How to get your users to install JCE

In every Java project where I need to do strong cryptography, I run into these dreaded unreadable stacktraces which send you into the woods. After a long search I usually discover that the Unlimited Strength Java Cryptography Extensions are not installed. To prevent frustration of users of your software, you can simply add a bit of informative logging to help him/her solve it when the solution is known.

Add the following code to help your admins solve the limited cryptography problem without having to ask you:

public static void validateJCEUnlimited() {
  final int unlimited = 2_147_483_647; /* 32 bit max int */

  // Ciphers to check for installation of the Java 
  // Cryptography Extension (JCE) unlimited strength 
  // jurisdiction policy files
  final String[] ciphers = {
    &quot;AES&quot;, &quot;BouncyCastle&quot;, &quot;X.509&quot;,
    &quot;PKCS12&quot;, &quot;BCPKCS12&quot;, &quot;PKCS12-DEF&quot;,
    &quot;DES&quot;, &quot;DESEDE&quot;, &quot;RSA&quot;, &quot;DSA&quot;,
    &quot;SHA-1&quot;, &quot;SHA-256&quot;, &quot;SHA-512&quot;
  };

  for (String cipher : ciphers) {
    int keyLength = 0;
    try {
      keyLength = Cipher.getMaxAllowedKeyLength(cipher);
    } catch (NoSuchAlgorithmException e) {
      throw new RuntimeException(&quot;Problem while checking the maximum key length of cipher &quot; + cipher + &quot;.&quot;, e);
    }

    if (keyLength &lt; unlimited) {
      String msg = String.format(&quot;The maximum allowed key length for cipher %s was %d.\n&quot; +
        &quot;This indicates that you might not have installed the Java Cryptography \n&quot; +
        &quot;Extension (JCE) unlimited strength jurisdiction policy files in your JVM.\n&quot; +
        &quot;To do so, download these policy files at:\n\n&quot; +
        &quot;Java 6: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html\n&quot; +
        &quot;Java 7: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html\n&quot; +
        &quot;Java 8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html\n\n&quot; +
        &quot;Then, copy local_policy.jar and US_export_policy.jar extracted from above zip file to\n&quot; +
        &quot;the $JAVA_HOME/jre/lib/security directory.\n&quot;, cipher, keyLength);
      throw new RuntimeException(msg);
    }
  }
}

Happy coding,
Rolf

Comments (3)

That’s a neat check.

Is it really necessary to check all these ciphers? Some are not in use anymore (DES, SHA1).

rolfje says:

2015-09-16 at 20:57

No you can choose whatever ciphers you will be using in your application. Usually checking just one is enough, as the JCE’s contain all of them. But I like to be on the safe side when trying to help people 🙂

Reply

This will get easier soon, JDK9 won’t have this restriction anymore, and this will be backported to 8, 7 and 6 according to this SO answer: https://stackoverflow.com/a/39889731

Comments (3) on “How to get your users to install JCE”

Guus says:

2015-09-16 at 20:51

That’s a neat check.

Is it really necessary to check all these ciphers? Some are not in use anymore (DES, SHA1).

1. rolfje says:
  
  2015-09-16 at 20:57
  
  No you can choose whatever ciphers you will be using in your application. Usually checking just one is enough, as the JCE’s contain all of them. But I like to be on the safe side when trying to help people 🙂
  
Joris says:

2017-09-20 at 09:36

This will get easier soon, JDK9 won’t have this restriction anymore, and this will be backported to 8, 7 and 6 according to this SO answer: https://stackoverflow.com/a/39889731

Comments (3) on “How to get your users to install JCE”

Leave a Reply Cancel reply