Conscrypt's Capabilities
========================================

Conscrypt is relatively selective in choosing the set of primitives to provide, focusing
on the most important and widely-used algorithms.  Following is a list of JCA algorithm names
and other identifiers that are supported by Conscrypt.

## TLS

### Protocol Versions

* `SSLv3` (ignored)
* `TLSv1`
* `TLSv1.1`
* `TLSv1.2`
* `TLSv1.3`

Conscrypt supports TLS v1.0-1.3.  For backwards compatibility it will accept
`SSLv3` in calls to methods like
[`setEnabledProtocols()`](https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLSocket.html#setEnabledProtocols-java.lang.String:A-)
but will ignore it.

### SSLContext

* `Default`
* `SSL`
* `TLS`
* `TLSv1`
* `TLSv1.1`
* `TLSv1.2`
* `TLSv1.3`

Conscrypt provides the above set of SSLContext algorithm names for JSSE
purposes, including the special value `Default`, which is used to determine the
value of
[`SSLContext.getDefault()`](https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html#getDefault--).
The `Default`, `SSL`, `TLS`, and `TLSv1.3` values return a context where TLS
v1.0-1.3 are all enabled; the others return a context with TLS v1.0-1.2 enabled.

### Cipher Suites

#### Enabled
* TLS 1.0-1.2
  * `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
  * `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
  * `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
  * `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
  * `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
  * `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
  * `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
  * `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
  * `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
  * `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
  * `TLS_RSA_WITH_AES_128_CBC_SHA`
  * `TLS_RSA_WITH_AES_128_GCM_SHA256`
  * `TLS_RSA_WITH_AES_256_CBC_SHA`
  * `TLS_RSA_WITH_AES_256_GCM_SHA384`
* TLS 1.3
  * `TLS_AES_128_GCM_SHA256`
  * `TLS_AES_256_GCM_SHA384`
  * `TLS_CHACHA20_POLY1305_SHA256`

The above cipher suites are enabled by default when the associated version of
the protocol is enabled.  The TLS 1.3 cipher suites cannot be customized; they
are always enabled when TLS 1.3 is enabled, and any attempt to disable them via
a call to
[`setEnabledCipherSuites()`](https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites-java.lang.String:A-)
is ignored.

#### Supported But Not Enabled
* TLS 1.0-1.2
  * `SSL_RSA_WITH_3DES_EDE_CBC_SHA`
  * `TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA`
  * `TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA`
  * `TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256`
  * `TLS_PSK_WITH_AES_128_CBC_SHA`
  * `TLS_PSK_WITH_AES_256_CBC_SHA`

The above cipher suites are supported, but not enabled by default.  TLS 1.3
cipher suites cannot be customized, so there are no cipher suites that are
supported but not enabled.
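
Every `SSLContext` name above enables TLS 1.0 and 1.1, and the default suite list includes CBC and static-RSA suites, so a caller that wants only TLS 1.2+ with ECDHE and an AEAD cipher has to narrow both lists itself. The following is an added example, not Conscrypt's own code; the class and method names are hypothetical, and it uses the JVM's highest-priority JSSE provider unless a Conscrypt `Provider` is passed to `getInstance()`.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Stream;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsNarrowing {
    // Protocol versions to keep, taken from the "Protocol Versions" list.
    private static final List<String> PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.3");

    // A TLS 1.0-1.2 suite is kept only if it pairs ECDHE key exchange with an AEAD cipher.
    static boolean isForwardSecretAead(String suite) {
        return suite.startsWith("TLS_ECDHE_")
                && (suite.contains("_GCM_") || suite.contains("_CHACHA20_POLY1305_"));
    }

    // The three TLS 1.3 suites from the "Enabled" list; their names carry no key exchange.
    static boolean isTls13Suite(String suite) {
        return suite.equals("TLS_AES_128_GCM_SHA256")
                || suite.equals("TLS_AES_256_GCM_SHA384")
                || suite.equals("TLS_CHACHA20_POLY1305_SHA256");
    }

    // Filters what the provider already offers, so no unsupported name is ever passed in.
    static SSLEngine narrowedEngine(SSLContext context) {
        SSLEngine engine = context.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(Stream.of(engine.getSupportedProtocols())
                .filter(PROTOCOLS::contains).toArray(String[]::new));
        params.setCipherSuites(Stream.of(engine.getEnabledCipherSuites())
                .filter(s -> isTls13Suite(s) || isForwardSecretAead(s))
                .toArray(String[]::new));
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: default provider; pass a Conscrypt Provider as the second
        // getInstance() argument to exercise Conscrypt instead.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);
        SSLEngine engine = narrowedEngine(context);
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
        for (String suite : engine.getEnabledCipherSuites()) {
            System.out.println(suite);
        }
    }
}
```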

## Cryptography

### Cipher

* `AES/CBC/NoPadding`
* `AES/CBC/PKCS5Padding`
* `AES/CTR/NoPadding`
* `AES/ECB/NoPadding`
* `AES/ECB/PKCS5Padding`

AES with 128, 192, or 256-bit keys.

* `AES/GCM/NoPadding`

AES/GCM with 128 or 256-bit keys.

* `AES_128/CBC/NoPadding`
* `AES_128/CBC/PKCS5Padding`
* `AES_128/ECB/NoPadding`
* `AES_128/ECB/PKCS5Padding`
* `AES_128/GCM/NoPadding`
* `AES_256/CBC/NoPadding`
* `AES_256/CBC/PKCS5Padding`
* `AES_256/ECB/NoPadding`
* `AES_256/ECB/PKCS5Padding`
* `AES_256/GCM/NoPadding`

Key-restricted versions of the AES ciphers.

* `ARC4`

The RC4 stream cipher.

* `ChaCha20/NONE/NoPadding`
* `ChaCha20/Poly1305/NoPadding`

ChaCha with 20 rounds, 96-bit nonce, and 32-bit counter as described in
[RFC 7539](https://tools.ietf.org/html/rfc7539), either with or without a Poly1305 AEAD
authenticator.

* `DESEDE/CBC/NoPadding`
* `DESEDE/CBC/PKCS5Padding`

Triple DES with either two or three intermediate keys.

* `RSA/ECB/NoPadding`
* `RSA/ECB/OAEPPadding`
* `RSA/ECB/OAEPWithSHA-1AndMGF1Padding`
* `RSA/ECB/OAEPWithSHA-224AndMGF1Padding`
* `RSA/ECB/OAEPWithSHA-256AndMGF1Padding`
* `RSA/ECB/OAEPWithSHA-384AndMGF1Padding`
* `RSA/ECB/OAEPWithSHA-512AndMGF1Padding`
* `RSA/ECB/PKCS1Padding`

Conscrypt's OAEP ciphers (e.g., `RSA/ECB/OAEPWithSHA-256AndMGF1Padding`) use the named digest for
both the main digest and the MGF1 digest.  This differs from the behavior of some other
providers, including the ones bundled with OpenJDK, which always use SHA-1 for the MGF1 digest.
For maximum compatibility, you should use `RSA/ECB/OAEPPadding` and initialize it with an
[`OAEPParameterSpec`](https://docs.oracle.com/javase/9/docs/api/javax/crypto/spec/OAEPParameterSpec.html).
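
The recommendation above as an added example (not Conscrypt's own code; class and method names are hypothetical): both digests are pinned with an explicit `OAEPParameterSpec`, and the same ciphertext is then offered to the named transformation. `decryptsWithNamedTransformation()` returns `false` on a provider that defaults MGF1 to SHA-1, as described above for the OpenJDK providers, and `true` where the named digest is used for both.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepInterop {
    // Both digests stated explicitly: SHA-256 for the main digest and for MGF1.
    static final OAEPParameterSpec SHA256_BOTH = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    static byte[] encrypt(KeyPair kp, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic(), SHA256_BOTH);
        return c.doFinal(plaintext);
    }

    static byte[] decryptExplicit(KeyPair kp, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate(), SHA256_BOTH);
        return c.doFinal(ciphertext);
    }

    // Leaves the MGF1 digest to whatever the provider picks for the named transformation.
    static boolean decryptsWithNamedTransformation(KeyPair kp, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        try {
            c.doFinal(ct);
            return true;
        } catch (BadPaddingException e) {
            return false;  // provider's MGF1 digest differs from the sender's
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        // Constructed sample plaintext.
        byte[] ct = encrypt(kp, "constructed sample".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decryptExplicit(kp, ct), StandardCharsets.UTF_8));
        System.out.println("named transformation decrypts: "
                + decryptsWithNamedTransformation(kp, ct));
    }
}
```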

### AlgorithmParameters
* `AES`
* `ChaCha20`
* `DESEDE`
* `EC`
* `GCM`
* `OAEP`
* `PSS`

Conscrypt's EC AlgorithmParameters implementation only supports named curves.

### CertificateFactory
* `X509`

### KeyAgreement
* `ECDH`

### KeyFactory
* `EC`
* `RSA`

### KeyGenerator
* `AES`
* `ARC4`
* `ChaCha20`
* `DESEDE`
* `HmacMD5`
* `HmacSHA1`
* `HmacSHA224`
* `HmacSHA256`
* `HmacSHA384`
* `HmacSHA512`

### KeyPairGenerator
* `EC`
* `RSA`

### Mac
* `HmacMD5`
* `HmacSHA1`
* `HmacSHA224`
* `HmacSHA256`
* `HmacSHA384`
* `HmacSHA512`

### MessageDigest
* `MD5`
* `SHA-1`
* `SHA-224`
* `SHA-256`
* `SHA-384`
* `SHA-512`

### SecretKeyFactory
* `DESEDE`

### SecureRandom
* `SHA1PRNG`

### Signature
* `MD5withRSA`
* `NONEwithECDSA`
* `NONEwithRSA`
* `SHA1withRSA`
* `SHA1withECDSA`
* `SHA1withRSA/PSS`
* `SHA224withRSA`
* `SHA224withECDSA`
* `SHA224withRSA/PSS`
* `SHA256withRSA`
* `SHA256withECDSA`
* `SHA256withRSA/PSS`
* `SHA384withRSA`
* `SHA384withECDSA`
* `SHA384withRSA/PSS`
* `SHA512withRSA`
* `SHA512withECDSA`
* `SHA512withRSA/PSS`

### Elliptic Curves

Conscrypt supports the following curves:

* secp224r1
* prime256v1 (aka secp256r1)
* secp384r1
* secp521r1
