provider, "No password provider for resource=%s", resourceKey);
+
+                String password = ValidateUtils.checkNotNullAndNotEmpty(provider.getPassword(resourceKey), "No password provided for resource=%s", resourceKey);
+                JcePEMDecryptorProviderBuilder decryptorBuilder = new JcePEMDecryptorProviderBuilder();
+                PEMDecryptorProvider pemDecryptor = decryptorBuilder.build(password.toCharArray());
+                o = ((PEMEncryptedKeyPair) o).decryptKeyPair(pemDecryptor);
+            }
+
+            if (o instanceof PEMKeyPair) {
+                return pemConverter.getKeyPair((PEMKeyPair) o);
+            } else if (o instanceof KeyPair) {
+                return (KeyPair) o;
+            } else {
+                throw new IOException("Failed to read " + resourceKey + " - unknown result object: " + o);
+            }
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandom.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandom.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandom.java
new file mode 100644
index 0000000..36c23e7
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandom.java
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sshd.common.util.security.bouncycastle;
+
+import java.security.SecureRandom;
+
+import org.apache.sshd.common.random.AbstractRandom;
+import org.apache.sshd.common.util.ValidateUtils;
+import org.apache.sshd.common.util.security.SecurityUtils;
+import org.bouncycastle.crypto.prng.RandomGenerator;
+import org.bouncycastle.crypto.prng.VMPCRandomGenerator;
+
+/**
+ * BouncyCastle <code>Random</code>.
+ * This pseudo random number generator uses the a very fast PRNG from BouncyCastle.
+ * The JRE random will be used when creating a new generator to add some random
+ * data to the seed.
+ *
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ */
+public final class BouncyCastleRandom extends AbstractRandom {
+    public static final String NAME = SecurityUtils.BOUNCY_CASTLE;
+    private final RandomGenerator random;
+
+    public BouncyCastleRandom() {
+        ValidateUtils.checkTrue(SecurityUtils.isBouncyCastleRegistered(), "BouncyCastle not registered");
+        this.random = new VMPCRandomGenerator();
+        byte[] seed = new SecureRandom().generateSeed(8);
+        this.random.addSeedMaterial(seed);
+    }
+
+    @Override
+    public String getName() {
+        return NAME;
+    }
+
+    @Override
+    public void fill(byte[] bytes, int start, int len) {
+        this.random.nextBytes(bytes, start, len);
+    }
+
+    /**
+     * Returns a pseudo-random uniformly distributed {@code int}
+     * in the half-open range [0, n).
+     */
+    @Override
+    public int random(int n) {
+        ValidateUtils.checkTrue(n > 0, "Limit must be positive: %d", n);
+        if ((n & -n) == n) {
+            return (int) ((n * (long) next(31)) >> 31);
+        }
+
+        int bits;
+        int val;
+        do {
+            bits = next(31);
+            val = bits % n;
+        } while (bits - val + (n - 1) < 0);
+        return val;
+    }
+
+    private int next(int numBits) {
+        int bytes = (numBits + 7) / 8;
+        byte next[] = new byte[bytes];
+        int ret = 0;
+        random.nextBytes(next);
+        for (int i = 0; i < bytes; i++) {
+            ret = (next[i] & 0xFF) | (ret << 8);
+        }
+        return ret >>> (bytes * 8 - numBits);
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandomFactory.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandomFactory.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandomFactory.java
new file mode 100644
index 0000000..720c7a5
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandomFactory.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sshd.common.util.security.bouncycastle;
+
+import org.apache.sshd.common.random.AbstractRandomFactory;
+import org.apache.sshd.common.random.Random;
+import org.apache.sshd.common.util.security.SecurityUtils;
+
+/**
+ * Named factory for the BouncyCastle <code>Random</code>
+ */
+public final class BouncyCastleRandomFactory extends AbstractRandomFactory {
+    public static final String NAME = "bouncycastle";
+    public static final BouncyCastleRandomFactory INSTANCE = new BouncyCastleRandomFactory();
+
+    public BouncyCastleRandomFactory() {
+        super(NAME);
+    }
+
+    @Override
+    public boolean isSupported() {
+        return SecurityUtils.isBouncyCastleRegistered();
+    }
+
+    @Override
+    public Random create() {
+        return new BouncyCastleRandom();
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/mina-sshd/blob/10de190e/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleSecurityProviderRegistrar.java
----------------------------------------------------------------------
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleSecurityProviderRegistrar.java b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleSecurityProviderRegistrar.java
new file mode 100644
index 0000000..b47ca80
--- /dev/null
+++ b/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleSecurityProviderRegistrar.java
@@ -0,0 +1,128 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sshd.common.util.security.bouncycastle;
+
+import java.security.KeyFactory;
+import java.security.KeyPairGenerator;
+import java.security.Provider;
+import java.security.Signature;
+import java.util.Objects;
+import java.util.concurrent.atomic.AtomicReference;
+
+import org.apache.sshd.common.util.GenericUtils;
+import org.apache.sshd.common.util.ReflectionUtils;
+import org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar;
+import org.apache.sshd.common.util.security.SecurityUtils;
+import org.apache.sshd.common.util.threads.ThreadUtils;
+
+/**
+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
+ */
+public class BouncyCastleSecurityProviderRegistrar extends AbstractSecurityProviderRegistrar {
+    // We want to use reflection API so as not to require BouncyCastle to be present in the classpath
+    public static final String PROVIDER_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
+    // Do not define a static registrar instance to minimize class loading issues
+    private final AtomicReference<Boolean> supportHolder = new AtomicReference<>(null);
+    private final AtomicReference<String> allSupportHolder = new AtomicReference<>();
+
+    public BouncyCastleSecurityProviderRegistrar() {
+        super(SecurityUtils.BOUNCY_CASTLE);
+    }
+
+    @Override
+    public boolean isEnabled() {
+        if (!super.isEnabled()) {
+            return false;
+        }
+
+        // For backward compatibility
+        return this.getBooleanProperty(SecurityUtils.REGISTER_BOUNCY_CASTLE_PROP, true);
+    }
+
+    @Override
+    public Provider getSecurityProvider() {
+        try {
+            return getOrCreateProvider(PROVIDER_CLASS);
+        } catch (ReflectiveOperationException t) {
+            Throwable e = GenericUtils.peelException(t);
+            log.error("getSecurityProvider({}) failed ({}) to instantiate {}: {}",
+                      getName(), e.getClass().getSimpleName(), PROVIDER_CLASS, e.getMessage());
+            if (e instanceof RuntimeException) {
+                throw (RuntimeException) e;
+            }
+
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    public String getDefaultSecurityEntitySupportValue(Class<?> entityType) {
+        String allValue = allSupportHolder.get();
+        if (GenericUtils.length(allValue) > 0) {
+            return allValue;
+        }
+
+        String propName = getConfigurationPropertyName("supportAll");
+        allValue = this.getStringProperty(propName, ALL_OPTIONS_VALUE);
+        if (GenericUtils.isEmpty(allValue)) {
+            allValue = NO_OPTIONS_VALUE;
+        }
+
+        allSupportHolder.set(allValue);
+        return allValue;
+    }
+
+    @Override
+    public boolean isSecurityEntitySupported(Class<?> entityType, String name) {
+        if (!isSupported()) {
+            return false;
+        }
+
+        // Some known values it does not support
+        if (KeyPairGenerator.class.isAssignableFrom(entityType)
+                || KeyFactory.class.isAssignableFrom(entityType)) {
+            if (Objects.compare(name, SecurityUtils.EDDSA, String.CASE_INSENSITIVE_ORDER) == 0) {
+                return false;
+            }
+        } else if (Signature.class.isAssignableFrom(entityType)) {
+            if (Objects.compare(name, SecurityUtils.CURVE_ED25519_SHA512, String.CASE_INSENSITIVE_ORDER) == 0) {
+                return false;
+            }
+        }
+
+        return super.isSecurityEntitySupported(entityType, name);
+    }
+
+    @Override
+    public boolean isSupported() {
+        Boolean supported;
+        synchronized (supportHolder) {
+            supported = supportHolder.get();
+            if (supported != null) {
+                return supported.booleanValue();
+            }
+
+            ClassLoader cl = ThreadUtils.resolveDefaultClassLoader(getClass());
+            supported = ReflectionUtils.isClassAvailable(cl, PROVIDER_CLASS);
+            supportHolder.set(supported);
+        }
+
+        return supported.booleanValue();
+    }
+}


Mime
View raw message