3

Are the JCE policy files (in {java.home}/lib/security) overwritten with the standard strength policy files after a JRE update? Or are these left alone on JRE update?

EDIT: Does anyone know if the Mac OS X JRE ships with the unlimited policy files?

Thanks

Jon

  • see here also: http://stackoverflow.com/questions/6481627/java-security-illegal-key-size-or-default-parameters – atom88 Mar 30 '15 at 19:27

1 Answer

2

In my experience using JCE policy files, it did replace the files and I was frustrated. I ended up replacing the files at first run.

But in the end, using the Bouncy Castle API was more appropriate; there was no need to have the unlimited strength files. It was a cleaner solution.

http://www.bouncycastle.org/

Mohamed Mansour
  • Thanks Mohamed, I'll take another look at bouncycastle. Is it straightforward enough to retrofit from using JCE? – Jon Mar 09 '11 at 23:47
  • Just curious, what approach have you taken? I believe the recent versions of Java fixed the issue of auto update (the previous low 6 versions overwrote it) – Mohamed Mansour Mar 16 '11 at 00:06
  • I did some testing and found that updates didn't get replaced. Thanks for the bouncycastle info. – Jon Mar 18 '11 at 16:31
  • 2
    I found that it is needed when using ElGamal keys even with Bouncycastle. The thing I noticed was that the Oracle (Sun) JDK needs the two additional jars. For OpenJDK this is not needed. This page could be useful to understand the issues: http://www.eyrie.org/~eagle/notes/debian/jce-policy.html – рüффп Feb 01 '12 at 16:08
  • 2
    @Jon Having to replace the policy files on every computer or skipping the JCE entirely are not always satisfactory. Here's another approach to the issue: http://stackoverflow.com/questions/1179672/unlimited-strength-jce-policy-files/22492582#22492582 – ntoskrnl Mar 19 '14 at 17:27
  • I am facing the key-length issue with Java SE 8 Update 144. My web application has been live for over a year now, and changing the encryption code is not an option. I can however replace the policy files. My question is, if I replace existing policy files with unlimited ones, will it wreak havoc on my already encrypted data? IMO, it should not, but I want to be 100% sure before I go about replacing. – Meet K. Jan 09 '19 at 11:40
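
A way to check which policy a given JRE is actually enforcing, for example after an update, as an added example that is not part of any post in this thread. The class name `JcePolicyCheck` is hypothetical; it relies only on the standard `Cipher.getMaxAllowedKeyLength` call and on a probe that initialises AES with a 256-bit key.

```java
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {
    // Algorithms to report on; adjust to what the application actually uses.
    private static final String[] ALGORITHMS = {"AES", "DES", "RSA"};

    /** Functional probe: try to initialise a cipher with a 256-bit AES key. */
    static boolean canUseAes256() throws Exception {
        byte[] key = new byte[32];   // random throwaway key, 256 bits
        byte[] iv = new byte[16];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(key);
        rng.nextBytes(iv);
        try {
            // CBC is used only so the probe also runs on the older JREs
            // discussed in the thread; the ciphertext is discarded.
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            c.doFinal(new byte[16]);
            return true;
        } catch (InvalidKeyException e) {
            return false; // "Illegal key size": the limited policy is in force
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("java.version  = " + System.getProperty("java.version"));
        // Null on releases that do not define this security property.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));

        for (String alg : ALGORITHMS) {
            int max = Cipher.getMaxAllowedKeyLength(alg);
            String shown = (max == Integer.MAX_VALUE) ? "unlimited" : max + " bits";
            System.out.println(alg + " max allowed key length: " + shown);
        }

        boolean unlimited = Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE
                && canUseAes256();
        System.out.println(unlimited
                ? "Unlimited-strength policy is active."
                : "Limited policy is active; AES-256 will fail with InvalidKeyException.");
        System.exit(unlimited ? 0 : 1); // non-zero exit lets a deploy script flag the JRE
    }
}
```

Run it with the same `java` binary the application uses, since each installed JRE has its own `lib/security` directory. The limit it reports is enforced by the JCE framework itself, so it applies to any provider reached through `javax.crypto.Cipher`.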