Bug ID: JDK-7024850 Consider shipping Unlimited Crypto Policy files by default.

Type: Enhancement
Component: security-libs
Sub-Component: javax.crypto
Affected Version: 7

Priority: P3
Status: Resolved
Resolution: Duplicate
OS: generic
CPU: generic

Submitted: 2011-03-04
Updated: 2017-06-21
Resolved: 2017-06-21

Change to ship unlimited policy files by default.

A historical note.  This bug used to say:

    The files in jdk/make/closed/javax/crypto/doc are old and need to be updated.  There are still the old Sun 
    copyright and website links.

That was split into JDK-7042097.

JDK-8157561 adds the policy files in the distribution JDK-8170157 enables them by default.
21-06-2017
Both policy files ship in JDK 9, but limited is installed by default.
05-04-2016
Ran out of time to make this happen in JDK8 GA, see previous comment.
13-09-2013
The corresponding update installer bug.
05-12-2012
This was split off from this bug id.
05-12-2012
EVALUATION Proposed documentation changes, based on the almost-FCS state of the JDK7 docs. enhancements7.html ================== Add: ---begin--- The Oracle JDK implementation no longer restricts key lengths in its jurisdiction policy files. ---end--- You can point to the SunProviders documents if you like. SunProviders.html ================= In the section "Import Limits on Cryptographic Algorithms". ---begin--- The Oracle implementation's default jurisdiction policy files no longer limit the key length of cryptographic algorithms. It is the user's responsibility to ensure that use of the JDK is allowed under local regulations. ---end--- Then comment out the table, and add to the comment that "here are the previous values for those that might want to reuse this table.". CryptoSpec.html =============== Replace: ---begin--- The JCA framework includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations). Any such restrictions are specified in "jurisdiction policy files". Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped with the Java SE Development Kit 6 from Sun Microsystems specify that "strong" but limited cryptography may be used. An "unlimited strength" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the "strong" version can be imported into those countries whose governments mandate restrictions. The JCA framework will enforce the restrictions specified in the installed jurisdiction policy files. ---end--- with: ---begin--- The JCA framework includes the ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations). These restrictions are specified in "jurisdiction policy files". By default, the Oracle JDK implementation policy files no longer has such restrictions, but other implementations may continue to do so. Applications should always be coded to account for this possibility. ---end--- Then in Appendix C, change to say: "By default, the Oracle JDK implementation's policy files no longer restrict key sizes. For more info..." HowToImplAProvider ================== Remove: ---begin--- Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped with the JDK 6 from Sun Microsystems specify that "strong" but limited cryptography may be used. An "unlimited" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the "strong" version can be imported into those countries whose governments mandate restrictions. The JCA framework will enforce the restrictions specified in the installed jurisdiction policy files. ---end-- JSSERefGuide.html ================= Remove this footnote and its anchor: 2 Cipher suites that use AES_256 require installation of the JCE Unlimited Strength Jurisdiction Policy Files. See Java SE Download Page. BTW, I noticed several references to Sun or Sun Microsystems in the docs. feel free to wordsmith that, it was very hastily written. I don't know if there is a better term than "the Oracle JDK implementation" to specify our implementation.
10-05-2011
EVALUATION Code is ready, just need to get approval to make the change.
05-05-2011
EVALUATION Will file a separate bug to track update of the unlimited policy text files.
05-05-2011
EVALUATION We have received approval to ship unlimited by default.
05-03-2011

Duplicate :	JDK-8157561 - Ship the unlimited policy files in JDK Updates
Duplicate :	JDK-8170157 - Enable unlimited cryptographic policy by default in Oracle JDK builds
Relates :	JDK-6914617 - JCE framework code signing certificate is expiring at the end of 2010.
Relates :	JDK-7042097 - JDK 7's Unlimited Cryptographic Policy bundle text files must be updated.
Relates :	JDK-8013035 - Improve error message reporting around use of strong crypto encryption requests