
In my current project I need to use a strong PBE encryption algorithm, as asked by the client. But for that to work, I would need to install JCE Policy Files on each machine I want to deploy on. Based on the number of machines, that is NOT a valid option for it to be a "copy-and-run deployment".

How to avoid installing "Unlimited Strength" JCE policy files when deploying an application? The solution provided there, using reflection to override JCE validations, works perfectly, but only on Java 7 or above. However, the entire project is designed for Java 6 (we have already tried to upgrade it, without success). So the elements used in the reflection solution are not even present.

I'm currently using Jasypt + BouncyCastle for a StandardPBEStringEncryptor, with PBEWITHSHA256AND256BITAES-CBC-BC.

Is there a way to bypass the JCE restriction on Java6 by using reflection (or any other method that does not involve patching the JVM or getting an international Government Approval)?

Daniel
  • The question you asked is already asked and answered in the link you provide. Therefore you are just asking the same question again – President James K. Polk Aug 16 '14 at 01:36
  • possible duplicate of ["Unlimited Strength" JCE Policy Files](http://stackoverflow.com/questions/1179672/unlimited-strength-jce-policy-files) – President James K. Polk Aug 16 '14 at 01:36
  • @GregS - I'm not sure this is a duplicate. Daniel cited the dup and explained why it was not a fit for his situation. Why Java 6 is being supported is a different story (it's well into [End of Life](http://www.oracle.com/us/technologies/java/eol-135779.html)), but that's his decision. – jww Aug 16 '14 at 07:56
  • @jww: Read the duplicate question. The dup is not specific to Java 7, nor are the answers. – President James K. Polk Aug 16 '14 at 11:34
  • @GregS The dup is not specific to Java 7, but none of the provided answers are suitable for my situation (which is specific to Java 6). None of them meet my requirements. The only answer close to what I would need IS specific to Java 7 or superior, therefore not suitable. – Daniel Aug 17 '14 at 19:21
  • The reflection workaround described in the linked question works on Java 6 as well with minor modifications. The JCE classes are obfuscated, but the names are consistent so they can still be hardcoded. – ntoskrnl Sep 15 '14 at 12:51
  • I had already tried that. But Java throws a ClassNotFoundException. – Daniel Sep 17 '14 at 20:10
  • I ended up using BouncyCastle's Cipher: `Cipher.getInstance("PBEWithSHA256And256BitAES-CBC-BC")`. And I heavily borrowed from their base example, plus some modifications, to instantiate and use some of the classes needed, such as PaddedBufferedBlockCipher, ParametersWithIV, CBCBlockCipher, PKCS12ParametersGenerator, etc. – Daniel Sep 17 '14 at 20:14
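
The BouncyCastle lightweight classes named in the last comment can be wired together as below; this is an added example, not code from the thread or from BouncyCastle's documentation. It calls the engine classes directly instead of going through `javax.crypto.Cipher`, which is where the JCE policy key-length check is enforced. Assumptions: the class name, the salt length, the iteration count and the salt-prefixed output layout are illustrative choices, and the constructors are those of the BouncyCastle releases contemporary with Java 6.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.PBEParametersGenerator;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.generators.PKCS12ParametersGenerator;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;

public class BcLightweightPbe { // hypothetical class name
    static final int SALT_LEN = 16;      // assumed salt length in bytes
    static final int ITERATIONS = 10000; // assumed iteration count

    // PKCS#12 key derivation with SHA-256, then AES-256 in CBC mode with PKCS7 padding.
    static byte[] run(boolean forEncryption, char[] password, byte[] salt,
                      byte[] in, int off, int len) throws InvalidCipherTextException {
        PKCS12ParametersGenerator gen = new PKCS12ParametersGenerator(new SHA256Digest());
        gen.init(PBEParametersGenerator.PKCS12PasswordToBytes(password), salt, ITERATIONS);
        PaddedBufferedBlockCipher cipher =
            new PaddedBufferedBlockCipher(new CBCBlockCipher(new AESEngine()));
        // 256-bit key and 128-bit IV, returned together as a ParametersWithIV.
        cipher.init(forEncryption, gen.generateDerivedParameters(256, 128));
        byte[] out = new byte[cipher.getOutputSize(len)];
        int n = cipher.processBytes(in, off, len, out, 0);
        n += cipher.doFinal(out, n); // throws InvalidCipherTextException on bad padding
        return Arrays.copyOf(out, n);
    }

    // Output layout (assumed for this example): salt || ciphertext.
    static byte[] encrypt(char[] password, byte[] plain) throws InvalidCipherTextException {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt); // fresh salt per message gives a fresh key and IV
        byte[] ct = run(true, password, salt, plain, 0, plain.length);
        byte[] blob = Arrays.copyOf(salt, SALT_LEN + ct.length);
        System.arraycopy(ct, 0, blob, SALT_LEN, ct.length);
        return blob;
    }

    static byte[] decrypt(char[] password, byte[] blob) throws InvalidCipherTextException {
        if (blob.length <= SALT_LEN) throw new IllegalArgumentException("input too short");
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        return run(false, password, salt, blob, SALT_LEN, blob.length - SALT_LEN);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-password".toCharArray(); // constructed sample input
        byte[] blob = encrypt(pw, "constructed sample text".getBytes("UTF-8"));
        System.out.println(new String(decrypt(pw, blob), "UTF-8"));
    }
}
```

CBC with padding gives confidentiality only, so data that can be modified in transit or at rest needs a MAC over the salt and ciphertext, verified before decryption. The byte layout here is not claimed to match what Jasypt's StandardPBEStringEncryptor produces.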

0 Answers