Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8157561 Ship the unlimited policy files in JDK Updates
  3. JDK-8169716

Release Note: New Security property to control crypto policy



    • generic
    • generic
    • Verified



        This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new `crypto.policy` Security property. If the new Security property (crypto.policy) is set in the java.security file, or has been set dynamically using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy to a value of 'unlimited'. See the notes in the java.security file shipping with this release for more information.

        Note : On Solaris, it's recommended that you remove the old SVR4 packages before installing the new JDK updates. If an SVR4 based upgrade (without uninstalling the old packages) is being done on a JDK release earlier than 6u131, 7u121, 8u111, then you should set the new crypto.policy Security property in the java.security file.

        Because the old JCE jurisdiction files are left in `<java-home>/lib/security`, they may not meet the latest security JAR signing standards, which were refreshed in 6u131, 7u121, 8u111, and later updates. An exception similar to the following might be seen if the old files are used :
        Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
                at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:593)
                at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:524)


          Issue Links



                coffeys Sean Coffey
                coffeys Sean Coffey
                0 Vote for this issue
                2 Start watching this issue