java 1.62 - JCE Unlimited Strength Jurisdiction Policy


William E.

Apr 10, 2018, 9:58:19 AM
to CAS Community
Has anyone run into a problem with the JCE files on newer JDKs?  It is my understanding that JDK 1.8.161 and later includes the JCE unlimited cryptography libs by default, and command line testing seems to confirm this, but CAS 5.2.3 fails with the following:

Caused by: java.lang.RuntimeException: Is JCE Unlimited Strength Jurisdiction Policy installed? AES is an unknown, unsupported or unavailable enc algorithm (not one of [A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM]).

CAS startup shows the correct JDK is being used and JCE is present:

CAS Version: 5.2.3 
CAS Commit Id: 14850a4ef16ef32ce6390f62fda566fdb8fa3948 
CAS Build Date/Time: 2018-03-07T20:08:12Z 
Spring Boot Version: 1.5.8.RELEASE 
------------------------------------------------------------ 
Java Home: /usr/java/jdk1.8.0_162/jre 
Java Vendor: Oracle Corporation 
Java Version: 1.8.0_162 
..............
JCE Installed: Yes 
..............


Command line testing shows it is enabled:

$ env | grep JAVA
JAVA_HOME=/usr/java/jdk1.8.0_162

$ which jrunscript
/usr/java/jdk1.8.0_162/bin/jrunscript

$ jrunscript -e "print (javax.crypto.Cipher.getMaxAllowedKeyLength('AES') >= 256)"
true


I am at a loss...

Anyone have ideas??

Out of desperation I downloaded the JCE files from Oracle and put them in the usual place (/jre/lib/security) and restarted Tomcat, but still the same error.  Using OpenJDK 8, which should also include the JCE unlimited jars, gives the same CAS error.

Thanks,
William



Michael A Grady

Apr 10, 2018, 10:45:41 AM
to cas-...@apereo.org
The easiest way to get the latest versions of Java to use unlimited strength algorithms is to:

 Modify the file (within the Java directory):

      jre/lib/security/java.security 

 change the commented out property, near the end of the file:

      #crypto.policy=unlimited

by simply removing the comment marker:

      crypto.policy=unlimited

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/718bdd24-4d97-4723-8f00-a156f7c79757%40apereo.org.

--
Michael A. Grady
IAM Architect, Unicon, Inc.




William E.

Apr 10, 2018, 11:05:14 AM
to CAS Community, mgr...@unicon.net
Hi Mike,

Thanks for replying.  

1. CAS startup says "JCE Installed: Yes" but fails to find AES??

2. Isn't unlimited the default, and verified by the jrunscript test?

From the 1.8.162 java.security file you reference:

# Cryptographic Jurisdiction Policy defaults
#
# Import and export control rules on cryptographic software vary from
# country to country.  By default, the JDK provides two different sets of
# cryptographic policy files:
#
#     unlimited:  These policy files contain no restrictions on cryptographic
#                 strengths or algorithms.
#
#     limited:    These policy files contain more restricted cryptographic
#                 strengths, and are still available if your country or
#                 usage requires the traditional restrictive policy.
#
# The JDK JCE framework uses the unlimited policy files by default.
# However the user may explicitly choose a set either by defining the
# "crypto.policy" Security property or by installing valid JCE policy
# jar files into the traditional JDK installation location.  To better
# support older JDK Update releases, the "crypto.policy" property is not
# defined by default.  See below for more information.
#
# The following logic determines which policy files are used:
#
#         <java-home> refers to the directory where the JRE was
#         installed and may be determined using the "java.home"
#         System property.
#
# 1.  If the Security property "crypto.policy" has been defined,
#     then the following mechanism is used:
#
#     The policy files are stored as jar files in subdirectories of
# <java-home>/lib/security/policy.  Each directory contains a complete
# set of policy files.
#
#     The "crypto.policy" Security property controls the directory
#     selection, and thus the effective cryptographic policy.
#
# The default set of directories is:
#
#     limited | unlimited
#
# 2.  If the "crypto.policy" property is not set and the traditional
#     US_export_policy.jar and local_policy.jar files
#     (e.g. limited/unlimited) are found in the legacy
#     <java-home>/lib/security directory, then the rules embedded within
#     those jar files will be used. This helps preserve compatibility
# for users upgrading from an older installation.
#
# 3.  If the jar files are not present in the legacy location
#     and the "crypto.policy" Security property is not defined,
#     then the JDK will use the unlimited settings (equivalent to
#     crypto.policy=unlimited)
#
# Please see the JCA documentation for additional information on these
# files and formats.
#
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
# TO DETERMINE THE EXACT REQUIREMENTS.
#
# Please note that the JCE for Java SE, including the JCE framework,
# cryptographic policy files, and standard JCE providers provided with
# the Java SE, have been reviewed and approved for export as mass market
# encryption item by the US Bureau of Industry and Security.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
#crypto.policy=unlimited



# pwd; find .
/usr/java/jdk1.8.0_162/jre/lib/security
.
./cacerts
./javaws.policy
./trusted.libraries
./java.security
./blacklisted.certs
./java.policy
./blacklist
./policy
./policy/limited
./policy/limited/US_export_policy.jar
./policy/limited/local_policy.jar
./policy/unlimited
./policy/unlimited/US_export_policy.jar
./policy/unlimited/local_policy.jar



-William
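As an added example (not code from the thread or from CAS), the following shell function applies the three selection rules quoted above from java.security to a JDK install path and reports which policy is in force; the install path argument is an assumption, and the cross-check function repeats the thread's jrunscript test:

```shell
# Added example, not code from the thread: apply the three rules quoted from
# java.security to a JDK install path and report which JCE policy is in force.
# The install path passed in is an assumption; the test uses a constructed tree.

effective_crypto_policy() {
    java_home="$1"
    # A full JDK keeps the JRE under jre/; a bare JRE has lib/security directly.
    if [ -d "$java_home/jre/lib/security" ]; then
        sec="$java_home/jre/lib/security"
    else
        sec="$java_home/lib/security"
    fi
    if [ ! -f "$sec/java.security" ]; then
        echo "no java.security under $sec" >&2
        return 1
    fi
    # Rule 1: an uncommented "crypto.policy=..." line wins. The shipped file only
    # has "#crypto.policy=unlimited", which this pattern deliberately ignores.
    policy=$(sed -n 's/^[[:space:]]*crypto\.policy[[:space:]]*=[[:space:]]*//p' \
                 "$sec/java.security" | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -n "$policy" ]; then
        echo "$policy"
        return 0
    fi
    # Rule 2: policy jars copied into the legacy location override the default;
    # which strength you get depends on which pair was copied, so flag it.
    if [ -f "$sec/US_export_policy.jar" ] && [ -f "$sec/local_policy.jar" ]; then
        echo "legacy-jars"
        return 0
    fi
    # Rule 3: no property and no legacy jars: unlimited is the default.
    echo "unlimited"
}

# Cross-check against the running JVM, as the jrunscript one-liner in the thread
# does; prints true/false, or returns 2 if jrunscript is not present.
runtime_allows_aes256() {
    jrs="$1/bin/jrunscript"
    [ -x "$jrs" ] || return 2
    "$jrs" -e "print(javax.crypto.Cipher.getMaxAllowedKeyLength('AES') >= 256)"
}
```

When the function reports "legacy-jars", open the jars in lib/security to see whether the limited or unlimited pair was copied there; that is the case where the startup banner and the runtime check can disagree.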

William E.

Apr 10, 2018, 12:23:46 PM
to CAS Community, mgr...@unicon.net
I think I've resolved it, and it appears to be unrelated to the JCE libs.  Using JDK 1.8.162 as-is, with #crypto.policy=unlimited commented out as delivered.

I was using cas-management to add the JWT properties and added one too many.  When my service has the below, it works without the JCE error:

.............
  properties:
  {
    @class: java.util.LinkedHashMap
    jwtAsServiceTicket:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
      values:
      [
        java.util.HashSet
        [
          "true"
        ]
      ]
    }
  }


But when it has these two entries, it fails with the JCE error, which was apparently a red herring.

  properties:
  {
    @class: java.util.LinkedHashMap
    jwtAsServiceTicket:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
      values:
      [
        java.util.HashSet
        [
          "true"
        ]
      ]
    }
    jwtAsResponse:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
      values:
      [
        java.util.HashSet
        [
          "true"
        ]
      ]