Java Cryptography Support

Limited cryptography support in Java

Some functionality in S/Notify may be affected by cryptography limitations in older Java versions. This document explains the consequences you should know about and how to avoid them.

TL;DR

To avoid any Java cryptography limitations, we recommend that you use at least Atlassian Jira 7.13.1 (ships with Java 1.8.0_181) and Atlassian Confluence 6.13.1 (ships with Java 1.8.0_162).

Older versions of Jira and Confluence are now out of maintenance anyway, so you should not be affected any more by any of the limitations explained on this page.

Background

Oracle used to ship Java with limited cryptography support. Up to Java 1.8, encryption was limited to a maximum key length of 128 bits by default. Beginning with Java 1.9, Oracle ships Java with unlimited cryptography. To complicate matters, support for unlimited cryptography was back-ported to Java 1.8 in update 162. Even before that update, support was either shipped but inactive, or not shipped but could be added by updating the policy files. Read on for details about which version requires which steps to enable unlimited cryptography.

Problem symptoms

Limited cryptography will not necessarily cause any failures. For example, if the Java runtime limits cryptography, S/Notify automatically falls back to using AES-128 encryption. However, this may not be what you want.

Another symptom of the limited cryptography support can be that S/Notify cannot load your key store, with the log displaying messages like these:

[n.s.s.a.mailer.decryptor.ASmimeMailDecryptor] Could not load secret key. Error message: error constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider SAVIGNANO-BC
java.io.IOException: error constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider SAVIGNANO-BC
        at net.savignano.thirdparty.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(PKCS12KeyStoreSpi.java:856)

How to enable unlimited cryptography support

Java 1.8 prior to update 151

Before Java 1.8_151, it was necessary to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. Unzip the archive and replace local_policy.jar and US_export_policy.jar in your <java-home>/lib/security directory.

Java 1.8 from update 151 and before update 162

From Java 1.8_151, Oracle started to ship the unlimited policy files with Java by default. However, they were not active by default. To activate them, edit <jre_home>/lib/security/java.security, search for the line #crypto.policy=unlimited and remove the # character to uncomment it.

Java 1.8 update 162 and later

From Java 1.8_162, unlimited policy files are shipped, and the cryptography policy is set to unlimited by default, so no modifications should be necessary.

Java 1.9

In Java 1.9, unlimited policy files are shipped, and the cryptography policy is set to unlimited by default, so no modifications should be necessary.
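To confirm which policy a given Java runtime actually enforces, the following added diagnostic (not part of S/Notify or the original page; the class name CryptoPolicyCheck is hypothetical) reports the effective AES key limit and attempts a real AES-256 encryption. It uses only standard JDK APIs.

```java
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (hypothetical class name): reports whether this JVM limits key sizes. */
public class CryptoPolicyCheck {

    /** Maximum AES key length in bits under the active policy; Integer.MAX_VALUE means unlimited. */
    static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Initialises and runs an AES cipher with a random key of the given size, as real encryption would. */
    static boolean canUseAes(int keyBits) throws Exception {
        byte[] key = new byte[keyBits / 8];
        byte[] iv = new byte[12];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(key);
        rng.nextBytes(iv);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
            c.doFinal("policy probe".getBytes("UTF-8"));
            return true;
        } catch (InvalidKeyException e) {
            // A limited policy rejects oversized keys at init() time
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyBits();
        System.out.println("java.version  : " + System.getProperty("java.version"));
        System.out.println("java.home     : " + System.getProperty("java.home"));
        // Null when the property is not set in java.security
        System.out.println("crypto.policy : " + Security.getProperty("crypto.policy"));
        System.out.println("max AES bits  : " + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));
        System.out.println("AES-128 usable: " + canUseAes(128));
        System.out.println("AES-256 usable: " + canUseAes(256));
        if (max < 256) {
            System.out.println("Limited policy active: follow the steps for your Java update level.");
            System.exit(1);
        }
    }
}
```

Compile and run it with the same Java installation that Jira or Confluence uses, since the policy files and java.security belong to that specific java.home.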




The S/Notify Email Encryption apps are brought to you by savignano software solutions, a small yet savvy IT solutions company in Germany.