Categories
Programming

Installing Unlimited Strength Jurisdiction Policy Files for your JRE

Today in work, I had to use AES encryption to basically encrypt and secret text and store it somewhere. This is with Ruby language so I ended up using ‘aes’ gem as it is build on top of OpenSSL and provides simple set of methods that can be used to encrypt and decrypt strings.

Following is the Git repository location which also has some guidelines on using the gem.

https://github.com/chicks/aes

Client wanted to use something similar to AES and we researched a bit and found it is easy to use for the situation. Basically in AES the key that is used for to encrypt is used to decrypt and get the original text.

secret-key

However during execution when encryption and decryption methods are called, the following Java encryption key size limitation policy issue was occurred:

Error occurred when decrypting encrypted string with key: Illegal key size: possibly you need to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JRE (RuntimeError)

 

As it turns out that the Cipher class will generally not allow encryption with a key size of more than 128 bits. The apparent reason behind this is that some countries (although increasingly fewer) have restrictions on the permitted key strength of imported encryption software.

Ref: http://www.javamex.com/tutorials/cryptography/unrestricted_policy_files.shtml

 

Basically this is a forced restriction set by Java and can easily be fixed and there are two different solutions for this issue as mentioned in https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto.

 

Method 1 – Install the “Unlimited Strength” policy files from Oracle

In this approach it is required to install unlimited strength cryptography in the JVM, corresponding to Jenkins machine running java version:

http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

After downloading the relevant zip file, the JAR files located in that should be replaced with the same JAR files found in “<java-home>/lib/security” . A detailed installation instruction should be also included in the zip file.

 

Method 2 – Disable the crypto restriction programmatically

There’s also a gem called ‘unlimited-strength-crypto’ that programmatically disables this limitation.

Ref: https://rubygems.org/gems/unlimited-strength-crypto

However as specified in the document (https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto), this approach may apply to Java 7+ only.

 

As I see method 2 appears to be better as the situation is handled by a gem and easy to use. However as mentioned above, it is necessary to update the Java 7 or upper version.