How can I configure Java Cryptography Extension (JCE) in OpenJDK 11
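Before Java 8, it was necessary to download and install JCE into the JDK in order to use it. I could not find a downloadable extension for Java 11. Is there a way to check whether it is configured by default? Or should I activate it manually through configuration?
In OpenJDK 11 the unlimited crypto policies are installed by default. You can check this with a small program that gives this output on my PC: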
Check for unlimited crypto policies
Java version: 11.0.6+8-b520.43
restricted cryptography: false Notice: 'false' means unlimited policies
Security properties: unlimited
Max AES key length = 2147483647
Code:
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import java.security.Security;

public class UnlimitedCryptoPoliciesCheck {
    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Security.setProperty("crypto.policy", "limited"); // uncomment to switch to limited crypto policies
        System.out.println("Check for unlimited crypto policies");
        System.out.println("Java version: " + Runtime.version());
        //Security.setProperty("crypto.policy", "limited"); // must be set at the very beginning!
        System.out.println("restricted cryptography: " + restrictedCryptography() + " Notice: 'false' means unlimited policies"); // false means unlimited crypto
        System.out.println("Security properties: " + Security.getProperty("crypto.policy"));
        int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length = " + maxKeyLen);
    }

    /**
     * Determines if cryptography restrictions apply.
     * Restrictions apply if the value of {@link Cipher#getMaxAllowedKeyLength(String)} returns a value smaller than {@link Integer#MAX_VALUE} if there are any restrictions according to the JavaDoc of the method.
     * This method is used with the transform <code>"AES/CBC/PKCS5Padding"</code> as this is an often used algorithm that is <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#impl">an implementation requirement for Java SE</a>.
     *
     * @return <code>true</code> if restrictions apply, <code>false</code> otherwise
     * https://whosebug.com/posts/33849265/edit, author Maarten Bodewes
     */
    public static boolean restrictedCryptography() {
        try {
            return Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding") < Integer.MAX_VALUE;
        } catch (final NoSuchAlgorithmException e) {
            throw new IllegalStateException("The transform \"AES/CBC/PKCS5Padding\" is not available (the availability of this algorithm is mandatory for Java SE implementations)", e);
        }
    }
}
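If you want (or have) to switch from the unlimited to the limited crypto policies, you can do so with one line of code placed first (meaning this line should be executed directly after your program starts, otherwise it will not work - just remove the comment marks):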
Security.setProperty("crypto.policy", "limited");
This is the result when switching to "limited":
Check for unlimited crypto policies
Java version: 11.0.6+8-b520.43
restricted cryptography: true Notice: 'false' means unlimited policies
Security properties: limited
Max AES key length = 128
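A startup guard built on the same check, as an added example that is not part of the original answer: it reports the policy's key-length caps for a few algorithms and then proves AES-256 is usable with a real AES-256-GCM round trip, failing fast if the limited policy is in effect. The class name CryptoPolicyGuard and the method aes256Usable are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;

// Hypothetical startup guard (added example): refuse to run when the JVM's
// crypto policy does not allow AES-256.
public class CryptoPolicyGuard {

    /** Returns true if the policy permits AES-256 and an AES-256-GCM round trip succeeds. */
    static boolean aes256Usable() throws GeneralSecurityException {
        if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
            return false; // policy caps AES below 256 bits
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12]; // 96-bit nonce, fresh for this single self-test
        new SecureRandom().nextBytes(iv);
        byte[] msg = "policy self-test".getBytes(StandardCharsets.UTF_8); // constructed sample input
        try {
            Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
            enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = enc.doFinal(msg);
            Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
            dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
            return Arrays.equals(msg, dec.doFinal(ct));
        } catch (InvalidKeyException e) {
            return false; // a limited policy rejects the 256-bit key at init()
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        for (String alg : new String[] {"AES", "RSA", "DESede"}) {
            System.out.println(alg + " max key bits: " + Cipher.getMaxAllowedKeyLength(alg));
        }
        if (!aes256Usable()) {
            throw new IllegalStateException("AES-256 unavailable: limited crypto policy in effect");
        }
        System.out.println("AES-256-GCM self-test passed");
    }
}
```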