JDK-8169716 : Release Note: New Security property to control crypto policy
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 6u171,7u161,8u151
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • OS: generic
  • CPU: generic
  • Submitted: 2016-11-15
  • Updated: 2017-11-28
  • Resolved: 2016-11-16
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

Version table: 6u171 Resolved; 7u161 Resolved; 8u151 Resolved

This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new `crypto.policy` Security property.

If the new Security property (`crypto.policy`) is set in the `java.security` file, or has been set dynamically using the `Security.setProperty()` call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy `lib/security` directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set `crypto.policy` to a value of 'unlimited'. See the notes in the `java.security` file shipping with this release for more information.

Note: On Solaris, it's recommended that you remove the old SVR4 packages before installing the new JDK updates. If an SVR4 based upgrade (without uninstalling the old packages) is being done on a JDK release earlier than 6u131, 7u121, 8u111, then you should set the new `crypto.policy` Security property in the `java.security` file.

Because the old JCE jurisdiction files are left in `<java-home>/lib/security`, they may not meet the latest security JAR signing standards, which were refreshed in 6u131, 7u121, 8u111, and later updates. An exception similar to the following might be seen if the old files are used:
Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers! 
        at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:593) 
        at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:524) 
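
One way to check which policy a given JVM actually ends up with, and to see that the property only counts when set before the JCE framework initializes. This is an added Java example, not part of the release note or the JDK sources; the class name `CryptoPolicyCheck` is hypothetical, and `local_policy.jar` / `US_export_policy.jar` are the file names of the separately downloaded legacy policy bundle, which this note does not list.

```java
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;

// Hypothetical diagnostic class (not JDK code).
public class CryptoPolicyCheck {
    // File names of the legacy, separately installed jurisdiction policy JARs.
    private static final String[] LEGACY_JARS = {"local_policy.jar", "US_export_policy.jar"};

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Optional argument: "unlimited" or "limited". It is applied before any
        // javax.crypto class is touched, because the policy is loaded once,
        // when the JCE framework initializes.
        if (args.length == 1) {
            Security.setProperty("crypto.policy", args[0]);
        }

        String configured = Security.getProperty("crypto.policy");
        System.out.println("crypto.policy = " + (configured == null ? "(undefined)" : configured));

        // Report legacy files left behind in <java-home>/lib/security, e.g. by
        // an upgrade that did not uninstall the old packages.
        File secDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        for (String name : LEGACY_JARS) {
            File jar = new File(secDir, name);
            System.out.println(jar + (jar.isFile() ? " : present (legacy file)" : " : absent"));
        }

        // First JCE call: the jurisdiction policy is loaded here. Unsigned or
        // stale legacy files would surface at this point as a SecurityException.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        boolean unlimited = (maxAes == Integer.MAX_VALUE);
        System.out.println("Max AES key length = " + (unlimited ? "unlimited" : maxAes + " bits"));

        // Flipping the property after initialization does not change the
        // policy already loaded into this JVM.
        Security.setProperty("crypto.policy", unlimited ? "limited" : "unlimited");
        int after = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Late change ignored: " + (after == maxAes));
    }
}
```

Run it once with no argument to see the effective default for the installation, and once with `unlimited` to confirm the property is honored.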
email from Roger Calnan: "creating release notes for both the CPU and PSU for a particular release which is not what we want....remove the affectsversion vs. creating multiple release notes. For example: https://bugs.openjdk.java.net/browse/JDK-8169716 there should only be a release note for 8u151."