changeset 8566:18a07ae9631c jdk7u161-b00

8157561: Ship the unlimited policy files in JDK Updates Reviewed-by: wetmore, erikj
author coffeys
date Mon, 27 Nov 2017 05:36:59 +0000
parents 66788c18c33b
children 14a055f3804c
files make/java/security/Makefile make/javax/crypto/Makefile make/tools/Makefile make/tools/customizesecurityfile/Makefile make/tools/src/build/tools/customizesecurityfile/CryptoLevel.java src/share/classes/javax/crypto/JceSecurity.java src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows test/javax/crypto/CryptoPermission/TestUnlimited.java
diffstat 11 files changed, 592 insertions(+), 24 deletions(-) [+]
line wrap: on
line diff
--- a/make/java/security/Makefile	Mon Nov 27 03:39:06 2017 +0000
+++ b/make/java/security/Makefile	Mon Nov 27 05:36:59 2017 +0000
@@ -1,5 +1,6 @@
 #
 # Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright 2017 Red Hat, Inc.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -82,6 +83,8 @@
 
 FILES_class = $(FILES_java:%.java=$(CLASSBINDIR)/%.class)
 
+CRYPTOLEVEL_JARFILE = $(BUILDTOOLJARDIR)/cryptolevel.jar
+
 #
 # Rules
 #
@@ -107,8 +110,16 @@
 
 trustedlibs: classes $(TRUSTEDLIBS_BUILD)
 
-$(PROPS_BUILD): $(PROPS_SRC)
-	$(install-file)
+$(PROPS_BUILD): $(PROPS_SRC) $(CRYPTOLEVEL_JARFILE)
+	$(prep-target)
+	$(RM) -f $@.tmp
+	$(CP) $< $@.tmp
+ifeq ($(UNLIMITED_CRYPTO), true)
+	  $(BOOT_JAVA_CMD) -jar $(CRYPTOLEVEL_JARFILE) \
+	    $@.tmp $@.tmp2 unlimited
+	  $(MV) $@.tmp2 $@.tmp
+endif
+	$(MV) $@.tmp $@
 
 $(POLICY_BUILD): $(POLICY_SRC)
 	$(install-file)
--- a/make/javax/crypto/Makefile	Mon Nov 27 03:39:06 2017 +0000
+++ b/make/javax/crypto/Makefile	Mon Nov 27 05:36:59 2017 +0000
@@ -1,5 +1,6 @@
 #
 # Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright 2017 Red Hat, Inc.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -157,11 +158,7 @@
 #
 
 ifdef OPENJDK
-ifdef UNLIMITED_CRYPTO
-POLICY = install-unlimited
-else
-POLICY = install-limited
-endif
+POLICY = install-unlimited install-limited
 all: build-jar install-jar build-policy $(POLICY)
 else  # OPENJDK
 ifeq ($(strip $(FILES_java)),)
@@ -258,6 +255,8 @@
 #
 
 POLICY_DESTDIR			= $(LIBDIR)/security
+UNLIMITED_POLICY_DESTDIR	= $(POLICY_DESTDIR)/policy/unlimited
+LIMITED_POLICY_DESTDIR		= $(POLICY_DESTDIR)/policy/limited
 UNSIGNED_POLICY_BUILDDIR	= $(UNSIGNED_DIR)/policy
 
 build-policy: unlimited limited
@@ -432,11 +431,11 @@
 install-limited-jars: \
 	    $(INSTALL_POLICYDIR)/limited/US_export_policy.jar	\
 	    $(INSTALL_POLICYDIR)/limited/local_policy.jar
-	$(MKDIR) -p $(POLICY_DESTDIR)
+	$(MKDIR) -p $(LIMITED_POLICY_DESTDIR)
 	$(RM) \
-	    $(POLICY_DESTDIR)/US_export_policy.jar		\
-	    $(POLICY_DESTDIR)/local_policy.jar
-	$(CP) $^ $(POLICY_DESTDIR)
+	    $(LIMITED_POLICY_DESTDIR)/US_export_policy.jar		\
+	    $(LIMITED_POLICY_DESTDIR)/local_policy.jar
+	$(CP) $^ $(LIMITED_POLICY_DESTDIR)
 
 install-limited: install-limited-jars
 ifndef OPENJDK
@@ -446,11 +445,11 @@
 install-unlimited-jars: \
 	    $(INSTALL_POLICYDIR)/unlimited/US_export_policy.jar	\
 	    $(INSTALL_POLICYDIR)/unlimited/local_policy.jar 
-	$(MKDIR) -p $(POLICY_DESTDIR)
+	$(MKDIR) -p $(UNLIMITED_POLICY_DESTDIR)
 	$(RM) \
-	    $(POLICY_DESTDIR)/US_export_policy.jar		\
-	    $(POLICY_DESTDIR)/local_policy.jar
-	$(CP) $^ $(POLICY_DESTDIR)
+	    $(UNLIMITED_POLICY_DESTDIR)/US_export_policy.jar		\
+	    $(UNLIMITED_POLICY_DESTDIR)/local_policy.jar
+	$(CP) $^ $(UNLIMITED_POLICY_DESTDIR)
 
 install-unlimited: install-unlimited-jars
 ifndef OPENJDK
@@ -477,8 +476,11 @@
 #
 
 clobber clean::
-	$(RM) -r $(JAR_DESTFILE) $(POLICY_DESTDIR)/US_export_policy.jar \
-	    $(POLICY_DESTDIR)/local_policy.jar $(DELETE_DIRS) $(TEMPDIR) \
+	$(RM) -r $(JAR_DESTFILE) $(LIMITED_POLICY_DESTDIR)/US_export_policy.jar \
+	    $(LIMITED_POLICY_DESTDIR)/local_policy.jar \
+	    $(UNLIMITED_POLICY_DESTDIR)/US_export_policy.jar \
+	    $(UNLIMITED_POLICY_DESTDIR)/local_policy.jar \
+	    $(DELETE_DIRS) $(TEMPDIR) \
 	    $(JCE_BUILD_DIR)
 
 .PHONY: build-jar jar build-policy unlimited limited install-jar \
--- a/make/tools/Makefile	Mon Nov 27 03:39:06 2017 +0000
+++ b/make/tools/Makefile	Mon Nov 27 05:36:59 2017 +0000
@@ -37,6 +37,7 @@
   commentchecker            \
   compile_font_config       \
   compile_properties        \
+  customizesecurityfile     \
   dir_diff                  \
   dtdbuilder                \
   generate_break_iterator   \
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/tools/customizesecurityfile/Makefile	Mon Nov 27 05:36:59 2017 +0000
@@ -0,0 +1,43 @@
+#
+# Copyright 2017 Red Hat, Inc.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+#
+# Makefile for building the CryptoLevel tool
+#
+
+BUILDDIR = ../..
+PACKAGE = build.tools.customizesecurityfile
+PRODUCT = tools
+PROGRAM = cryptolevel
+include $(BUILDDIR)/common/Defs.gmk
+
+BUILDTOOL_SOURCE_ROOT = $(BUILDDIR)/tools/src
+BUILDTOOL_MAIN        = $(PKGDIR)/CryptoLevel.java
+
+#
+# Build tool jar rules.
+#
+include $(BUILDDIR)/common/BuildToolJar.gmk
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/tools/src/build/tools/customizesecurityfile/CryptoLevel.java	Mon Nov 27 05:36:59 2017 +0000
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package build.tools.customizesecurityfile;
+
+import java.io.*;
+
+/**
+ * Alters the crypto.policy security property
+ * if --enable-unlimited-crypto is enabled.
+ */
+public class CryptoLevel {
+
+    private static final String PROP_NAME = "crypto.policy";
+
+    public static void main(String[] args) throws Exception {
+        boolean fileModified = false;
+
+        if (args.length < 3) {
+            System.err.println("Usage: java CryptoLevel" +
+                               "[input java.security file name] " +
+                               "[output java.security file name] " +
+                               "[unlimited|limited]");
+            System.exit(1);
+        }
+        if (!args[2].equals("unlimited") && !args[2].equals("limited")) {
+            System.err.println("CryptoLevel error: Unexpected " +
+                "input: " + args[2]);
+            System.exit(1);
+        }
+
+        FileReader fr = null;
+        BufferedReader br = null;
+        FileWriter fw = null;
+        BufferedWriter bw = null;
+        try {
+            fr = new FileReader(args[0]);
+            br = new BufferedReader(fr);
+            fw = new FileWriter(args[1]);
+            bw = new BufferedWriter(fw);
+            // parse the file line-by-line, looking for crypto.policy
+            String line = br.readLine();
+            while (line != null) {
+                if (line.startsWith('#' + PROP_NAME) ||
+                    line.startsWith(PROP_NAME)) {
+                    writeLine(bw, PROP_NAME + "=" + args[2]);
+                    fileModified = true;
+                } else {
+                    writeLine(bw, line);
+                }
+                line = br.readLine();
+            }
+            if (!fileModified) {
+                //no previous setting seen. Insert at end
+                writeLine(bw, PROP_NAME + "=" + args[2]);
+            }
+            bw.flush();
+        } finally {
+            if (br != null) { br.close(); }
+            if (bw != null) { bw.close(); }
+            if (fr != null) { fr.close(); }
+            if (fw != null) { fw.close(); }
+        }
+    }
+
+    private static void writeLine(BufferedWriter bw, String line)
+        throws IOException
+    {
+        bw.write(line);
+        bw.newLine();
+    }
+}
--- a/src/share/classes/javax/crypto/JceSecurity.java	Mon Nov 27 03:39:06 2017 +0000
+++ b/src/share/classes/javax/crypto/JceSecurity.java	Mon Nov 27 05:36:59 2017 +0000
@@ -29,12 +29,14 @@
 import java.util.jar.*;
 import java.io.*;
 import java.net.URL;
+import java.nio.file.*;
 import java.security.*;
 
 import java.security.Provider.Service;
 
 import sun.security.jca.*;
 import sun.security.jca.GetInstance.Instance;
+import sun.security.util.Debug;
 
 /**
  * This class instantiates implementations of JCE engine classes from
@@ -67,6 +69,9 @@
     // Set the default value. May be changed in the static initializer.
     private static boolean isRestricted = true;
 
+    private static final Debug debug =
+                        Debug.getInstance("jca", "Cipher");
+
     /*
      * Don't let anyone instantiate this.
      */
@@ -205,7 +210,7 @@
 
     static {
         try {
-            NULL_URL = new URL("http://null.sun.com/");
+            NULL_URL = new URL("http://null.oracle.com/");
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -240,14 +245,70 @@
         }
     }
 
+    /*
+     * This is called from within an doPrivileged block.
+     *
+     * Following logic is used to decide what policy files are selected.
+     *
+     * If the new Security property (crypto.policy) is set in the
+     * java.security file, or has been set dynamically using the
+     * Security.setProperty() call before the JCE framework has
+     * been initialized, that setting will be used.
+     * Remember - this property is not defined by default. A conscious
+     * user edit or an application call is required.
+     *
+     * Otherwise, if user has policy jar files installed in the legacy
+     * jre/lib/security/ directory, the JDK will honor whatever
+     * setting is set by those policy files. (legacy/current behavior)
+     *
+     * If none of the above 2 conditions are met, the JDK will default
+     * to using the limited crypto policy files found in the
+     * jre/lib/security/policy/limited/ directory
+     */
     private static void setupJurisdictionPolicies() throws Exception {
-        String javaHomeDir = System.getProperty("java.home");
-        String sep = File.separator;
-        String pathToPolicyJar = javaHomeDir + sep + "lib" + sep +
-            "security" + sep;
+        // Sanity check the crypto.policy Security property.  Single
+        // directory entry, no pseudo-directories (".", "..", leading/trailing
+        // path separators). normalize()/getParent() will help later.
+        String javaHomeProperty = System.getProperty("java.home");
+        String cryptoPolicyProperty = Security.getProperty("crypto.policy");
+        Path cpPath = (cryptoPolicyProperty == null) ? null :
+                Paths.get(cryptoPolicyProperty);
 
-        File exportJar = new File(pathToPolicyJar, "US_export_policy.jar");
-        File importJar = new File(pathToPolicyJar, "local_policy.jar");
+        if ((cpPath != null) && ((cpPath.getNameCount() != 1) ||
+                (cpPath.compareTo(cpPath.getFileName())) != 0)) {
+            throw new SecurityException(
+                    "Invalid policy directory name format: " +
+                            cryptoPolicyProperty);
+        }
+
+        if (cpPath == null) {
+            // Security property is not set, use default path
+            cpPath = Paths.get(javaHomeProperty, "lib", "security");
+        } else {
+            // populate with java.home
+            cpPath = Paths.get(javaHomeProperty, "lib", "security",
+                    "policy", cryptoPolicyProperty);
+        }
+
+        if (debug != null) {
+            debug.println("crypto policy directory: " + cpPath);
+        }
+
+        File exportJar = new File(cpPath.toFile(),"US_export_policy.jar");
+        File importJar = new File(cpPath.toFile(),"local_policy.jar");
+
+        if (cryptoPolicyProperty == null && (!exportJar.exists() ||
+                !importJar.exists())) {
+            // Compatibility set up. If crypto.policy is not defined.
+            // check to see if legacy jars exist in lib directory. If
+            // they don't exist, we default to limited policy mode.
+            cpPath = Paths.get(
+                    javaHomeProperty, "lib", "security", "policy", "limited");
+            // point to the new jar files in limited directory
+            exportJar = new File(cpPath.toFile(),"US_export_policy.jar");
+            importJar = new File(cpPath.toFile(),"local_policy.jar");
+        }
+
         URL jceCipherURL = ClassLoader.getSystemResource
                 ("javax/crypto/Cipher.class");
 
--- a/src/share/lib/security/java.security-linux	Mon Nov 27 03:39:06 2017 +0000
+++ b/src/share/lib/security/java.security-linux	Mon Nov 27 05:36:59 2017 +0000
@@ -668,6 +668,71 @@
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
 
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
+
 #
 # The policy for the XML Signature secure validation mode. The mode is
 # enabled by setting the property "org.jcp.xml.dsig.secureValidation" to
--- a/src/share/lib/security/java.security-macosx	Mon Nov 27 03:39:06 2017 +0000
+++ b/src/share/lib/security/java.security-macosx	Mon Nov 27 05:36:59 2017 +0000
@@ -673,6 +673,71 @@
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
 
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
+
 #
 # The policy for the XML Signature secure validation mode. The mode is
 # enabled by setting the property "org.jcp.xml.dsig.secureValidation" to
--- a/src/share/lib/security/java.security-solaris	Mon Nov 27 03:39:06 2017 +0000
+++ b/src/share/lib/security/java.security-solaris	Mon Nov 27 05:36:59 2017 +0000
@@ -672,6 +672,71 @@
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
 
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
+
 #
 # The policy for the XML Signature secure validation mode. The mode is
 # enabled by setting the property "org.jcp.xml.dsig.secureValidation" to
--- a/src/share/lib/security/java.security-windows	Mon Nov 27 03:39:06 2017 +0000
+++ b/src/share/lib/security/java.security-windows	Mon Nov 27 05:36:59 2017 +0000
@@ -673,6 +673,71 @@
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
 
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
+
 #
 # The policy for the XML Signature secure validation mode. The mode is
 # enabled by setting the property "org.jcp.xml.dsig.secureValidation" to
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/javax/crypto/CryptoPermission/TestUnlimited.java	Mon Nov 27 05:36:59 2017 +0000
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8157561
+ * @summary Ship the unlimited policy files in JDK Updates
+ * @run main/othervm TestUnlimited "" exception
+ * @run main/othervm TestUnlimited limited fail
+ * @run main/othervm TestUnlimited unlimited pass
+ * @run main/othervm TestUnlimited unlimited/ pass
+ * @run main/othervm TestUnlimited NosuchDir exception
+ * @run main/othervm TestUnlimited . exception
+ * @run main/othervm TestUnlimited /tmp/unlimited exception
+ * @run main/othervm TestUnlimited ../policy/unlimited exception
+ * @run main/othervm TestUnlimited ./unlimited exception
+ * @run main/othervm TestUnlimited /unlimited exception
+ */
+import javax.crypto.*;
+import java.security.Security;
+
+public class TestUnlimited {
+
+    public static void main(String[] args) throws Exception {
+        /*
+         * Override the Security property to allow for unlimited policy.
+         * Would need appropriate permissions if Security Manager were
+         * active.
+         */
+        if (args.length != 2) {
+            throw new Exception("Two args required");
+        }
+
+        boolean expected = args[1].equals("pass");
+        boolean exception = args[1].equals("exception");
+        boolean result = false;
+
+        System.out.println("Testing: " + args[0]);
+
+        if (args[0].equals("\"\"")) {
+            Security.setProperty("crypto.policy", "");
+        } else {
+            Security.setProperty("crypto.policy", args[0]);
+        }
+
+        /*
+         * Use the AES as the test Cipher
+         * If there is an error initializing, we will never get past here.
+         */
+        try {
+            int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
+            System.out.println("max AES key len:" + maxKeyLen);
+            if (maxKeyLen > 128) {
+                System.out.println("Unlimited policy is active");
+                result = true;
+            } else {
+                System.out.println("Unlimited policy is NOT active");
+                result = false;
+            }
+        } catch (Throwable e) {
+            if (!exception) {
+                throw new Exception();
+            }
+        }
+
+        System.out.println(
+                "Expected:\t" + expected + "\nResult:\t\t" + result);
+        if (expected != result) {
+            throw new Exception();
+        }
+
+        System.out.println("DONE!");
+    }
+}