changeset 12033:e164409e5948

8157561: Ship the unlimited policy files in JDK Updates Reviewed-by: wetmore, erikj
author coffeys
date Wed, 09 Nov 2016 21:09:10 +0000
parents 1c3b5a7eb5e5
children 15b22e564f41
files make/CopyFiles.gmk make/CreateSecurityJars.gmk make/Tools.gmk make/profile-includes.txt make/src/classes/build/tools/addtorestrictedpkgs/AddToRestrictedPkgs.java make/src/classes/build/tools/customizesecurityfile/AddToRestrictedPkgs.java make/src/classes/build/tools/customizesecurityfile/CryptoLevel.java src/share/classes/javax/crypto/JceSecurity.java src/share/lib/security/java.security-aix src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows test/javax/crypto/CryptoPermission/TestUnlimited.java
diffstat 14 files changed, 730 insertions(+), 148 deletions(-) [+]
--- a/make/CopyFiles.gmk	Wed Nov 09 14:22:45 2016 +0000
+++ b/make/CopyFiles.gmk	Wed Nov 09 21:09:10 2016 +0000
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -357,18 +357,21 @@
 RESTRICTED_PKGS_SRC := $(JDK_TOPDIR)/src/closed/share/lib/security/restricted.pkgs
 RESTRICTED_PKGS := $(shell $(CAT) $(RESTRICTED_PKGS_SRC) | $(TR) "\n" " ")
 
+endif
+
 $(PROPS_DST): $(PROPS_SRC)
 	$(MKDIR) -p $(@D)
-	$(TOOL_ADDTORESTRICTEDPKGS) $^ $@.tmp $(RESTRICTED_PKGS)
+        ifndef OPENJDK
+	  $(TOOL_ADDTORESTRICTEDPKGS) $^ $@.tmp $(RESTRICTED_PKGS)
+        else
+	  $(CP) $^ $@.tmp
+        endif
+        ifeq ($(UNLIMITED_CRYPTO), true)
+	  $(TOOL_CRYPTOLEVEL) $@.tmp $@.tmp2 unlimited
+	  $(MV) $@.tmp2 $@.tmp
+        endif
 	$(MV) $@.tmp $@
 
-else
-
-$(PROPS_DST): $(PROPS_SRC)
-	$(call install-file)
-
-endif
-
 COPY_FILES += $(PROPS_DST)
 
 ##########################################################################################
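Review bot: The recipe for `$(PROPS_DST)` now has two make conditionals inside it, and nothing in the hunk says why java.security is rewritten at build time. A comment above the rule would record it, e.g. `# Post-process java.security: add restricted packages (closed builds only) and set crypto.policy=unlimited when UNLIMITED_CRYPTO is true.` The rule's only visible prerequisite is `$(PROPS_SRC)`, so changing UNLIMITED_CRYPTO in an existing build tree probably does not regenerate the file, and the shipped crypto.policy default could lag the configuration; worth confirming. The hunk begins inside a conditional that is opened above it.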
--- a/make/CreateSecurityJars.gmk	Wed Nov 09 14:22:45 2016 +0000
+++ b/make/CreateSecurityJars.gmk	Wed Nov 09 21:09:10 2016 +0000
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -178,7 +178,10 @@
 
 ##########################################################################################
 
-US_EXPORT_POLICY_JAR_DST := $(JDK_OUTPUTDIR)/lib/security/US_export_policy.jar
+US_EXPORT_POLICY_JAR_UNLIMITED_DST := \
+    $(JDK_OUTPUTDIR)/lib/security/policy/unlimited/US_export_policy.jar
+US_EXPORT_POLICY_JAR_LIMITED_DST := \
+    $(JDK_OUTPUTDIR)/lib/security/policy/limited/US_export_policy.jar
 
 ifneq ($(BUILD_CRYPTO), no)
 
@@ -220,27 +223,29 @@
 endif
 
 ifndef OPENJDK
-  ifeq ($(UNLIMITED_CRYPTO), true)
-    $(error No prebuilt unlimited crypto jars available)
-  endif
-  $(US_EXPORT_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/US_export_policy.jar
+  $(US_EXPORT_POLICY_JAR_UNLIMITED_DST): \
+    $(JDK_TOPDIR)/make/closed/tools/crypto/jce/unlimited/US_export_policy.jar
+	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
+	$(install-file)
+  $(US_EXPORT_POLICY_JAR_LIMITED_DST): \
+    $(JDK_TOPDIR)/make/closed/tools/crypto/jce/limited/US_export_policy.jar
 	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
-  ifeq ($(UNLIMITED_CRYPTO), true)
-    $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
+  $(US_EXPORT_POLICY_JAR_UNLIMITED_DST): $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
 	$(install-file)
-  else
-    $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED)
+  $(US_EXPORT_POLICY_JAR_LIMITED_DST): $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED)
 	$(install-file)
   endif
-endif
 
-TARGETS += $(US_EXPORT_POLICY_JAR_DST)
+TARGETS += $(US_EXPORT_POLICY_JAR_UNLIMITED_DST) $(US_EXPORT_POLICY_JAR_LIMITED_DST)
 
 ##########################################################################################
 
-LOCAL_POLICY_JAR_DST := $(JDK_OUTPUTDIR)/lib/security/local_policy.jar
+LOCAL_POLICY_JAR_LIMITED_DST := \
+    $(JDK_OUTPUTDIR)/lib/security/policy/limited/local_policy.jar
+LOCAL_POLICY_JAR_UNLIMITED_DST := \
+    $(JDK_OUTPUTDIR)/lib/security/policy/unlimited/local_policy.jar
 
 ifneq ($(BUILD_CRYPTO), no)
 
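Review bot: Both policy sets are now installed unconditionally, and the closed-source branch loses the `$(error No prebuilt unlimited crypto jars available)` guard, so a missing prebuilt jar would presumably surface only as a generic missing-target failure. A short comment above `ifndef OPENJDK` would state the intent, e.g. `# Always ship both limited and unlimited policy jars; the crypto.policy Security property selects one at runtime.` The two closed-build rules print the same `Copying prebuilt $(@F)` line, so the log does not show which variant was copied. The surviving `endif` keeps its two-space indent although it now closes the outer conditional. The local_policy.jar rules in the @@ -293 hunk have the same issues.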
@@ -293,20 +298,20 @@
 endif
 
 ifndef OPENJDK
-  $(LOCAL_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/local_policy.jar
+  $(LOCAL_POLICY_JAR_UNLIMITED_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/unlimited/local_policy.jar
+	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
+	$(install-file)
+  $(LOCAL_POLICY_JAR_LIMITED_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/limited/local_policy.jar
 	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
-  ifeq ($(UNLIMITED_CRYPTO), true)
-    $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
+  $(LOCAL_POLICY_JAR_UNLIMITED_DST): $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
 	$(install-file)
-  else
-    $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED)
+  $(LOCAL_POLICY_JAR_LIMITED_DST): $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED)
 	$(install-file)
   endif
-endif
 
-TARGETS += $(LOCAL_POLICY_JAR_DST)
+TARGETS += $(LOCAL_POLICY_JAR_UNLIMITED_DST) $(LOCAL_POLICY_JAR_LIMITED_DST)
 
 ##########################################################################################
 
--- a/make/Tools.gmk	Wed Nov 09 14:22:45 2016 +0000
+++ b/make/Tools.gmk	Wed Nov 09 21:09:10 2016 +0000
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -132,7 +132,10 @@
     build.tools.deps.CheckDeps
 
 TOOL_ADDTORESTRICTEDPKGS=$(JAVA_SMALL) -cp $(JDK_OUTPUTDIR)/btclasses \
-    build.tools.addtorestrictedpkgs.AddToRestrictedPkgs
+    build.tools.customizesecurityfile.AddToRestrictedPkgs
+
+TOOL_CRYPTOLEVEL=$(JAVA_SMALL) -cp $(JDK_OUTPUTDIR)/btclasses \
+    build.tools.customizesecurityfile.CryptoLevel
 
 ##########################################################################################
 
--- a/make/profile-includes.txt	Wed Nov 09 14:22:45 2016 +0000
+++ b/make/profile-includes.txt	Wed Nov 09 21:09:10 2016 +0000
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -183,13 +183,15 @@
     net.properties \
     resources.jar \
     rt.jar \
-    security/US_export_policy.jar \
+    security/policy/limited/US_export_policy.jar \
+    security/policy/unlimited/US_export_policy.jar \
     security/blacklist \
     security/blacklisted.certs \
     security/cacerts \
     security/java.policy \
     security/java.security \
-    security/local_policy.jar \
+    security/policy/limited/local_policy.jar \
+    security/policy/unlimited/local_policy.jar \
     security/trusted.libraries \
     tzdb.dat
 
@@ -218,8 +220,10 @@
     jsse.jar \
     resources.jar \
     rt.jar \
-    security/US_export_policy.jar \
-    security/local_policy.jar
+    security/policy/limited/US_export_policy.jar \
+    security/policy/unlimited/US_export_policy.jar \
+    security/policy/limited/local_policy.jar \
+    security/policy/unlimited/local_policy.jar
 
 
 PROFILE_2_JRE_BIN_FILES := \
--- a/make/src/classes/build/tools/addtorestrictedpkgs/AddToRestrictedPkgs.java	Wed Nov 09 14:22:45 2016 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,105 +0,0 @@
-/*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package build.tools.addtorestrictedpkgs;
-
-import java.io.*;
-
-/**
- * Adds additional packages to the package.access and package.definition
- * security properties.
- */
-public class AddToRestrictedPkgs {
-
-    private static final String PKG_ACC = "package.access";
-    private static final String PKG_DEF = "package.definition";
-    private static final int PKG_ACC_INDENT = 15;
-    private static final int PKG_DEF_INDENT = 19;
-
-    public static void main(String[] args) throws Exception {
-
-        if (args.length < 3) {
-            System.err.println("Usage: java AddToRestrictedPkgs " +
-                               "[input java.security file name] " +
-                               "[output java.security file name] " +
-                               "[packages ...]");
-            System.exit(1);
-        }
-
-        try (FileReader fr = new FileReader(args[0]);
-             BufferedReader br = new BufferedReader(fr);
-             FileWriter fw = new FileWriter(args[1]);
-             BufferedWriter bw = new BufferedWriter(fw))
-        {
-            // parse the file line-by-line, looking for pkg access properties
-            String line = br.readLine();
-            while (line != null) {
-                if (line.startsWith(PKG_ACC)) {
-                    writePackages(br, bw, line, PKG_ACC_INDENT, args);
-                } else if (line.startsWith(PKG_DEF)) {
-                    writePackages(br, bw, line, PKG_DEF_INDENT, args);
-                } else {
-                    writeLine(bw, line);
-                }
-                line = br.readLine();
-            }
-            bw.flush();
-        }
-    }
-
-    private static void writePackages(BufferedReader br, BufferedWriter bw,
-                                      String line, int numSpaces,
-                                      String[] args) throws IOException {
-        // parse property until EOL, not including line breaks
-        while (line.endsWith("\\")) {
-            writeLine(bw, line);
-            line = br.readLine();
-        }
-        // append comma and line-break to last package
-        writeLine(bw, line + ",\\");
-        // add new packages, one per line
-        for (int i = 2; i < args.length - 1; i++) {
-            indent(bw, numSpaces);
-            writeLine(bw, args[i] + ",\\");
-        }
-        indent(bw, numSpaces);
-        writeLine(bw, args[args.length - 1]);
-    }
-
-    private static void writeLine(BufferedWriter bw, String line)
-        throws IOException
-    {
-        bw.write(line);
-        bw.newLine();
-    }
-
-    private static void indent(BufferedWriter bw, int numSpaces)
-        throws IOException
-    {
-        for (int i = 0; i < numSpaces; i++) {
-            bw.append(' ');
-        }
-    }
-}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/src/classes/build/tools/customizesecurityfile/AddToRestrictedPkgs.java	Wed Nov 09 21:09:10 2016 +0000
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package build.tools.customizesecurityfile;
+
+import java.io.*;
+
+/**
+ * Adds additional packages to the package.access and package.definition
+ * security properties.
+ */
+public class AddToRestrictedPkgs {
+
+    private static final String PKG_ACC = "package.access";
+    private static final String PKG_DEF = "package.definition";
+    private static final int PKG_ACC_INDENT = 15;
+    private static final int PKG_DEF_INDENT = 19;
+
+    public static void main(String[] args) throws Exception {
+
+        if (args.length < 3) {
+            System.err.println("Usage: java AddToRestrictedPkgs " +
+                               "[input java.security file name] " +
+                               "[output java.security file name] " +
+                               "[packages ...]");
+            System.exit(1);
+        }
+
+        try (FileReader fr = new FileReader(args[0]);
+             BufferedReader br = new BufferedReader(fr);
+             FileWriter fw = new FileWriter(args[1]);
+             BufferedWriter bw = new BufferedWriter(fw))
+        {
+            // parse the file line-by-line, looking for pkg access properties
+            String line = br.readLine();
+            while (line != null) {
+                if (line.startsWith(PKG_ACC)) {
+                    writePackages(br, bw, line, PKG_ACC_INDENT, args);
+                } else if (line.startsWith(PKG_DEF)) {
+                    writePackages(br, bw, line, PKG_DEF_INDENT, args);
+                } else {
+                    writeLine(bw, line);
+                }
+                line = br.readLine();
+            }
+            bw.flush();
+        }
+    }
+
+    private static void writePackages(BufferedReader br, BufferedWriter bw,
+                                      String line, int numSpaces,
+                                      String[] args) throws IOException {
+        // parse property until EOL, not including line breaks
+        while (line.endsWith("\\")) {
+            writeLine(bw, line);
+            line = br.readLine();
+        }
+        // append comma and line-break to last package
+        writeLine(bw, line + ",\\");
+        // add new packages, one per line
+        for (int i = 2; i < args.length - 1; i++) {
+            indent(bw, numSpaces);
+            writeLine(bw, args[i] + ",\\");
+        }
+        indent(bw, numSpaces);
+        writeLine(bw, args[args.length - 1]);
+    }
+
+    private static void writeLine(BufferedWriter bw, String line)
+        throws IOException
+    {
+        bw.write(line);
+        bw.newLine();
+    }
+
+    private static void indent(BufferedWriter bw, int numSpaces)
+        throws IOException
+    {
+        for (int i = 0; i < numSpaces; i++) {
+            bw.append(' ');
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/src/classes/build/tools/customizesecurityfile/CryptoLevel.java	Wed Nov 09 21:09:10 2016 +0000
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package build.tools.customizesecurityfile;
+
+import java.io.*;
+
+/**
+ * Alters the crypto.policy security property
+ * if --enable-unlimited-crypto is enabled.
+ */
+public class CryptoLevel {
+
+    private static final String PROP_NAME = "crypto.policy";
+
+    public static void main(String[] args) throws Exception {
+        boolean fileModified = false;
+
+        if (args.length < 3) {
+            System.err.println("Usage: java CryptoLevel" +
+                               "[input java.security file name] " +
+                               "[output java.security file name] " +
+                               "[unlimited|limited]");
+            System.exit(1);
+        }
+        if (!args[2].equals("unlimited") && !args[2].equals("limited")) {
+            System.err.println("CryptoLevel error: Unexpected " +
+                "input: " + args[2]);
+            System.exit(1);
+        }
+
+        try (FileReader fr = new FileReader(args[0]);
+             BufferedReader br = new BufferedReader(fr);
+             FileWriter fw = new FileWriter(args[1]);
+             BufferedWriter bw = new BufferedWriter(fw))
+        {
+            // parse the file line-by-line, looking for crypto.policy
+            String line = br.readLine();
+            while (line != null) {
+                if (line.startsWith('#' + PROP_NAME) ||
+                    line.startsWith(PROP_NAME)) {
+                    writeLine(bw, PROP_NAME + "=" + args[2]);
+                    fileModified = true;
+                } else {
+                    writeLine(bw, line);
+                }
+                line = br.readLine();
+            }
+            if (!fileModified) {
+                //no previous setting seen. Insert at end
+                writeLine(bw, PROP_NAME + "=" + args[2]);
+            }
+            bw.flush();
+        }
+    }
+
+    private static void writeLine(BufferedWriter bw, String line)
+        throws IOException
+    {
+        bw.write(line);
+        bw.newLine();
+    }
+}
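Review bot: The test `line.startsWith(PROP_NAME)` is a bare prefix match, so any line whose key merely begins with crypto.policy, or any comment starting `#crypto.policy`, is replaced, and every matching line is rewritten rather than only the first. Requiring the key to be followed by `=` would be tighter, e.g. `String k = line.startsWith("#") ? line.substring(1) : line;` followed by `if (k.startsWith(PROP_NAME + "=")) {`. The usage string is missing a space after `CryptoLevel`, so it prints `CryptoLevel[input java.security file name]`. FileReader and FileWriter use the platform default charset, which may not round-trip non-ASCII bytes in java.security; worth confirming against how the file is read at runtime.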
--- a/src/share/classes/javax/crypto/JceSecurity.java	Wed Nov 09 14:22:45 2016 +0000
+++ b/src/share/classes/javax/crypto/JceSecurity.java	Wed Nov 09 21:09:10 2016 +0000
@@ -29,12 +29,14 @@
 import java.util.jar.*;
 import java.io.*;
 import java.net.URL;
+import java.nio.file.*;
 import java.security.*;
 
 import java.security.Provider.Service;
 
 import sun.security.jca.*;
 import sun.security.jca.GetInstance.Instance;
+import sun.security.util.Debug;
 
 /**
  * This class instantiates implementations of JCE engine classes from
@@ -66,6 +68,9 @@
 
     private static final boolean isRestricted;
 
+    private static final Debug debug =
+                        Debug.getInstance("jca", "Cipher");
+
     /*
      * Don't let anyone instantiate this.
      */
@@ -204,7 +209,7 @@
 
     static {
         try {
-            NULL_URL = new URL("http://null.sun.com/");
+            NULL_URL = new URL("http://null.oracle.com/");
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -239,14 +244,70 @@
         }
     }
 
+    /*
+     * This is called from within an doPrivileged block.
+     *
+     * Following logic is used to decide what policy files are selected.
+     *
+     * If the new Security property (crypto.policy) is set in the
+     * java.security file, or has been set dynamically using the
+     * Security.setProperty() call before the JCE framework has
+     * been initialized, that setting will be used.
+     * Remember - this property is not defined by default. A conscious
+     * user edit or an application call is required.
+     *
+     * Otherwise, if user has policy jar files installed in the legacy
+     * jre/lib/security/ directory, the JDK will honor whatever
+     * setting is set by those policy files. (legacy/current behavior)
+     *
+     * If none of the above 2 conditions are met, the JDK will default
+     * to using the limited crypto policy files found in the
+     * jre/lib/security/policy/limited/ directory
+     */
     private static void setupJurisdictionPolicies() throws Exception {
-        String javaHomeDir = System.getProperty("java.home");
-        String sep = File.separator;
-        String pathToPolicyJar = javaHomeDir + sep + "lib" + sep +
-            "security" + sep;
+        // Sanity check the crypto.policy Security property.  Single
+        // directory entry, no pseudo-directories (".", "..", leading/trailing
+        // path separators). normalize()/getParent() will help later.
+        String javaHomeProperty = System.getProperty("java.home");
+        String cryptoPolicyProperty = Security.getProperty("crypto.policy");
+        Path cpPath = (cryptoPolicyProperty == null) ? null :
+                Paths.get(cryptoPolicyProperty);
 
-        File exportJar = new File(pathToPolicyJar, "US_export_policy.jar");
-        File importJar = new File(pathToPolicyJar, "local_policy.jar");
+        if ((cpPath != null) && ((cpPath.getNameCount() != 1) ||
+                (cpPath.compareTo(cpPath.getFileName())) != 0)) {
+            throw new SecurityException(
+                    "Invalid policy directory name format: " +
+                            cryptoPolicyProperty);
+        }
+
+        if (cpPath == null) {
+            // Security property is not set, use default path
+            cpPath = Paths.get(javaHomeProperty, "lib", "security");
+        } else {
+            // populate with java.home
+            cpPath = Paths.get(javaHomeProperty, "lib", "security",
+                    "policy", cryptoPolicyProperty);
+        }
+
+        if (debug != null) {
+            debug.println("crypto policy directory: " + cpPath);
+        }
+
+        File exportJar = new File(cpPath.toFile(),"US_export_policy.jar");
+        File importJar = new File(cpPath.toFile(),"local_policy.jar");
+
+        if (cryptoPolicyProperty == null && (!exportJar.exists() ||
+                !importJar.exists())) {
+            // Compatibility set up. If crypto.policy is not defined.
+            // check to see if legacy jars exist in lib directory. If
+            // they don't exist, we default to limited policy mode.
+            cpPath = Paths.get(
+                    javaHomeProperty, "lib", "security", "policy", "limited");
+            // point to the new jar files in limited directory
+            exportJar = new File(cpPath.toFile(),"US_export_policy.jar");
+            importJar = new File(cpPath.toFile(),"local_policy.jar");
+        }
+
         URL jceCipherURL = ClassLoader.getSystemResource
                 ("javax/crypto/Cipher.class");
 
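Review bot: The sanity check on crypto.policy does not reject "." or ".." (nor, it appears, an empty value). Each is a one-element path equal to its own file name, so it passes `getNameCount() != 1 || compareTo(getFileName()) != 0`, and the normalize()/getParent() step the comment promises is not in the visible lines. With ".." the jars would be looked up in the legacy lib/security directory instead of a policy subdirectory. Normalising the joined path and requiring its parent to be the policy directory closes the gap, as sketched below. setupJurisdictionPolicies continues past the end of the hunk, so a later check may exist; separately, `Paths.get` can throw InvalidPathException before the SecurityException branch is reached.

```java
        } else {
            // populate with java.home, then confirm the result is a direct
            // child of <java.home>/lib/security/policy
            Path policyDir = Paths.get(javaHomeProperty, "lib", "security",
                    "policy").normalize();
            cpPath = policyDir.resolve(cryptoPolicyProperty).normalize();
            if (!policyDir.equals(cpPath.getParent())) {
                throw new SecurityException(
                        "Invalid policy directory name format: " +
                                cryptoPolicyProperty);
            }
        }
        // … unchanged: debug output and export/import jar File setup …
```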
--- a/src/share/lib/security/java.security-aix	Wed Nov 09 14:22:45 2016 +0000
+++ b/src/share/lib/security/java.security-aix	Wed Nov 09 21:09:10 2016 +0000
@@ -661,3 +661,68 @@
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
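Review bot: The new comment block does not say what form a crypto.policy value must take, although the JceSecurity check in this changeset rejects anything that is not a single path element. A line such as `# The value must be a single directory name under <java-home>/lib/security/policy, with no path separators.` after "however other directories can be created and configured" would make the constraint visible to administrators. The paragraph about installing the unlimited strength policy JAR files into every JRE describes the legacy procedure and sits awkwardly beside the property-based selection; consider marking it as applying only to the legacy location. The java.security-linux hunk adds the same text.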
--- a/src/share/lib/security/java.security-linux	Wed Nov 09 14:22:45 2016 +0000
+++ b/src/share/lib/security/java.security-linux	Wed Nov 09 21:09:10 2016 +0000
@@ -661,3 +661,68 @@
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
--- a/src/share/lib/security/java.security-macosx	Wed Nov 09 14:22:45 2016 +0000
+++ b/src/share/lib/security/java.security-macosx	Wed Nov 09 21:09:10 2016 +0000
@@ -664,3 +664,68 @@
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
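Review bot: The sentence `# however other directories can be created and configured.` does not say which values crypto.policy accepts, although the value selects which policy jars are loaded. TestUnlimited.java in this changeset expects `.`, `./unlimited`, `../policy/unlimited` and `/tmp/unlimited` to raise an exception, so the constraint appears to be a plain directory name under <java-home>/lib/security/policy. I would state that, e.g. `# The value must name a directory directly under <java-home>/lib/security/policy; absolute and relative paths are not accepted.` The paragraph asking Windows users to "install the unlimited strength policy JAR files for all JREs" also reads as stale if the jars now ship in the policy directory, as the commit title suggests. The same text is added to java.security-solaris and java.security-windows below.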
--- a/src/share/lib/security/java.security-solaris	Wed Nov 09 14:22:45 2016 +0000
+++ b/src/share/lib/security/java.security-solaris	Wed Nov 09 21:09:10 2016 +0000
@@ -663,3 +663,68 @@
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
--- a/src/share/lib/security/java.security-windows	Wed Nov 09 14:22:45 2016 +0000
+++ b/src/share/lib/security/java.security-windows	Wed Nov 09 21:09:10 2016 +0000
@@ -664,3 +664,68 @@
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/javax/crypto/CryptoPermission/TestUnlimited.java	Wed Nov 09 21:09:10 2016 +0000
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8157561
+ * @summary Ship the unlimited policy files in JDK Updates
+ * @run main/othervm TestUnlimited "" exception
+ * @run main/othervm TestUnlimited limited fail
+ * @run main/othervm TestUnlimited unlimited pass
+ * @run main/othervm TestUnlimited unlimited/ pass
+ * @run main/othervm TestUnlimited NosuchDir exception
+ * @run main/othervm TestUnlimited . exception
+ * @run main/othervm TestUnlimited /tmp/unlimited exception
+ * @run main/othervm TestUnlimited ../policy/unlimited exception
+ * @run main/othervm TestUnlimited ./unlimited exception
+ * @run main/othervm TestUnlimited /unlimited exception
+ */
+import javax.crypto.*;
+import java.security.Security;
+
+public class TestUnlimited {
+
+    public static void main(String[] args) throws Exception {
+        /*
+         * Override the Security property to allow for unlimited policy.
+         * Would need appropriate permissions if Security Manager were
+         * active.
+         */
+        if (args.length != 2) {
+            throw new Exception("Two args required");
+        }
+
+        boolean expected = args[1].equals("pass");
+        boolean exception = args[1].equals("exception");
+        boolean result = false;
+
+        System.out.println("Testing: " + args[0]);
+
+        if (args[0].equals("\"\"")) {
+            Security.setProperty("crypto.policy", "");
+        } else {
+            Security.setProperty("crypto.policy", args[0]);
+        }
+
+        /*
+         * Use the AES as the test Cipher
+         * If there is an error initializing, we will never get past here.
+         */
+        try {
+            int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
+            System.out.println("max AES key len:" + maxKeyLen);
+            if (maxKeyLen > 128) {
+                System.out.println("Unlimited policy is active");
+                result = true;
+            } else {
+                System.out.println("Unlimited policy is NOT active");
+                result = false;
+            }
+        } catch (Throwable e) {
+            if (!exception) {
+                throw new Exception();
+            }
+        }
+
+        System.out.println(
+                "Expected:\t" + expected + "\nResult:\t\t" + result);
+        if (expected != result) {
+            throw new Exception();
+        }
+
+        System.out.println("DONE!");
+    }
+}
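Review bot: The `exception` runs never check that an exception was actually thrown. In `main`, when `args[1]` is `exception`, both `expected` and `result` are false, so the final `expected != result` comparison passes whether `Cipher.getMaxAllowedKeyLength("AES")` throws or quietly returns 128. A run such as `TestUnlimited NosuchDir exception` would therefore still pass if an invalid crypto.policy value silently fell back to the limited policy. Record the throw with a flag set in the catch block and, after the try, add `if (exception && !thrown) throw new Exception("expected an exception for crypto.policy=" + args[0]);`. The bare `throw new Exception()` in the catch should also keep the cause, `throw new Exception("unexpected failure", e);`, so a failing run shows why initialization failed.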