
In my project I had some issues with cryptography which I fixed by using "JCE Unlimited Strength Jurisdiction Policy Files". On my local machine I just replaced some JARs in the jre/lib/security directory. However, I also need my project to build (to be precise, to run tests) on a continuous integration build server (TeamCity in my case, but I guess it's not very important), which means patching JARs in the JRE directory of every build agent, which is not a good option at all.

Is there a way of specifying these JCE policies without patching the JRE?

karlicoss
  • Adding unlimited policy files to each build agent is perfectly fine. I would even suggest having at least two separate JRE/JDK installations on each agent, one in pristine state and one with unlimited crypto, and running tests on both - your application/library should work predictably in both cases, and should test both cases. – Oleg Estekhin Aug 06 '14 at 04:03

2 Answers

1

According to the Java Cryptography Architecture (JCA) Reference Guide under How to Make Applications "Exempt" from Cryptographic Restrictions, you could bundle a policy file stating exemptions with your application's JAR, but the JAR must then be signed and it is not even certain that Oracle's default crypto providers support this:

(NOTE: The SunJCE provider does not supply an implementation of the ExemptionMechanismSpi class.)

Needless to say, I have not tested this way... ;) This looks way more complicated than replacing two files. I always installed the jurisdiction policy files on all my JVMs, but I use the Debian Alternatives System to have those files automatically replace the ones provided with the JDK. That makes upgrades much less painful.

Kolargol00
  • To use the exemption mechanism you will have to do "Step 3a: Apply for Government Approval From the Government Mandating Restrictions.". Good luck with that, especially if you just want to use unlimited crypto in an "unrestricted" country. – Oleg Estekhin Aug 06 '14 at 04:01
  • @OlegEstekhin the thing is the app is actually an Android app, and works fine on real devices (I guess Dalvik VM has other security policies, not sure why). The problem arose only on desktop JVM when I tried to mock some parts of the application to unit test them using Robolectric, so I'm not sure I should get government approval if I only run the testing code on my build server. – karlicoss Aug 06 '14 at 13:54
0

Okay, I was actually able to bypass the policies using Java reflection: How to avoid installing "Unlimited Strength" JCE policy files when deploying an application?

Looks like a dirty hack, but does work and doesn't require any licensing, signing and all that stuff.

karlicoss