
local_policy.jar and US_export_policy.jar different with Unlimited Strength Vs Default.

Tags: java, linux, jce

In the Java platform documentation, http://www.oracle.com/technetwork/java/javase/jrereadme-182762.html, regarding the comment about

/lib/security/local_policy.jar
/lib/security/US_export_policy.jar


Unlimited Strength Java Cryptography Extension

Due to import control restrictions for some countries, the Java Cryptography Extension (JCE) policy files shipped with the Java SE Development Kit and the Java SE Runtime Environment allow strong but limited cryptography to be used.

An unlimited strength version of these files indicating no restrictions on cryptographic strengths is available on the JDK web site for those living in eligible countries. Those living in eligible countries may download the unlimited strength version and replace the strong cryptography jar files with the unlimited strength files.

Questions

  1. Does every JDK bundle come with local_policy.jar and US_export_policy.jar?
  2. What is the limitation in the default local_policy.jar and US_export_policy.jar? Is it the key size?
  3. If I need to use 128 bit keys, is it required to go for the Unlimited Strength Java Cryptography Extension?
  4. Is there a way I can keep these two jars in an external path and load them? Because I have more than 50 servers, rather than copying them into each JDK I would prefer to maintain them in a central place.
John Peterson asked Sep 21 '14 13:09




1 Answer

Does every JDK bundle come with local_policy.jar and US_export_policy.jar?

Yup. JCE has been integrated into the Java 2 SDK since the 1.4 release.

What is the limitation in the default local_policy.jar and US_export_policy.jar? Is it the key size?

Yes, it is the key size. I think more than 128 bit is not allowed. You can check the maximum size of the algorithm using

    int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");

If I need to use 128 bit keys, is it required to go for the Unlimited Strength Java Cryptography Extension?

For 128 bit key encryption I don't think you need the Unlimited Strength Java Cryptography Extension jars. The default ones should work just fine.

Is there a way I can keep these two jars in an external path and load them? Because I have more than 50 servers, rather than copying them into each JDK I would prefer to maintain them in a central place.

As mentioned above, this scenario should not occur if you are using a 128 bit key for encryption, but if you are using a longer key (e.g. 256) you will need to get the unlimited strength jars and replace them in $JAVA_HOME/jre/lib/security. As it is in the JDK/JRE itself, you cannot make it centralized, not in the case of distributed servers. You will need to replace it on each of your servers.

Refer to Oracle's reference guide.

Also if you don't want to do this you can refer to following thread for alternatives -

How to avoid installing “Unlimited Strength” JCE policy files when deploying an application?

Reflection is used in the thread as a workaround. Though I would not recommend it, you can take a look at it.

I have summarized everything in a post. You can refer to that too -

How to install Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files

Aniket Thakur answered Sep 25 '22 22:09
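A check that can be run on each server to see which policy files are actually in effect, building on the Cipher.getMaxAllowedKeyLength call in the answer above. This is an added example, not code from the original answer: the class name JcePolicyCheck and its helper methods are assumptions, and crypto.policy is a security property defined by newer JDK builds that the page does not mention.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper class: reports the effective JCE jurisdiction policy of this JRE.
public class JcePolicyCheck {

    /** Largest key size in bits that the installed policy permits for a transformation. */
    static int maxKeyBits(String transformation) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(transformation);
    }

    /** True if a cipher can really be initialised with a key of the given size. */
    static boolean canInit(String transformation, String keyAlg, int keyBits) throws Exception {
        byte[] raw = new byte[keyBits / 8]; // all-zero key, constructed for this probe only
        try {
            Cipher.getInstance(transformation)
                  .init(Cipher.ENCRYPT_MODE, new SecretKeySpec(raw, keyAlg));
            return true;
        } catch (InvalidKeyException e) {
            return false; // the policy rejected the key size
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home shows which JRE (and so which lib/security directory) was checked.
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("java.version  = " + System.getProperty("java.version"));
        // null on JDK builds that do not define this property
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));

        for (String alg : new String[] {"AES", "DESede", "Blowfish", "RSA"}) {
            int bits = maxKeyBits(alg);
            String shown = (bits == Integer.MAX_VALUE) ? "unlimited" : bits + " bits";
            System.out.println(alg + ": max allowed key = " + shown);
        }

        boolean aes128 = canInit("AES/CBC/PKCS5Padding", "AES", 128);
        boolean aes256 = canInit("AES/CBC/PKCS5Padding", "AES", 256);
        System.out.println("AES-128 init ok: " + aes128);
        System.out.println("AES-256 init ok: " + aes256);

        // Non-zero exit lets a fleet-wide script flag servers still on the limited policy.
        System.exit(aes256 ? 0 : 1);
    }
}
```

Compile and run it with the same JDK/JRE the application uses on that server, since the result depends on the policy files under that installation's lib/security directory.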