changeset 17416:28c6aa45df76

8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value Reviewed-by: mullan
author wetmore
date Thu, 14 Sep 2017 15:37:37 -0700
parents e03ab7ed0f72
children 5d43e9f98ac8
files src/java.base/share/conf/security/java.security src/java.base/share/conf/security/policy/README.txt
diffstat 2 files changed, 68 insertions(+), 62 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/conf/security/java.security	Thu Sep 14 15:36:00 2017 -0700
+++ b/src/java.base/share/conf/security/java.security	Thu Sep 14 15:37:37 2017 -0700
@@ -678,6 +678,7 @@
 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
     EC keySize < 224
 
+#
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
 #
@@ -742,6 +743,7 @@
         RC4_128, RC4_40, DES_CBC, DES40_CBC, \
         3DES_EDE_CBC
 
+#
 # The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
 # parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
 #
@@ -799,54 +801,38 @@
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
 
+#
 # Cryptographic Jurisdiction Policy defaults
 #
-# Due to the import control restrictions of some countries, the default
-# JCE policy files allow for strong but "limited" cryptographic key
-# lengths to be used.  If your country's cryptographic regulations allow,
-# the "unlimited" strength policy files can be used instead, which contain
-# no restrictions on cryptographic strengths.
+# Import and export control rules on cryptographic software vary from
+# country to country.  By default, Java provides two different sets of
+# cryptographic policy files[1]:
 #
-# If your country has restrictions that don't fit either "limited" or
-# "unlimited", an appropriate set of policy files should be created and
-# configured before using this distribution.  The jurisdiction policy file
-# configuration must reflect the cryptographic restrictions appropriate
-# for your country.
+#     unlimited:  These policy files contain no restrictions on cryptographic
+#                 strengths or algorithms
+#
+#     limited:    These policy files contain more restricted cryptographic
+#                 strengths
+#
+# The default setting is determined by the value of the “crypto.policy”
+# Security property below. If your country or usage requires the
+# traditional restrictive policy, the “limited” Java cryptographic
+# policy is still available and may be appropriate for your environment.
+#
+# If you have restrictions that do not fit either use case mentioned
+# above, Java provides the capability to customize these policy files.
+# The “crypto.policy” security property points to a subdirectory
+# within <java-home>/conf/security/policy/ which can be customized.
+# Please see the <java-home>/conf/security/policy/README.txt file or consult
+# the Java Security Guide/JCA documentation for more information.
 #
 # YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
 # TO DETERMINE THE EXACT REQUIREMENTS.
 #
-# The policy files are flat text files organized into subdirectories of
-# <java-home>/conf/security/policy.  Each directory contains a complete
-# set of policy files.
-#
-# The "crypto.policy" Security property controls the directory selection,
-# and thus the effective cryptographic policy.
-#
-# The default set of directories is:
-#
-#     limited | unlimited
-#
-# however other directories can be created and configured.
-#
-# Within a directory, the effective policy is the combined minimum
-# permissions of the grant statements in the file(s) with the filename
-# pattern "default_*.policy".  At least one grant is required.  For
-# example:
-#
-#     limited   =  Export (all) + Import (limited)  =  Limited
-#     unlimited =  Export (all) + Import (all)      =  Unlimited
-#
-# The effective exemption policy is the combined minimum permissions
-# of the grant statements in the file(s) with the filename pattern
-# "exempt_*.policy".  Exemption grants are optional.
-#
-#     limited   =  grants exemption permissions, by which the
-#                  effective policy can be circumvented.
-#                  e.g.  KeyRecovery/Escrow/Weakening.
-#
-# Please see the JCA documentation for additional information on these
-# files and formats.
+# [1] Please note that the JCE for Java SE, including the JCE framework,
+# cryptographic policy files, and standard JCE providers provided with
+# the Java SE, have been reviewed and approved for export as mass market
+# encryption item by the US Bureau of Industry and Security.
 #
 # Note: This property is currently used by the JDK Reference implementation.
 # It is not guaranteed to be examined and used by other implementations.
--- a/src/java.base/share/conf/security/policy/README.txt	Thu Sep 14 15:36:00 2017 -0700
+++ b/src/java.base/share/conf/security/policy/README.txt	Thu Sep 14 15:37:37 2017 -0700
@@ -5,30 +5,50 @@
                                README
 ------------------------------------------------------------------------
 
+Import and export control rules on cryptographic software vary from
+country to country.  The Java Cryptography Extension (JCE) architecture
+allows flexible cryptographic key strength to be configured via the
+jurisdiction policy files which are referenced by the “crypto.policy”
+security property in the <java-home>/conf/security/java.security file.
 
-The JCE architecture allows flexible cryptographic strength to be
-configured via the jurisdiction policy files contained within these
-directories.
+By default, Java provides two different sets of cryptographic policy
+files:
 
-The default JCE policy files bundled in this Java Runtime Environment
-allow for "unlimited" cryptographic strengths.  For convenience,
-this build also contains the historic "limited" strength policy files
-which contain restrictions on cryptographic strengths, but they must be
-specifically activated by updating the "crypto.policy" Security property
-(e.g. <java-home>/conf/security/java.security) to point to the appropriate
-directory.
+    unlimited:  These policy files contain no restrictions on cryptographic
+                strengths or algorithms
 
-Each subdirectory contains a complete policy configuration, and additional
-subdirectories can be added/removed to reflect local regulations.
+    limited:    These policy files contain more restricted cryptographic
+                strengths
 
-JCE for Java SE has been through the U.S. export review process.  The JCE
-framework, along with the various JCE providers that come standard with it
-(SunJCE, SunEC, SunPKCS11, SunMSCAPI, etc), is exportable from the
-United States.
+These files reside in <java-home>/conf/security/policy in the “unlimited”
+or “limited” subdirectories respectively.
 
-You are advised to consult your export/import control counsel or attorney
-to determine the exact requirements of your location, and what policy
-settings should be used.
+Each subdirectory contains a complete policy configuration,
+and subdirectories can be added/edited/removed to reflect your
+import or export control product requirements.
 
-Please see The Java(TM) Cryptography Architecture (JCA) Reference
-Guide and the java.security file for more information.
+Within a subdirectory, the effective policy is the combined minimum
+permissions of the grant statements in the file(s) matching the filename
+pattern "default_*.policy".  At least one grant is required.  For example:
+
+    limited   =  Export (all) + Import (limited)  =  Limited
+    unlimited =  Export (all) + Import (all)      =  Unlimited
+
+The effective exemption policy is the combined minimum permissions
+of the grant statements in the file(s) matching the filename pattern
+"exempt_*.policy".  Exemption grants are optional.  For example:
+
+    limited   =  grants exemption permissions, by which the
+                 effective policy can be circumvented.
+                 e.g.  KeyRecovery/KeyEscrow/KeyWeakening.
+
+Please see the Java Cryptography Architecture (JCA) documentation for
+additional information on these files and formats.
+
+YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+TO DETERMINE THE EXACT REQUIREMENTS.
+
+Please note that the JCE for Java SE, including the JCE framework,
+cryptographic policy files, and standard JCE providers provided with
+the Java SE, have been reviewed and approved for export as mass market
+encryption item by the US Bureau of Industry and Security.