pingidentity / ldapsdk

UnboundID LDAP SDK for Java

unboundid-ldapsdk mutual TLS usage examples in Java #102

Open sherry442 opened 3 years ago

sherry442 commented 3 years ago

Hi, are there any examples of how to use unboundid-ldapsdk in Java for mutual TLS? Could you please provide information on which version of unboundid-ldapsdk supports mutual TLS?

dirmgr commented 3 years ago

I assume that you’re asking about writing LDAP clients. In that case, the LDAP SDK has always supported mutual TLS. To use it, you need to have access to a key store containing the client certificate chain. If you’re using the SSLUtil class, then you can do that by providing an appropriate key manager to the SSLUtil constructor, and then use that SSLUtil object to create an SSLSocketFactory for use when creating an LDAPConnection or LDAPConnectionPool. For example:

KeyStoreKeyManager keyManager = new KeyStoreKeyManager(pathToKeyStore,
     keyStorePIN, keyStoreFormat, certificateAlias);

TrustStoreTrustManager trustManager = new TrustStoreTrustManager(
     pathToTrustStore, trustStorePIN, trustStoreFormat,
     examineValidityDates);

SSLUtil sslUtil = new SSLUtil(keyManager, trustManager);

LDAPConnection conn = new LDAPConnection(sslUtil.createSSLSocketFactory(),
     serverAddress, serverPort);

There are several places in the LDAP SDK where we do something like this, but one good place to look for an example would be the LDAPCommandLineTool.createSSLUtil method. That method creates an SSLUtil object based on the arguments provided when running a command-line tool.

Note that the above code will just cause the client to send a certificate chain to the server if one is requested. If you actually want to use that certificate chain for LDAP authentication, then you need to perform a SASL bind on that connection with the EXTERNAL mechanism. That is as simple as:

BindResult bindResult = conn.bind(new EXTERNALBindRequest());

If you’re asking about the in-memory directory server that the LDAP SDK provides, then support for mutual TLS authentication was only added fairly recently, in the 5.1.2 release. In that case, you should use the requestClientCertificate and requireClientCertificate arguments when creating an InMemoryListenerConfig object for the TLS-enabled listener.
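A complete client that puts the pieces above together, added here as an example and not code from this thread or from the LDAP SDK project: it opens an LDAPS connection with a client certificate, binds with SASL EXTERNAL, and then uses the Who Am I extended operation to confirm which authorization identity the server mapped the certificate to, which is the check worth making after wiring up mutual TLS. Host, port, store paths, PIN and alias are hypothetical placeholders.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.EXTERNALBindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedResult;
import com.unboundid.util.ssl.KeyStoreKeyManager;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

public class MutualTLSClientExample
{
  public static void main(final String... args) throws Exception
  {
    // Hypothetical values; replace with your own.
    final String serverAddress  = "ldap.example.com";
    final int    serverPort     = 636;
    final String keyStorePath   = "/path/to/client-keystore.p12";
    final String trustStorePath = "/path/to/truststore.p12";
    final char[] storePIN       = "changeit".toCharArray();

    // The key manager supplies the client certificate chain and private key
    // when the server asks for a client certificate during the handshake.
    final KeyStoreKeyManager keyManager = new KeyStoreKeyManager(
         keyStorePath, storePIN, "PKCS12", "client-cert");

    // The trust manager decides whether the server's chain is acceptable;
    // examineValidityDates=true also rejects expired or not-yet-valid chains.
    final TrustStoreTrustManager trustManager = new TrustStoreTrustManager(
         trustStorePath, storePIN, "PKCS12", true);

    final SSLUtil sslUtil = new SSLUtil(keyManager, trustManager);

    try (LDAPConnection conn = new LDAPConnection(
              sslUtil.createSSLSocketFactory(), serverAddress, serverPort))
    {
      System.out.println("Negotiated " + conn.getSSLSession().getProtocol() +
           " with " + conn.getSSLSession().getCipherSuite());

      // Presenting a certificate only authenticates the TLS layer. The LDAP
      // authorization identity is established by the SASL EXTERNAL bind; the
      // SDK throws LDAPException if the server rejects it.
      final BindResult bindResult = conn.bind(new EXTERNALBindRequest());
      System.out.println("Bind result: " + bindResult.getResultCode());

      // Confirm which identity the server mapped the certificate to.
      final WhoAmIExtendedResult whoAmI = new WhoAmIExtendedResult(
           conn.processExtendedOperation(new WhoAmIExtendedRequest()));
      System.out.println("Authorization identity: " +
           whoAmI.getAuthorizationID());
    }
    catch (final LDAPException e)
    {
      System.err.println("Mutual TLS authentication failed: " +
           e.getResultCode() + " " + e.getMessage());
    }
  }
}
```

If the authorization identity comes back as the anonymous identity, the server accepted the certificate at the TLS layer but has no identity mapper for it, which is a server-side configuration matter rather than a client one.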

sherry442 commented 3 years ago

@dirmgr Thanks for the information.
I am asking about the LDAP client only. I have some more queries.

We have the following files, from which we need to generate a key store and trust store.

  1. clientcert.pem (client certificate)
  2. clientkey.pem (client private key)
  3. cacert.pem (CA certificate)

Is there any way to dynamically generate the keystore and truststore using the above PEM files?

If we are using the SSLUtil class to create an SSLContext, how do we pass the allowed ciphers? We also want to use the StartTLS feature. If you can guide us, it would be helpful.

dirmgr commented 3 years ago

At present, the LDAP SDK doesn’t directly support using PEM files as a key or trust store. However, it does provide a manage-certificates tool that you can use either from the command line or programmatically to import data from PEM files into key and trust stores.

To create the key store, you would use a command like the following:

tools/manage-certificates import-certificate \
     --keystore {pathToKeyStore} \
     --prompt-for-keystore-password \
     --alias client-cert \
     --certificate-file clientcert.pem \
     --certificate-file cacert.pem \
     --private-key-file clientkey.pem

The {pathToKeyStore} argument should be replaced with the path or name of the key store file that you want to create or update. The key store needs a password (sometimes called a PIN) to protect its contents, so you’ll need to provide that, too (alternatively, you can provide it directly on the command line with the --keystore-password argument, or you can point to a file containing the password with the --keystore-password-file argument).

To create the trust store, you should just need to import the CA certificate. The command to do that will look something like:

tools/manage-certificates import-certificate \
     --keystore {pathToTrustStore} \
     --prompt-for-keystore-password \
     --alias ca-cert \
     --certificate-file cacert.pem

Both key and trust store files use the same format, but key stores need the full certificate chain with a private key, whereas trust store files just need the issuer certificates.

Note that if you want, you can also invoke the tool programmatically to create the key and trust store files on the fly. Just call the com.unboundid.util.ssl.cert.ManageCertificates.main method that takes input and output streams and an appropriate array of arguments.

Once you have the key and trust store files, then you can create an SSLUtil instance like I pointed out in my earlier comment. By default, the LDAP SDK does a pretty good job of picking the cipher suites that should be used, but you can override that by calling SSLUtil.setEnabledSSLCipherSuites. There is also a setEnabledSSLProtocols method if you want to control the protocol versions.

If you’re going to use StartTLS, then there are a couple of ways to accomplish that. If you’re using a standalone connection, then you should create a new com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest using an SSLSocketFactory created from the SSLUtil instance. If you’re going to use a connection pool, then you should create the pool with a StartTLSPostConnectProcessor, as that will ensure that all new connections created for use in the pool have the StartTLS extended request invoked automatically to secure the connections as soon as they have been established.
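The steps above carried out in-process, added as an example here and not taken from this thread or from the SDK project: the PEM files are imported by calling ManageCertificates.main, the protocol and cipher suite lists are pinned, and a pool is created whose connections are upgraded with StartTLS before the SASL EXTERNAL bind runs. Paths, password, host and cipher list are hypothetical; the --keystore-type and --no-prompt arguments are assumed from the tool's help output rather than shown in this thread, so confirm them with manage-certificates import-certificate --help.

```java
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import com.unboundid.ldap.sdk.EXTERNALBindRequest;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SingleServerSet;
import com.unboundid.ldap.sdk.StartTLSPostConnectProcessor;
import com.unboundid.util.ssl.KeyStoreKeyManager;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;
import com.unboundid.util.ssl.cert.ManageCertificates;

public class PemToStoresStartTLSPoolExample
{
  // Runs manage-certificates in-process with an empty stdin, so every value
  // must come from the arguments; fails fast on anything but SUCCESS.
  static void manageCertificates(final String... args) throws LDAPException
  {
    final ResultCode rc = ManageCertificates.main(
         new ByteArrayInputStream(new byte[0]), System.out, System.err, args);
    if (rc != ResultCode.SUCCESS)
    {
      throw new LDAPException(rc,
           "manage-certificates failed: " + Arrays.toString(args));
    }
  }

  public static void main(final String... args) throws Exception
  {
    // Hypothetical paths and password; replace with your own.
    final String keyStorePath   = "client-keystore.p12";
    final String trustStorePath = "truststore.p12";
    final char[] storePIN       = "changeit".toCharArray();

    // Key store: client chain (leaf plus CA) together with its private key.
    // --keystore-type and --no-prompt are assumed from the tool's --help.
    manageCertificates("import-certificate",
         "--keystore", keyStorePath, "--keystore-password", new String(storePIN),
         "--keystore-type", "PKCS12", "--alias", "client-cert",
         "--certificate-file", "clientcert.pem",
         "--certificate-file", "cacert.pem",
         "--private-key-file", "clientkey.pem", "--no-prompt");

    // Trust store: only the issuer certificate.
    manageCertificates("import-certificate",
         "--keystore", trustStorePath, "--keystore-password", new String(storePIN),
         "--keystore-type", "PKCS12", "--alias", "ca-cert",
         "--certificate-file", "cacert.pem", "--no-prompt");

    // SSLUtil's defaults are already reasonable; these static setters show
    // how to pin protocols and suites when policy demands a fixed list.
    SSLUtil.setEnabledSSLProtocols(Arrays.asList("TLSv1.3", "TLSv1.2"));
    SSLUtil.setEnabledSSLCipherSuites(Arrays.asList(
         "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"));

    final SSLUtil sslUtil = new SSLUtil(
         new KeyStoreKeyManager(keyStorePath, storePIN, "PKCS12", "client-cert"),
         new TrustStoreTrustManager(trustStorePath, storePIN, "PKCS12", true));

    // Each pooled connection starts in the clear on port 389, is upgraded
    // with StartTLS by the post-connect processor, and only then performs the
    // EXTERNAL bind, so no LDAP operation runs before the socket is protected.
    try (LDAPConnectionPool pool = new LDAPConnectionPool(
              new SingleServerSet("ldap.example.com", 389),
              new EXTERNALBindRequest(), 1, 10,
              new StartTLSPostConnectProcessor(sslUtil.createSSLContext())))
    {
      System.out.println("Pool ready; available connections: " +
           pool.getCurrentAvailableConnections());
    }
  }
}
```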

sherry442 commented 3 years ago

Just want to confirm whether my understanding is correct.

SSLUtil sslUtil = new SSLUtil(keyStoreManager, trustStoreManager); // Here client provides its certificate to server for validation and client validates server certificates against trustStoreManager

SSLUtil sslUtil = new SSLUtil(keyManager, new TrustAllTrustManager()); // Here client provides its certificates to server for validation but client doesn't validate server certificate.

dirmgr commented 3 years ago

Yes, that is correct. Although I would not recommend using the latter because it increases the potential for the client to be tricked into connecting to an impostor rather than the legitimate server.

sherry442 commented 3 years ago

During the TLS handshake, the Java LDAP client instances must verify the server certificate (validity, signature …) and check the identity presented by the server in the certificate. How do we check the server identity?

Note: We are using startTLS method like below.

            SSLUtil sslUtil = new SSLUtil(keyStoreManager, trustStoreManager);
            SSLContext sslContext = sslUtil.createSSLContext();
            StartTLSExtendedRequest startTLSRequest = new StartTLSExtendedRequest(sslContext);
            ExtendedResult startTLSResult = connection.processExtendedOperation(startTLSRequest);
            if (startTLSResult.getResultCode() != ResultCode.SUCCESS) {
                logger.error("MTLS secure connection failed");
            } else {
                logger.info("Secured the connection");
            }

dirmgr commented 3 years ago

The trust manager is responsible for verifying that the certificate is valid and should be trusted. Since it looks like you're using a trust store trust manager, then that's the component that is responsible for ensuring that the presented certificate chain is valid and signed by a trusted issuer.
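The identity check the question asks about, shown as an added example rather than code from this thread or the SDK project: chain validity is left to the trust store trust manager, and the host-name check is added by combining it with a HostNameTrustManager inside an AggregateTrustManager (both in com.unboundid.util.ssl), with a HostNameSSLSocketVerifier on the connection options as a second, independent check after the handshake. Host, paths and PIN are hypothetical; that the StartTLS request applies the connection's SSL socket verifier is an assumption to confirm against the SDK version in use.

```java
import javax.net.ssl.SSLContext;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.AggregateTrustManager;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.HostNameTrustManager;
import com.unboundid.util.ssl.KeyStoreKeyManager;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

public class ServerIdentityCheckExample
{
  public static void main(final String... args) throws Exception
  {
    // Hypothetical values; replace with your own.
    final String serverAddress  = "ldap.example.com";
    final String keyStorePath   = "client-keystore.p12";
    final String trustStorePath = "truststore.p12";
    final char[] storePIN       = "changeit".toCharArray();

    final KeyStoreKeyManager keyManager = new KeyStoreKeyManager(
         keyStorePath, storePIN, "PKCS12", "client-cert");

    // Chain validity, issuer trust and validity dates: the trust store.
    final TrustStoreTrustManager chainTrust = new TrustStoreTrustManager(
         trustStorePath, storePIN, "PKCS12", true);

    // Identity: the server certificate must name the host we dialled (subject
    // CN or a DNS subjectAltName). allowWildcards=false keeps it strict.
    final HostNameTrustManager identityTrust =
         new HostNameTrustManager(false, serverAddress);

    // requireAllAccepted=true: both managers must accept the chain.
    final SSLUtil sslUtil = new SSLUtil(keyManager,
         new AggregateTrustManager(true, chainTrust, identityTrust));
    final SSLContext sslContext = sslUtil.createSSLContext();

    // Second line of defence: verify the host name again on the negotiated
    // socket, independently of what the trust manager did.
    final LDAPConnectionOptions options = new LDAPConnectionOptions();
    options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(false));

    try (LDAPConnection conn = new LDAPConnection(options, serverAddress, 389))
    {
      // StartTLS upgrades the plain connection; a rejected chain or a
      // host name mismatch surfaces here as an LDAPException.
      final ExtendedResult result = conn.processExtendedOperation(
           new StartTLSExtendedRequest(sslContext));
      if (result.getResultCode() != ResultCode.SUCCESS)
      {
        throw new LDAPException(result);
      }
      System.out.println("Secured the connection with " +
           conn.getSSLSession().getProtocol());
    }
  }
}
```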

sherry442 commented 3 years ago

@dirmgr Thanks for the information.

We have further queries on this topic.

  1. Does the UnboundID library support X.509v3 certificates?
  2. For RSA certificates: a) Which key lengths are supported? Example: 2048. b) Which signature algorithms are supported or not supported? Example: SHA256withRSA.
  3. Does the UnboundID library support the extensions below? keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment; extendedKeyUsage = clientAuth; authorityKeyIdentifier = keyid,issuer; basicConstraints = CA:FALSE
  4. Which ECC certificate curves are supported by the UnboundID library? Example: secp256k1, prime256v1, ...
  5. For ECC certificates, which signature algorithms are supported or not supported?

dirmgr commented 3 years ago

The LDAP SDK doesn't directly implement support for TLS, but rather uses the TLS implementation provided by the underlying JVM. As such, you should consult the documentation for the particular version of Java that you're using.

I can't imagine that any version of Java that the LDAP SDK will run on doesn't support X509v3, RSA keys of at least 2048 and 4096 bits, and all of the extensions that you referenced.

For the algorithms, you should be able to determine some of this programmatically by getting the list of Provider instances and looking at the Service instances that each one supports. Here's a sample program that can do that:

import java.security.Provider;
import java.security.Security;

public class ListJavaProviderServices
{
  public static void main(final String... args)
         throws Exception
  {
    for (final Provider provider : Security.getProviders())
    {
      System.out.println("Provider:  " + provider.getName() + " (" +
           provider.getClass().getName() + ")");
      for (final Provider.Service service : provider.getServices())
      {
        System.out.println("     Type=" + service.getType() + ", Algorithm=" +
             service.getAlgorithm());
      }

      System.out.println();
    }
  }
}

And here's the output that I get when running on Java 16 with the Azul Zulu JVM:

Provider:  SUN (sun.security.provider.Sun)
     Type=MessageDigest, Algorithm=SHA3-224
     Type=Signature, Algorithm=NONEwithDSA
     Type=KeyFactory, Algorithm=DSA
     Type=Configuration, Algorithm=JavaLoginConfig
     Type=Signature, Algorithm=SHA3-512withDSA
     Type=MessageDigest, Algorithm=SHA3-384
     Type=MessageDigest, Algorithm=SHA3-256
     Type=Signature, Algorithm=SHA1withDSA
     Type=Signature, Algorithm=SHA512withDSA
     Type=CertificateFactory, Algorithm=X.509
     Type=MessageDigest, Algorithm=SHA-1
     Type=KeyStore, Algorithm=CaseExactJKS
     Type=MessageDigest, Algorithm=SHA-512/256
     Type=KeyStore, Algorithm=DKS
     Type=Signature, Algorithm=SHA3-384withDSA
     Type=AlgorithmParameters, Algorithm=DSA
     Type=CertStore, Algorithm=Collection
     Type=Signature, Algorithm=SHA3-224withDSA
     Type=Signature, Algorithm=SHA3-256withDSA
     Type=Signature, Algorithm=SHA384withDSA
     Type=Signature, Algorithm=SHA384withDSAinP1363Format
     Type=Signature, Algorithm=SHA224withDSA
     Type=MessageDigest, Algorithm=SHA-384
     Type=Signature, Algorithm=SHA256withDSA
     Type=MessageDigest, Algorithm=SHA-256
     Type=MessageDigest, Algorithm=SHA-512/224
     Type=MessageDigest, Algorithm=SHA-224
     Type=MessageDigest, Algorithm=SHA-512
     Type=MessageDigest, Algorithm=MD5
     Type=CertPathBuilder, Algorithm=PKIX
     Type=KeyPairGenerator, Algorithm=DSA
     Type=MessageDigest, Algorithm=MD2
     Type=AlgorithmParameterGenerator, Algorithm=DSA
     Type=SecureRandom, Algorithm=SHA1PRNG
     Type=Signature, Algorithm=NONEwithDSAinP1363Format
     Type=Signature, Algorithm=SHA3-512withDSAinP1363Format
     Type=Signature, Algorithm=SHA256withDSAinP1363Format
     Type=Signature, Algorithm=SHA3-224withDSAinP1363Format
     Type=SecureRandom, Algorithm=NativePRNGNonBlocking
     Type=KeyStore, Algorithm=PKCS12
     Type=Signature, Algorithm=SHA224withDSAinP1363Format
     Type=SecureRandom, Algorithm=DRBG
     Type=SecureRandom, Algorithm=NativePRNGBlocking
     Type=MessageDigest, Algorithm=SHA3-512
     Type=CertStore, Algorithm=com.sun.security.IndexedCollection
     Type=Policy, Algorithm=JavaPolicy
     Type=KeyStore, Algorithm=JKS
     Type=Signature, Algorithm=SHA3-384withDSAinP1363Format
     Type=CertPathValidator, Algorithm=PKIX
     Type=Signature, Algorithm=SHA512withDSAinP1363Format
     Type=Signature, Algorithm=SHA3-256withDSAinP1363Format
     Type=Signature, Algorithm=SHA1withDSAinP1363Format
     Type=SecureRandom, Algorithm=NativePRNG

Provider:  SunRsaSign (sun.security.rsa.SunRsaSign)
     Type=KeyFactory, Algorithm=RSA
     Type=KeyPairGenerator, Algorithm=RSA
     Type=KeyFactory, Algorithm=RSASSA-PSS
     Type=Signature, Algorithm=SHA256withRSA
     Type=KeyPairGenerator, Algorithm=RSASSA-PSS
     Type=Signature, Algorithm=SHA1withRSA
     Type=Signature, Algorithm=SHA3-384withRSA
     Type=Signature, Algorithm=SHA3-256withRSA
     Type=Signature, Algorithm=SHA3-512withRSA
     Type=Signature, Algorithm=SHA3-224withRSA
     Type=Signature, Algorithm=MD2withRSA
     Type=Signature, Algorithm=RSASSA-PSS
     Type=Signature, Algorithm=MD5withRSA
     Type=Signature, Algorithm=SHA512withRSA
     Type=Signature, Algorithm=SHA512/224withRSA
     Type=Signature, Algorithm=SHA224withRSA
     Type=Signature, Algorithm=SHA384withRSA
     Type=Signature, Algorithm=SHA512/256withRSA
     Type=AlgorithmParameters, Algorithm=RSASSA-PSS

Provider:  SunEC (sun.security.ec.SunEC)
     Type=Signature, Algorithm=SHA3-384withECDSA
     Type=KeyPairGenerator, Algorithm=Ed448
     Type=Signature, Algorithm=SHA3-224withECDSA
     Type=KeyPairGenerator, Algorithm=Ed25519
     Type=KeyFactory, Algorithm=Ed25519
     Type=Signature, Algorithm=SHA224withECDSA
     Type=Signature, Algorithm=SHA512withECDSA
     Type=Signature, Algorithm=NONEwithECDSAinP1363Format
     Type=Signature, Algorithm=Ed448
     Type=Signature, Algorithm=SHA384withECDSA
     Type=Signature, Algorithm=SHA3-384withECDSAinP1363Format
     Type=Signature, Algorithm=NONEwithECDSA
     Type=Signature, Algorithm=SHA3-224withECDSAinP1363Format
     Type=Signature, Algorithm=SHA256withECDSA
     Type=Signature, Algorithm=SHA3-512withECDSA
     Type=KeyAgreement, Algorithm=XDH
     Type=Signature, Algorithm=SHA3-256withECDSA
     Type=KeyFactory, Algorithm=XDH
     Type=KeyFactory, Algorithm=Ed448
     Type=Signature, Algorithm=Ed25519
     Type=KeyPairGenerator, Algorithm=X448
     Type=Signature, Algorithm=SHA3-512withECDSAinP1363Format
     Type=Signature, Algorithm=SHA384withECDSAinP1363Format
     Type=Signature, Algorithm=SHA512withECDSAinP1363Format
     Type=Signature, Algorithm=SHA1withECDSA
     Type=KeyPairGenerator, Algorithm=X25519
     Type=KeyPairGenerator, Algorithm=EC
     Type=KeyAgreement, Algorithm=ECDH
     Type=Signature, Algorithm=SHA1withECDSAinP1363Format
     Type=KeyAgreement, Algorithm=X448
     Type=KeyAgreement, Algorithm=X25519
     Type=KeyFactory, Algorithm=X25519
     Type=KeyFactory, Algorithm=EC
     Type=KeyFactory, Algorithm=X448
     Type=AlgorithmParameters, Algorithm=EC
     Type=Signature, Algorithm=EdDSA
     Type=Signature, Algorithm=SHA224withECDSAinP1363Format
     Type=KeyPairGenerator, Algorithm=EdDSA
     Type=Signature, Algorithm=SHA256withECDSAinP1363Format
     Type=Signature, Algorithm=SHA3-256withECDSAinP1363Format
     Type=KeyPairGenerator, Algorithm=XDH
     Type=KeyFactory, Algorithm=EdDSA

Provider:  SunJSSE (sun.security.ssl.SunJSSE)
     Type=SSLContext, Algorithm=TLSv1
     Type=SSLContext, Algorithm=DTLSv1.2
     Type=TrustManagerFactory, Algorithm=PKIX
     Type=KeyManagerFactory, Algorithm=NewSunX509
     Type=SSLContext, Algorithm=DTLS
     Type=SSLContext, Algorithm=DTLSv1.0
     Type=SSLContext, Algorithm=TLS
     Type=SSLContext, Algorithm=Default
     Type=SSLContext, Algorithm=TLSv1.1
     Type=Signature, Algorithm=MD5andSHA1withRSA
     Type=KeyStore, Algorithm=PKCS12
     Type=SSLContext, Algorithm=TLSv1.3
     Type=TrustManagerFactory, Algorithm=SunX509
     Type=SSLContext, Algorithm=TLSv1.2
     Type=KeyManagerFactory, Algorithm=SunX509

Provider:  SunJCE (com.sun.crypto.provider.SunJCE)
     Type=Cipher, Algorithm=AES_192/CBC/NoPadding
     Type=Cipher, Algorithm=AES_192/OFB/NoPadding
     Type=SecretKeyFactory, Algorithm=PBEWithSHA1AndDESede
     Type=Cipher, Algorithm=AES_192/CFB/NoPadding
     Type=SecretKeyFactory, Algorithm=PBEWithSHA1AndRC2_40
     Type=Mac, Algorithm=HmacSHA3-256
     Type=Cipher, Algorithm=AESWrap_192
     Type=SecretKeyFactory, Algorithm=PBEWithSHA1AndRC2_128
     Type=Cipher, Algorithm=PBEWithHmacSHA224AndAES_256
     Type=KeyPairGenerator, Algorithm=DiffieHellman
     Type=Cipher, Algorithm=AES_192/ECB/NoPadding
     Type=SecretKeyFactory, Algorithm=PBKDF2WithHmacSHA1
     Type=KeyGenerator, Algorithm=HmacSHA384
     Type=KeyGenerator, Algorithm=SunTlsKeyMaterial
     Type=Cipher, Algorithm=AES_192/GCM/NoPadding
     Type=KeyAgreement, Algorithm=DiffieHellman
     Type=AlgorithmParameters, Algorithm=PBEWithMD5AndDES
     Type=SecretKeyFactory, Algorithm=PBEWithMD5AndDES
     Type=Mac, Algorithm=PBEWithHmacSHA512
     Type=Cipher, Algorithm=ChaCha20-Poly1305
     Type=Cipher, Algorithm=PBEWithHmacSHA384AndAES_128
     Type=Cipher, Algorithm=AES_128/ECB/NoPadding
     Type=KeyGenerator, Algorithm=AES
     Type=Cipher, Algorithm=AES_128/OFB/NoPadding
     Type=KeyGenerator, Algorithm=SunTlsMasterSecret
     Type=Cipher, Algorithm=AES_128/CBC/NoPadding
     Type=Cipher, Algorithm=AESWrap_128
     Type=Cipher, Algorithm=AES_128/CFB/NoPadding
     Type=SecretKeyFactory, Algorithm=PBKDF2WithHmacSHA512
     Type=Cipher, Algorithm=AES_128/GCM/NoPadding
     Type=KeyGenerator, Algorithm=SunTlsRsaPremasterSecret
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA224AndAES_128
     Type=Mac, Algorithm=HmacPBESHA512
     Type=KeyGenerator, Algorithm=HmacSHA256
     Type=Mac, Algorithm=HmacSHA3-384
     Type=Cipher, Algorithm=AES_256/GCM/NoPadding
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA384AndAES_128
     Type=AlgorithmParameters, Algorithm=DESede
     Type=Mac, Algorithm=HmacSHA512/224
     Type=KeyGenerator, Algorithm=ARCFOUR
     Type=KeyGenerator, Algorithm=HmacSHA512/224
     Type=AlgorithmParameters, Algorithm=PBES2
     Type=SecretKeyFactory, Algorithm=PBEWithSHA1AndRC4_40
     Type=SecretKeyFactory, Algorithm=PBEWithSHA1AndRC4_128
     Type=Cipher, Algorithm=AES_256/CFB/NoPadding
     Type=Cipher, Algorithm=AESWrap_256
     Type=KeyGenerator, Algorithm=DES
     Type=Cipher, Algorithm=PBEWithMD5AndDES
     Type=Mac, Algorithm=HmacSHA3-224
     Type=Cipher, Algorithm=AES_256/ECB/NoPadding
     Type=Cipher, Algorithm=AES_256/CBC/NoPadding
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA224AndAES_256
     Type=Cipher, Algorithm=AES_256/OFB/NoPadding
     Type=AlgorithmParameters, Algorithm=AES
     Type=Mac, Algorithm=HmacSHA3-512
     Type=KeyGenerator, Algorithm=HmacSHA512/256
     Type=Mac, Algorithm=HmacSHA512/256
     Type=KeyGenerator, Algorithm=HmacSHA3-224
     Type=Cipher, Algorithm=DESedeWrap
     Type=AlgorithmParameters, Algorithm=DiffieHellman
     Type=Cipher, Algorithm=PBEWithHmacSHA224AndAES_128
     Type=AlgorithmParameters, Algorithm=PBEWithSHA1AndRC2_128
     Type=Mac, Algorithm=HmacPBESHA512/224
     Type=KeyGenerator, Algorithm=DESede
     Type=Cipher, Algorithm=AES
     Type=KeyGenerator, Algorithm=HmacSHA1
     Type=KeyGenerator, Algorithm=HmacSHA224
     Type=Mac, Algorithm=HmacSHA1
     Type=Mac, Algorithm=HmacSHA224
     Type=Mac, Algorithm=HmacSHA256
     Type=KeyGenerator, Algorithm=HmacSHA3-384
     Type=KeyGenerator, Algorithm=HmacSHA3-512
     Type=KeyGenerator, Algorithm=HmacSHA3-256
     Type=Cipher, Algorithm=ChaCha20
     Type=Mac, Algorithm=HmacPBESHA1
     Type=KeyFactory, Algorithm=DiffieHellman
     Type=AlgorithmParameters, Algorithm=PBEWithSHA1AndRC4_40
     Type=AlgorithmParameters, Algorithm=ChaCha20-Poly1305
     Type=AlgorithmParameterGenerator, Algorithm=DiffieHellman
     Type=Mac, Algorithm=SslMacMD5
     Type=Cipher, Algorithm=DESede
     Type=Cipher, Algorithm=PBEWithHmacSHA512AndAES_128
     Type=AlgorithmParameters, Algorithm=OAEP
     Type=AlgorithmParameters, Algorithm=DES
     Type=SecretKeyFactory, Algorithm=PBEWithMD5AndTripleDES
     Type=Cipher, Algorithm=PBEWithSHA1AndRC2_128
     Type=Cipher, Algorithm=PBEWithSHA1AndRC2_40
     Type=Cipher, Algorithm=PBEWithSHA1AndDESede
     Type=Cipher, Algorithm=PBEWithSHA1AndRC4_128
     Type=Cipher, Algorithm=PBEWithSHA1AndRC4_40
     Type=KeyGenerator, Algorithm=HmacSHA512
     Type=Mac, Algorithm=PBEWithHmacSHA384
     Type=SecretKeyFactory, Algorithm=PBKDF2WithHmacSHA384
     Type=Mac, Algorithm=PBEWithHmacSHA1
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA224AndAES_256
     Type=Cipher, Algorithm=PBEWithHmacSHA512AndAES_256
     Type=Cipher, Algorithm=ARCFOUR
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA224AndAES_128
     Type=AlgorithmParameters, Algorithm=PBEWithSHA1AndDESede
     Type=Mac, Algorithm=HmacSHA384
     Type=Mac, Algorithm=HmacSHA512
     Type=Mac, Algorithm=HmacPBESHA512/256
     Type=Cipher, Algorithm=PBEWithHmacSHA256AndAES_256
     Type=AlgorithmParameters, Algorithm=RC2
     Type=AlgorithmParameters, Algorithm=PBEWithSHA1AndRC4_128
     Type=Mac, Algorithm=HmacPBESHA384
     Type=Cipher, Algorithm=AESWrap
     Type=SecretKeyFactory, Algorithm=PBKDF2WithHmacSHA256
     Type=Cipher, Algorithm=RSA
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA384AndAES_256
     Type=Cipher, Algorithm=RC2
     Type=AlgorithmParameters, Algorithm=PBEWithSHA1AndRC2_40
     Type=Cipher, Algorithm=PBEWithHmacSHA256AndAES_128
     Type=Mac, Algorithm=HmacPBESHA256
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA256AndAES_256
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA256AndAES_128
     Type=Cipher, Algorithm=PBEWithHmacSHA1AndAES_128
     Type=Cipher, Algorithm=DES
     Type=Mac, Algorithm=SslMacSHA1
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA256AndAES_128
     Type=Mac, Algorithm=PBEWithHmacSHA224
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA256AndAES_256
     Type=Cipher, Algorithm=PBEWithMD5AndTripleDES
     Type=SecretKeyFactory, Algorithm=PBKDF2WithHmacSHA224
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA1AndAES_128
     Type=KeyGenerator, Algorithm=SunTls12Prf
     Type=KeyGenerator, Algorithm=Blowfish
     Type=Mac, Algorithm=HmacPBESHA224
     Type=Mac, Algorithm=PBEWithHmacSHA256
     Type=KeyGenerator, Algorithm=HmacMD5
     Type=Mac, Algorithm=HmacMD5
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA1AndAES_256
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA512AndAES_128
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA1AndAES_128
     Type=SecretKeyFactory, Algorithm=DES
     Type=Cipher, Algorithm=PBEWithHmacSHA1AndAES_256
     Type=SecretKeyFactory, Algorithm=DESede
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA512AndAES_256
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA1AndAES_256
     Type=KeyGenerator, Algorithm=SunTlsPrf
     Type=KeyGenerator, Algorithm=RC2
     Type=KeyStore, Algorithm=JCEKS
     Type=AlgorithmParameters, Algorithm=GCM
     Type=AlgorithmParameters, Algorithm=Blowfish
     Type=KeyGenerator, Algorithm=ChaCha20
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA384AndAES_256
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA512AndAES_128
     Type=SecretKeyFactory, Algorithm=PBEWithHmacSHA512AndAES_256
     Type=AlgorithmParameters, Algorithm=PBEWithHmacSHA384AndAES_128
     Type=AlgorithmParameters, Algorithm=PBEWithMD5AndTripleDES
     Type=Cipher, Algorithm=Blowfish
     Type=Cipher, Algorithm=PBEWithHmacSHA384AndAES_256

Provider:  SunJGSS (sun.security.jgss.SunProvider)
     Type=GssApiMechanism, Algorithm=1.2.840.113554.1.2.2
     Type=GssApiMechanism, Algorithm=1.3.6.1.5.5.2

Provider:  SunSASL (com.sun.security.sasl.Provider)
     Type=SaslClientFactory, Algorithm=DIGEST-MD5
     Type=SaslServerFactory, Algorithm=DIGEST-MD5
     Type=SaslClientFactory, Algorithm=EXTERNAL
     Type=SaslClientFactory, Algorithm=NTLM
     Type=SaslServerFactory, Algorithm=NTLM
     Type=SaslClientFactory, Algorithm=PLAIN
     Type=SaslClientFactory, Algorithm=CRAM-MD5
     Type=SaslServerFactory, Algorithm=CRAM-MD5

Provider:  XMLDSig (org.jcp.xml.dsig.internal.dom.XMLDSigRI)
     Type=TransformService, Algorithm=http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
     Type=TransformService, Algorithm=http://www.w3.org/2000/09/xmldsig#enveloped-signature
     Type=TransformService, Algorithm=http://www.w3.org/2001/10/xml-exc-c14n#WithComments
     Type=TransformService, Algorithm=http://www.w3.org/2001/10/xml-exc-c14n#
     Type=TransformService, Algorithm=http://www.w3.org/2002/06/xmldsig-filter2
     Type=TransformService, Algorithm=http://www.w3.org/TR/1999/REC-xslt-19991116
     Type=TransformService, Algorithm=http://www.w3.org/2006/12/xml-c14n11
     Type=TransformService, Algorithm=http://www.w3.org/TR/1999/REC-xpath-19991116
     Type=KeyInfoFactory, Algorithm=DOM
     Type=TransformService, Algorithm=http://www.w3.org/2000/09/xmldsig#base64
     Type=TransformService, Algorithm=http://www.w3.org/2006/12/xml-c14n11#WithComments
     Type=XMLSignatureFactory, Algorithm=DOM
     Type=TransformService, Algorithm=http://www.w3.org/TR/2001/REC-xml-c14n-20010315

Provider:  SunPCSC (sun.security.smartcardio.SunPCSC)
     Type=TerminalFactory, Algorithm=PC/SC

Provider:  JdkLDAP (sun.security.provider.certpath.ldap.JdkLDAP)
     Type=CertStore, Algorithm=LDAP

Provider:  JdkSASL (com.sun.security.sasl.gsskerb.JdkSASL)
     Type=SaslClientFactory, Algorithm=GSSAPI
     Type=SaslServerFactory, Algorithm=GSSAPI

Provider:  SunPKCS11 (sun.security.pkcs11.SunPKCS11)
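The listing above shows signature algorithms but not the named curves asked about in query 4, nor the protocol and cipher suite defaults the earlier question raised. This added example (not code from the thread or the SDK project) pulls both out of the JVM: the curve list comes from the "SupportedCurves" attribute that the SunEC provider attaches to its AlgorithmParameters.EC service, which is an assumption about OpenJDK-derived JVMs that other providers may not honour, and the TLS defaults come from the default SSLContext.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class ListTlsCapabilities
{
  public static void main(final String... args) throws Exception
  {
    // Named curves: SunEC publishes them as the "SupportedCurves" attribute
    // of its AlgorithmParameters.EC service (assumption: OpenJDK-derived JVM;
    // a third-party provider may register the service without the attribute).
    final Provider[] ecProviders =
         Security.getProviders("AlgorithmParameters.EC");
    if (ecProviders == null)
    {
      System.out.println("No installed provider offers EC parameters");
    }
    else
    {
      for (final Provider p : ecProviders)
      {
        final Provider.Service s = p.getService("AlgorithmParameters", "EC");
        final String curves = s.getAttribute("SupportedCurves");
        System.out.println("Curves from " + p.getName() + ':');
        if (curves != null)
        {
          // The attribute is a '|'-separated list of [name,OID] entries.
          for (final String c : curves.split("\\|"))
          {
            System.out.println("  " + c);
          }
        }
      }
    }

    // The JVM's own TLS defaults: the baseline the LDAP SDK's SSLUtil works
    // from when choosing its enabled protocols and cipher suites.
    final SSLParameters params =
         SSLContext.getDefault().getDefaultSSLParameters();
    System.out.println("Default protocols: " +
         Arrays.toString(params.getProtocols()));
    System.out.println("Default cipher suites:");
    for (final String suite : params.getCipherSuites())
    {
      System.out.println("  " + suite);
    }
  }
}
```

Comparing the printed suites against what SSLUtil.getEnabledSSLCipherSuites reports on the same JVM shows exactly which suites the SDK's defaults trim away.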