Setup Unlimited Strength Jurisdiction Policy Files - Yash-777/Java_Mail GitHub Wiki
Setup Unlimited Strength Jurisdiction Policy Files baeldung.com
The standard Java installation is limited in terms of strength for cryptographic functions, this is due to policies prohibiting the use of a key with a size that exceeds certain values e.g. 128 for AES.
To overcome this limitation, we need to configure the unlimited strength jurisdiction policy files.
In order to do that, we first need to download the package by following this link. Afterwards, we need to extract the zipped file into a directory of our choice – which contains two jar files:
- local_policy.jar
- US_export_policy.jar
Finally, we need to look for the {JAVA_HOME}/lib/security folder and replace the existing policy files with the ones that we’ve extracted here.
Note that in Java 9, we no longer need to download the policy files package, setting the crypto.policy property to unlimited is enough:
Security.setProperty("crypto.policy", "unlimited");Once done, we need to check that the configuration is working correctly:
int maxKeySize = javax.crypto.Cipher.getMaxAllowedKeyLength("AES");
System.out.println("Max Key Size for AES : " + maxKeySize);As a result:
Max Key Size for AES : 2147483647
Based on the maximum key size returned by the getMaxAllowedKeyLength() method, we can safely say that the unlimited strength policy files have been installed correctly.
If the returned value is equal to 128, we need to make sure that we’ve installed the files into the JVM where we’re running the code.
import java.security.*;
import javax.servlet.*;
import org.apache.commons.logging.*;
/**
* Installs BouncyCastle SSL and JSSE upon startup of the Web-Application.
* <p>
* Note that this class will not remove BC classes upon contextDestroyed as
* other Web-Applications might use them as well.
* </p>
* @author yashwanth
*/
public class BouncyCastleListener implements ServletContextListener {
private final static Log log = LogFactory.getLog(BouncyCastleListener.class);
public void contextInitialized(ServletContextEvent event) {
String name = event.getServletContext( ).getServletContextName( );
//log request of the INFO level
log.info("ServletContext shut down: " + (name == null ? "" : name ));
log.info("Web-App Class loader : Adding BouncyCastle provider at server start up.");
addBCProvider();
}
public void addBCProvider() {
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
// java.security.NoSuchProviderException: no such provider: BC
/*if (Security.getProvider(org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME) == null) {
log.info("JVM Installing BouncyCastle Security Providers to the Runtime");
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
} else {
log.info("JVM Installed with BouncyCastle Security Providers");
}*/
configure_JCE_UnlimitedStrength();
// List of providers and their preference orders () security.provider.<n>=<className>
Provider[] pArr = Security.getProviders();
int i = 0;
for (Provider p : pArr) {
log.info((i++) + " - provider ::" + p.getName());
System.out.println((i++) + " - provider ::" + p.getName());
}
}
/*
Cryptographic Jurisdiction Policy defaults [<java-home>/lib/security/java.security]
#
# Import and export control rules on cryptographic software vary from
# country to country. By default, the JDK provides two different sets of cryptographic policy files:
#
# unlimited: These policy files contain no restrictions on cryptographic strengths or algorithms.
#
# limited: These policy files contain more restricted cryptographic
# strengths, and are still available if your country or
# usage requires the traditional restrictive policy.
If the "crypto.policy" property is not set and the traditional
# US_export_policy.jar and local_policy.jar files
# (e.g. limited/unlimited) are found in the legacy
# <java-home>/lib/security directory, then the rules embedded within
# those jar files will be used. This helps preserve compatibility
# for users upgrading from an older installation.
# 3. If the jar files are not present in the legacy location
# and the "crypto.policy" Security property is not defined,
# then the JDK will use the unlimited settings (equivalent to
# crypto.policy=unlimited)
*/
public void configure_JCE_UnlimitedStrength() {
log.info("Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files");
try {
int maxKeySize = javax.crypto.Cipher.getMaxAllowedKeyLength("AES");
log.info("Max Key Size for AES : " + maxKeySize); // Default-128
if (maxKeySize == 128) { // For java versio less than 9
log.info("Link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html");
log.info("Download these jars(local_policy.jar,US_export_policy.jar) and replace in {JAVA_HOME}/lib/security.");
}
Security.setProperty("crypto.policy", "unlimited");
} catch (java.security.NoSuchAlgorithmException e) {
e.printStackTrace();
}
}
public void contextDestroyed(ServletContextEvent event) {
}
}Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files UnlimitedJCEPolicyJDK8C:\Softwares\JDK\jdk1.8.0_121\jre\lib\security
we need to extract the zipped file into a directory of our choice – which contains two jar files: local_policy.jar, US_export_policy.jar
Finally, we need to look for the {JAVA_HOME}/lib/security folder and replace the existing policy files with the ones that we’ve extracted here.
Java KeyStores (
*.jks, *.keystore, *.jceks, *.ks) PKCS #12 Keystores (*.pfx, *.p12) Bouncy Castle Keystores (*.bks, *.uber)
Baeldung.com Preparing Certificate And Private Key Baeldung.cer, Baeldung.p12 (password = “password”)
Symmetric Key encryption: The private keys and corresponding certificates are stored in files ending with ".p12". These are PKCS12 files with password
passwd.
KeyStore Explorer
github KeyStore Explorer is an open-source GUI replacement for the Java command-line utilities keytool and jarsigner.