Checking if Unlimited Cryptography is available
I think you could probably use Cipher.getMaxAllowedKeyLength(), while also comparing the cypher you're using to known lists of "good", secure cyphers, such as AES.
Here's a reference article that lists maximum key size jurisdiction limitations that were current as of Java 1.4 (these likely haven't changed, unless the law has also changed - see below).
If you are operating in a nation that has cryptographic export/import restrictions, you'd have to consult the law in your nation, but it's probably safe to assume in these situations that you don't have unlimited strength cryptography available (by default) in your JVM. Putting it another way, assuming you're using the official JVM from Oracle, and you happen to live in a nation against which the U.S. has leveled export restrictions for cryptography (and since Oracle is a United States company, it would be subject to these restrictions), then you could also assume in this case that you don't have unlimited strength available.
Of course, that doesn't stop you from building your own, and thereby granting yourself unlimited strength, but depending on your local laws, that might be illegal.
This article outlines the restrictions on export to other nations, from the Unites States.
How to check that Java Cryptography Extension is installed?
Here is a more modern Java implementation
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
public class ShowCryptoProviders
{
private static final String EOL = System.getProperty("line.separator");
public static void main(final String[] args)
{
final Provider[] providers = Security.getProviders();
final Boolean verbose = Arrays.asList(args).contains("-v");
for (final Provider p : providers)
{
System.out.format("%s %s%s", p.getName(), p.getVersion(), EOL);
for (final Object o : p.keySet())
{
if (verbose)
{
System.out.format("\t%s : %s%s", o, p.getProperty((String)o), EOL);
}
}
}
}
}
I can't imagine that something in here can't tell you what you need to know. If it doesn't just test for "Unlimited Strength" by checking the Cypher.getMaxAllowedKeyLength() it should return a very large number well above 128.
Use -v ( verbose ) to get the following output.
SunJCE 1.7
Cipher.Blowfish SupportedKeyFormats : RAW
AlgorithmParameters.DESede : com.sun.crypto.provider.DESedeParameters
AlgorithmParameters.DES : com.sun.crypto.provider.DESParameters
Cipher.DES SupportedPaddings : NOPADDING|PKCS5PADDING|ISO10126PADDING
AlgorithmParameters.Blowfish : com.sun.crypto.provider.BlowfishParameters
Cipher.DESedeWrap SupportedKeyFormats : RAW
Alg.Alias.KeyAgreement.1.2.840.113549.1.3.1 : DiffieHellman
AlgorithmParameterGenerator.DiffieHellman : com.sun.crypto.provider.DHParameterGenerator
Cipher.RSA SupportedPaddings : NOPADDING|PKCS1PADDING|OAEPWITHMD5ANDMGF1PADDING|OAEPWITHSHA1ANDMGF1PADDING|OAEPWITHSHA-1ANDMGF1PADDING|OAEPWITHSHA-256ANDMGF1PADDING|OAEPWITHSHA-384ANDMGF1PADDING|OAEPWITHSHA-512ANDMGF1PADDING
Alg.Alias.Cipher.TripleDES : DESede
Cipher.ARCFOUR SupportedModes : ECB
Mac.SslMacSHA1 SupportedKeyFormats : RAW
KeyGenerator.DES : com.sun.crypto.provider.DESKeyGenerator
Provider.id version : 1.7
KeyGenerator.DESede : com.sun.crypto.provider.DESedeKeyGenerator
Alg.Alias.SecretKeyFactory.PBE : PBEWithMD5AndDES
Alg.Alias.KeyFactory.1.2.840.113549.1.3.1 : DiffieHellman
Mac.HmacSHA1 : com.sun.crypto.provider.HmacSHA1
Cipher.PBEWithMD5AndDES : com.sun.crypto.provider.PBEWithMD5AndDESCipher
Cipher.AES SupportedModes : ECB|CBC|PCBC|CTR|CTS|CFB|OFB|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128
Cipher.AESWrap SupportedModes : ECB
SecretKeyFactory.DESede : com.sun.crypto.provider.DESedeKeyFactory
KeyGenerator.SunTlsKeyMaterial : com.sun.crypto.provider.TlsKeyMaterialGenerator
AlgorithmParameters.OAEP : com.sun.crypto.provider.OAEPParameters
Cipher.AES SupportedKeyFormats : RAW
AlgorithmParameters.RC2 : com.sun.crypto.provider.RC2Parameters
AlgorithmParameters.PBE : com.sun.crypto.provider.PBEParameters
Alg.Alias.KeyPairGenerator.DH : DiffieHellman
Alg.Alias.KeyAgreement.OID.1.2.840.113549.1.3.1 : DiffieHellman
Cipher.AES : com.sun.crypto.provider.AESCipher
KeyGenerator.RC2 : com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator
Mac.HmacSHA512 : com.sun.crypto.provider.HmacCore$HmacSHA512
Provider.id info : SunJCE Provider (implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR, RC2, PBE, Diffie-Hellman, HMAC)
Cipher.AES SupportedPaddings : NOPADDING|PKCS5PADDING|ISO10126PADDING
Alg.Alias.AlgorithmParameters.OID.1.2.840.113549.1.12.1.6 : PBEWithSHA1AndRC2_40
Cipher.Blowfish SupportedPaddings : NOPADDING|PKCS5PADDING|ISO10126PADDING
Alg.Alias.AlgorithmParameters.OID.1.2.840.113549.1.12.1.3 : PBEWithSHA1AndDESede
Alg.Alias.KeyGenerator.SunTls12KeyMaterial : SunTlsKeyMaterial
KeyStore.JCEKS : com.sun.crypto.provider.JceKeyStore
Cipher.Blowfish SupportedModes : ECB|CBC|PCBC|CTR|CTS|CFB|OFB|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64
Alg.Alias.SecretKeyFactory.1.2.840.113549.1.5.12 : PBKDF2WithHmacSHA1
Mac.HmacSHA384 SupportedKeyFormats : RAW
Cipher.DESedeWrap : com.sun.crypto.provider.DESedeWrapCipher
Cipher.ARCFOUR SupportedPaddings : NOPADDING
Alg.Alias.KeyPairGenerator.1.2.840.113549.1.3.1 : DiffieHellman
Cipher.PBEWithMD5AndTripleDES : com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher
Alg.Alias.Cipher.1.2.840.113549.1.12.1.6 : PBEWithSHA1AndRC2_40
Alg.Alias.Cipher.1.2.840.113549.1.12.1.3 : PBEWithSHA1AndDESede
Mac.HmacSHA256 SupportedKeyFormats : RAW
Alg.Alias.KeyGenerator.SunTls12RsaPremasterSecret : SunTlsRsaPremasterSecret
Alg.Alias.AlgorithmParameterGenerator.1.2.840.113549.1.3.1 : DiffieHellman
Cipher.PBEWithSHA1AndDESede : com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede
Alg.Alias.KeyGenerator.SunTls12MasterSecret : SunTlsMasterSecret
SecretKeyFactory.PBEWithMD5AndDES : com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES
KeyPairGenerator.DiffieHellman : com.sun.crypto.provider.DHKeyPairGenerator
Cipher.RC2 SupportedModes : ECB|CBC|PCBC|CTR|CTS|CFB|OFB|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64
Alg.Alias.AlgorithmParameters.Rijndael : AES
KeyAgreement.DiffieHellman SupportedKeyClasses : javax.crypto.interfaces.DHPublicKey|javax.crypto.interfaces.DHPrivateKey
Mac.HmacMD5 SupportedKeyFormats : RAW
KeyGenerator.SunTlsRsaPremasterSecret : com.sun.crypto.provider.TlsRsaPremasterSecretGenerator
Cipher.AESWrap SupportedKeyFormats : RAW
SecretKeyFactory.DES : com.sun.crypto.provider.DESKeyFactory
Cipher.AESWrap SupportedPaddings : NOPADDING
Provider.id name : SunJCE
KeyGenerator.HmacSHA512 : com.sun.crypto.provider.KeyGeneratorCore$HmacSHA512KG
Mac.HmacSHA256 : com.sun.crypto.provider.HmacCore$HmacSHA256
Cipher.ARCFOUR SupportedKeyFormats : RAW
Cipher.DES SupportedModes : ECB|CBC|PCBC|CTR|CTS|CFB|OFB|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64
Cipher.RSA SupportedKeyClasses : java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey
SecretKeyFactory.PBEWithMD5AndTripleDES : com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES
Cipher.PBEWithSHA1AndRC2_40 : com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40
AlgorithmParameters.DiffieHellman : com.sun.crypto.provider.DHParameters
Mac.HmacMD5 : com.sun.crypto.provider.HmacMD5
Cipher.RSA : com.sun.crypto.provider.RSACipher
Mac.SslMacMD5 : com.sun.crypto.provider.SslMacCore$SslMacMD5
Alg.Alias.AlgorithmParameters.OID.1.2.840.113549.1.5.3 : PBEWithMD5AndDES
Cipher.DESede SupportedPaddings : NOPADDING|PKCS5PADDING|ISO10126PADDING
Alg.Alias.AlgorithmParameterGenerator.OID.1.2.840.113549.1.3.1 : DiffieHellman
Cipher.DESede : com.sun.crypto.provider.DESedeCipher
Alg.Alias.AlgorithmParameters.OID.1.2.840.113549.1.3.1 : DiffieHellman
Alg.Alias.AlgorithmParameters.1.2.840.113549.1.5.3 : PBEWithMD5AndDES
Mac.HmacSHA512 SupportedKeyFormats : RAW
Mac.HmacPBESHA1 SupportedKeyFormats : RAW
Alg.Alias.AlgorithmParameterGenerator.DH : DiffieHellman
Cipher.DESedeWrap SupportedPaddings : NOPADDING
Alg.Alias.SecretKeyFactory.OID.1.2.840.113549.1.5.12 : PBKDF2WithHmacSHA1
Alg.Alias.AlgorithmParameters.1.2.840.113549.1.3.1 : DiffieHellman
Mac.HmacPBESHA1 : com.sun.crypto.provider.HmacPKCS12PBESHA1
Cipher.DES SupportedKeyFormats : RAW
AlgorithmParameters.PBEWithMD5AndTripleDES : com.sun.crypto.provider.PBEParameters
Cipher.DESedeWrap SupportedModes : CBC
Alg.Alias.KeyFactory.OID.1.2.840.113549.1.3.1 : DiffieHellman
Alg.Alias.Cipher.OID.1.2.840.113549.1.5.3 : PBEWithMD5AndDES
AlgorithmParameters.AES : com.sun.crypto.provider.AESParameters
Alg.Alias.AlgorithmParameters.TripleDES : DESede
Alg.Alias.SecretKeyFactory.TripleDES : DESede
KeyGenerator.HmacSHA256 : com.sun.crypto.provider.KeyGeneratorCore$HmacSHA256KG
Alg.Alias.KeyGenerator.TripleDES : DESede
Alg.Alias.AlgorithmParameters.DH : DiffieHellman
KeyGenerator.AES : com.sun.crypto.provider.AESKeyGenerator
Cipher.RC2 SupportedPaddings : NOPADDING|PKCS5PADDING|ISO10126PADDING
Alg.Alias.Cipher.RC4 : ARCFOUR
Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.3.1 : DiffieHellman
Mac.HmacSHA384 : com.sun.crypto.provider.HmacCore$HmacSHA384
SecretKeyFactory.PBKDF2WithHmacSHA1 : com.sun.crypto.provider.PBKDF2HmacSHA1Factory
Provider.id className : com.sun.crypto.provider.SunJCE
Cipher.DES : com.sun.crypto.provider.DESCipher
Cipher.Blowfish : com.sun.crypto.provider.BlowfishCipher
KeyGenerator.SunTlsMasterSecret : com.sun.crypto.provider.TlsMasterSecretGenerator
KeyGenerator.HmacSHA1 : com.sun.crypto.provider.HmacSHA1KeyGenerator
Alg.Alias.SecretKeyFactory.1.2.840.113549.1.5.3 : PBEWithMD5AndDES
KeyGenerator.SunTlsPrf : com.sun.crypto.provider.TlsPrfGenerator$V10
SecretKeyFactory.PBEWithSHA1AndDESede : com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede
KeyGenerator.ARCFOUR : com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator
Alg.Alias.KeyAgreement.DH : DiffieHellman
Alg.Alias.KeyGenerator.Rijndael : AES
AlgorithmParameters.PBEWithSHA1AndDESede : com.sun.crypto.provider.PBEParameters
Alg.Alias.KeyGenerator.RC4 : ARCFOUR
Alg.Alias.Cipher.OID.1.2.840.113549.1.12.1.6 : PBEWithSHA1AndRC2_40
Alg.Alias.Cipher.OID.1.2.840.113549.1.12.1.3 : PBEWithSHA1AndDESede
Mac.SslMacMD5 SupportedKeyFormats : RAW
Mac.HmacSHA1 SupportedKeyFormats : RAW
Cipher.DESede SupportedKeyFormats : RAW
Cipher.RC2 : com.sun.crypto.provider.RC2Cipher
KeyGenerator.SunTls12Prf : com.sun.crypto.provider.TlsPrfGenerator$V12
SecretKeyFactory.PBEWithSHA1AndRC2_40 : com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40
KeyGenerator.HmacMD5 : com.sun.crypto.provider.HmacMD5KeyGenerator
AlgorithmParameters.PBEWithSHA1AndRC2_40 : com.sun.crypto.provider.PBEParameters
KeyGenerator.HmacSHA384 : com.sun.crypto.provider.KeyGeneratorCore$HmacSHA384KG
Alg.Alias.AlgorithmParameters.1.2.840.113549.1.12.1.6 : PBEWithSHA1AndRC2_40
KeyFactory.DiffieHellman : com.sun.crypto.provider.DHKeyFactory
Alg.Alias.AlgorithmParameters.1.2.840.113549.1.12.1.3 : PBEWithSHA1AndDESede
AlgorithmParameters.PBEWithMD5AndDES : com.sun.crypto.provider.PBEParameters
Alg.Alias.SecretKeyFactory.1.2.840.113549.1.12.1.6 : PBEWithSHA1AndRC2_40
Alg.Alias.SecretKeyFactory.1.2.840.113549.1.12.1.3 : PBEWithSHA1AndDESede
Cipher.AESWrap : com.sun.crypto.provider.AESWrapCipher
Alg.Alias.SecretKeyFactory.OID.1.2.840.113549.1.5.3 : PBEWithMD5AndDES
Alg.Alias.Cipher.Rijndael : AES
Cipher.RSA SupportedModes : ECB
Cipher.DESede SupportedModes : ECB|CBC|PCBC|CTR|CTS|CFB|OFB|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64
Alg.Alias.SecretKeyFactory.OID.1.2.840.113549.1.12.1.6 : PBEWithSHA1AndRC2_40
Alg.Alias.SecretKeyFactory.OID.1.2.840.113549.1.12.1.3 : PBEWithSHA1AndDESede
Cipher.ARCFOUR : com.sun.crypto.provider.ARCFOURCipher
Alg.Alias.Cipher.1.2.840.113549.1.5.3 : PBEWithMD5AndDES
Mac.SslMacSHA1 : com.sun.crypto.provider.SslMacCore$SslMacSHA1
KeyAgreement.DiffieHellman : com.sun.crypto.provider.DHKeyAgreement
Cipher.RC2 SupportedKeyFormats : RAW
Alg.Alias.KeyFactory.DH : DiffieHellman
KeyGenerator.Blowfish : com.sun.crypto.provider.BlowfishKeyGenerator
I believe that checking for a specific keygenerator such as KeyGenerator.HmacSHA512 : com.sun.crypto.provider.KeyGeneratorCore$HmacSHA512KG may tell you the same thing without having to rely on the key length query.
How can I configure Java Cryptography Extension (JCE) in OpenJDK 11
In OpenJDK 11 the unlimited crypto policies are installed by default. You can check that with a little program with this output on my PC:
Check for unlimited crypto policies
Java version: 11.0.6+8-b520.43
restricted cryptography: false Notice: 'false' means unlimited policies
Security properties: unlimited
Max AES key length = 2147483647
code:
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
public class UnlimitedCryptoPoliciesCheck {
public static void main(String[] args) throws NoSuchAlgorithmException {
// Security.setProperty("crypto.policy", "limited"); // uncomment to switch to limited crypto policies
System.out.println("Check for unlimited crypto policies");
System.out.println("Java version: " + Runtime.version());
//Security.setProperty("crypto.policy", "limited"); // muss ganz am anfang gesetzt werden !
System.out.println("restricted cryptography: " + restrictedCryptography() + " Notice: 'false' means unlimited policies"); // false mean unlimited crypto
System.out.println("Security properties: " + Security.getProperty("crypto.policy"));
int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
System.out.println("Max AES key length = " + maxKeyLen);
}
/**
* Determines if cryptography restrictions apply.
* Restrictions apply if the value of {@link Cipher#getMaxAllowedKeyLength(String)} returns a value smaller than {@link Integer#MAX_VALUE} if there are any restrictions according to the JavaDoc of the method.
* This method is used with the transform <code>"AES/CBC/PKCS5Padding"</code> as this is an often used algorithm that is <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#impl">an implementation requirement for Java SE</a>.
*
* @return <code>true</code> if restrictions apply, <code>false</code> otherwise
* https://stackoverflow.com/posts/33849265/edit, author Maarten Bodewes
*/
public static boolean restrictedCryptography() {
try {
return Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding") < Integer.MAX_VALUE;
} catch (final NoSuchAlgorithmException e) {
throw new IllegalStateException("The transform \"AES/CBC/PKCS5Padding\" is not available (the availability of this algorithm is mandatory for Java SE implementations)", e);
}
}
}
If you want (or have to) switch from unlimited to limited crypto policies you can do that with one line of code that is placed at first place (means this line should be executed direct after the start of your program otherwise it will not work - just remove the comment marks):
Security.setProperty("crypto.policy", "limited");
This is the result when switched to "limited":
Check for unlimited crypto policies
Java version: 11.0.6+8-b520.43
restricted cryptography: true Notice: 'false' means unlimited policies
Security properties: limited
Max AES key length = 128
Is it possible to check for a specific cipher block mode support without providing a whole transform?
Yes, you can traverse through the providers and services and look for a service that is a cipher and contains GCM in the name, e.g.
Provider[] provs = Security.getProviders();
for (Provider prov : provs) {
Set<Service> services = prov.getServices();
for (Service service : services) {
if (!service.getType().matches("(?i)Cipher")) {
break;
}
String algo = service.getAlgorithm();
if (algo.matches("(?i).*/GCM/.*")) {
System.out.println(service);
}
}
}
Beware that you may want to check for unlimited crypto for older Java runtimes, e.g. using my answer here.
You may want to consider that GCM is only valid for 128 bit ciphers, and that it is unlikely that you'll find implementations that do not use AES. Furthermore, there aren't any parameters other than "NoPadding" that make sense for GCM mode (in the algorithm string anyway, I'm not talking about GCCMParameterSpec of course).
Beware that later providers may not return "AES/GCM/NoPadding" but return "AES_128/GCM/NoPadding", "AES_192/GCM/NoPadding" and "AES_256/GCM/NoPadding" instead. This also influences, the Provider#getService(type, algorithm) call, rendering it useless in case you want to check for "AES/GCM/NoPadding", i.e. AES with any valid key size.
How to install Unlimited Strength Jurisdiction Policy Files?
You need to determine your Java home path (either via System.getenv("JAVA_HOME") from Java or $ echo $JAVA_HOME on the command line). It should be a path like the following:
C:\Program Files\Java\jre8on Windows/Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Homeon Mac OS X/usr/java/jdk1.8.0_101/bin/javaon *nix
You then need to copy the US_export_policy.jar and local_policy.jar files you downloaded into the directory: <JAVA_HOME>/jre/lib/security and overwrite the existing files of the same name.
Updated 05/17/17
The following code (for demonstration purposes only) will instruct the JVM that it is allowed to use AES-256 bit encryption and corresponding TLS ciphers regardless of the policy files installed. It is not recommended to employ this method.
if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
try {
Field field = Class.forName("javax.crypto.JceSecurity").
getDeclaredField("isRestricted");
field.setAccessible(true);
field.set(null, java.lang.Boolean.FALSE);
} catch (Exception e) {
fail("Could not override JCE cryptography strength policy setting");
fail(e.getMessage());
}
}
Related Topics
Java: Split String When an Uppercase Letter Is Found
Apache Spark - Foreach VS Foreachpartition When to Use What
Java: Set Timeout on a Certain Block of Code
Is There a Priorityqueue Implementation with Fixed Capacity and Custom Comparator
Why Aren't Integers Cached in Java
Java Key Listener in Commandline
How to Implement Task Prioritization Using an Executorservice in Java 5
Java Type Generic as Argument for Gson
Javac Error: Class Names Are Only Accepted If Annotation Processing Is Explicitly Requested
Difference Between "This" And"Super" Keywords in Java
Why Does My Aes Encryption Throws an Invalidkeyexception