5

Until Java 8, it was necessary to download and install JCE in the JDK in order to use it. I cannot find a downloadable extension for Java 11. Is there a way to check if it is configured by default? Or should I activate it manually via configuration?

Ara Kokeba
  • Does this help? [JCE in AdoptOpenJDK 11](https://stackoverflow.com/questions/57291941/jce-in-adoptopenjdk-11) – Abra Jul 10 '20 at 20:12
  • In Java 8, JCE was included, but before Java 8 update 151, you needed to download and install the unlimited strength cryptography policy files to enable strong encryption. Since Java 8 update 151 this requires only a configuration file change and since Java 8 update 161, it is enabled by default. See also [my answer on "InvalidKeyException Illegal key size"](https://stackoverflow.com/a/3864276/466862) – Mark Rotteveel Jul 11 '20 at 11:10

1 Answer

14

In OpenJDK 11 the unlimited crypto policies are installed by default. You can check that with a little program with this output on my PC:

```
Check for unlimited crypto policies
Java version: 11.0.6+8-b520.43
restricted cryptography: false Notice: 'false' means unlimited policies
Security properties: unlimited
Max AES key length = 2147483647
```

code:

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import java.security.Security;

public class UnlimitedCryptoPoliciesCheck {
    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Uncomment to switch to limited crypto policies.
        // Must be set at the very beginning, before any other JCE call!
        // Security.setProperty("crypto.policy", "limited");
        System.out.println("Check for unlimited crypto policies");
        System.out.println("Java version: " + Runtime.version());
        // false means unlimited crypto
        System.out.println("restricted cryptography: " + restrictedCryptography() + " Notice: 'false' means unlimited policies");
        System.out.println("Security properties: " + Security.getProperty("crypto.policy"));
        int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length = " + maxKeyLen);
    }

    /**
     * Determines if cryptography restrictions apply.
     * Restrictions apply if the value of {@link Cipher#getMaxAllowedKeyLength(String)} returns a value smaller than {@link Integer#MAX_VALUE} if there are any restrictions according to the JavaDoc of the method.
     * This method is used with the transform <code>"AES/CBC/PKCS5Padding"</code> as this is an often used algorithm that is <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#impl">an implementation requirement for Java SE</a>.
     * Source: https://stackoverflow.com/posts/33849265/edit, author Maarten Bodewes
     *
     * @return <code>true</code> if restrictions apply, <code>false</code> otherwise
     */
    public static boolean restrictedCryptography() {
        try {
            return Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding") < Integer.MAX_VALUE;
        } catch (final NoSuchAlgorithmException e) {
            throw new IllegalStateException("The transform \"AES/CBC/PKCS5Padding\" is not available (the availability of this algorithm is mandatory for Java SE implementations)", e);
        }
    }
}
```

If you want (or have) to switch from unlimited to limited crypto policies, you can do that with one line of code placed at the very beginning (meaning this line should be executed directly after the start of your program, otherwise it will not work; just remove the comment marks):

```java
Security.setProperty("crypto.policy", "limited");
```

This is the result when switched to "limited":

```
Check for unlimited crypto policies
Java version: 11.0.6+8-b520.43
restricted cryptography: true Notice: 'false' means unlimited policies
Security properties: limited
Max AES key length = 128
```

Michael Fehr
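
A startup guard built on the check in the answer above, as an added example that is not part of the original answer: it fails fast when AES-256 is unavailable, confirms the result with a real AES-256-GCM round trip, and then shows that setting `crypto.policy` after the first JCE call no longer changes the effective limit. The class and method names are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;

// Added example: startup guard (class and method names are hypothetical).
public class CryptoPolicyGuard {

    /** Throws if the JVM cannot actually use AES-256; call once at startup. */
    static void requireUnlimitedPolicy() throws GeneralSecurityException {
        // First JCE call: the jurisdiction policy is loaded here and then cached.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        // May be null on runtimes where java.security does not define the property.
        String configured = Security.getProperty("crypto.policy");
        if (max < 256) {
            throw new GeneralSecurityException("AES limited to " + max
                    + " bits (crypto.policy=" + configured + ")");
        }
        // Prove it with a real AES-256-GCM round trip rather than trusting the number.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] msg = "policy self-test".getBytes(StandardCharsets.UTF_8); // constructed sample
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal(msg);
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        if (!Arrays.equals(msg, dec.doFinal(ct))) {
            throw new GeneralSecurityException("AES-256-GCM self-test failed");
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        requireUnlimitedPolicy();
        // Too late: the policy was already loaded by the call above, so this
        // changes the property value but not the effective key-size limit.
        Security.setProperty("crypto.policy", "limited");
        System.out.println("crypto.policy now reads: " + Security.getProperty("crypto.policy"));
        System.out.println("Max AES key length still: " + Cipher.getMaxAllowedKeyLength("AES"));
    }
}
```

Because the property value and the effective limit can disagree once the policy is cached, a health check should rely on `Cipher.getMaxAllowedKeyLength` or a real cipher initialization, not on `Security.getProperty("crypto.policy")` alone.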