public static boolean isUnlimitedStrengthCryptoSupported() { try { return (Cipher.getMaxAllowedKeyLength("AES") > DEFAULT_MAX_ALLOWED_KEY_LENGTH); } catch (NoSuchAlgorithmException e) { return false; } }
private static String getDefaultProviderKey() { try { return "aes/gcm/" + (Cipher.getMaxAllowedKeyLength("AES") > 128 ? "256" : "128"); } catch (NoSuchAlgorithmException e) { return "aes/gcm/128"; } }
/** * Determines if unlimited-strength cryptography is allowed, i.e. if this JRE has then the unlimited strength policy * files installed. * * @return true if unlimited strength cryptography is allowed, otherwise false */ public static boolean isUnlimitedStrengthAllowed() { try { return Cipher.getMaxAllowedKeyLength("AES") >= 256; } catch (NoSuchAlgorithmException e) { return false; } } }
public static boolean isUnlimitedStrengthCryptoAvailable() { try { return Cipher.getMaxAllowedKeyLength("AES") > 128; } catch (NoSuchAlgorithmException e) { logger.warn("Tried to determine if unlimited strength crypto is available but the AES algorithm is not available"); return false; } }
private static int calcAESKeyLength() { int maxKeyLen; try { maxKeyLen = Cipher.getMaxAllowedKeyLength("AES"); } catch (NoSuchAlgorithmException e) { throw U.rte(e); } return maxKeyLen > 256 ? 256 : 128; }
private static List<Integer> getValidKeyLengths() { List<Integer> validLengths = new ArrayList<>(); validLengths.add(128); try { if (Cipher.getMaxAllowedKeyLength("AES") > 128) { validLengths.add(192); validLengths.add(256); } else { logger.warn("JCE Unlimited Strength Cryptography Jurisdiction policies are not available, so the max key length is 128 bits"); } } catch (NoSuchAlgorithmException e) { logger.warn("Encountered an error determining the max key length", e); } return validLengths; }
public static int getMaxAllowedKeyLength(final String algorithm) { if (StringUtils.isEmpty(algorithm)) { return DEFAULT_MAX_ALLOWED_KEY_LENGTH; } String parsedCipher = CipherUtility.parseCipherFromAlgorithm(algorithm); try { return Cipher.getMaxAllowedKeyLength(parsedCipher); } catch (NoSuchAlgorithmException e) { // Default algorithm max key length on unmodified JRE return DEFAULT_MAX_ALLOWED_KEY_LENGTH; } }
public static int getMaxAllowedKeyLength(final String algorithm) { if (StringUtils.isEmpty(algorithm)) { return DEFAULT_MAX_ALLOWED_KEY_LENGTH; } String parsedCipher = CipherUtility.parseCipherFromAlgorithm(algorithm); try { return Cipher.getMaxAllowedKeyLength(parsedCipher); } catch (NoSuchAlgorithmException e) { // Default algorithm max key length on unmodified JRE return DEFAULT_MAX_ALLOWED_KEY_LENGTH; } }
private static Cipher getCipher(Key key, int mode, byte[] parameters) { try { Cipher cipher = Cipher.getInstance(TYPE); cipher.init(mode, key, new IvParameterSpec(parameters)); return cipher; } catch (Exception e) { String msg = "Unable to load key using transformation: " + TYPE; if (e instanceof InvalidKeyException) { try { int maxAllowedLen = Cipher.getMaxAllowedKeyLength(TYPE); if (maxAllowedLen < 256) { msg += "; Warning: Maximum allowed key length = " + maxAllowedLen + " with the available JCE security policy files. Have you" + " installed the JCE unlimited strength jurisdiction policy" + " files?"; } } catch (NoSuchAlgorithmException ex) { msg += "; Unable to find specified algorithm?"; } } LOG.error(msg, e); throw Throwables.propagate(e); } } }
/** * Initializes the crypto provider ("Bouncy Castle") and tests whether the unlimited * strength policy has been enabled. Unlimited crypto allows for stronger crypto algorithms * such as AES-256 or Twofish-256. * * <p>The method is called in the <tt>static</tt> block of this class and hence initialized * whenever then class is used. * * @see <a href="www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html">Java Cryptography Extension (JCE) Unlimited Strength</a> */ public static synchronized void init() { if (!initialized.get()) { // Bouncy Castle if (Security.getProvider(CRYPTO_PROVIDER_ID) == null) { Security.addProvider(CRYPTO_PROVIDER); } // Unlimited strength try { unlimitedStrengthEnabled.set(Cipher.getMaxAllowedKeyLength("AES") > 128); } catch (NoSuchAlgorithmException e) { logger.log(Level.FINE, "No such transformation found", e); unlimitedStrengthEnabled.set(false); } initialized.set(true); } }
int aesKeyLength = Cipher.getMaxAllowedKeyLength("AES"); if (aesKeyLength <= 128) { log.warn(
@Inject public CookieEncryption(NinjaProperties properties) { Optional<SecretKeySpec> secretKeySpec = Optional.empty(); if (properties.getBooleanWithDefault(NinjaConstant.applicationCookieEncrypted, false)) { String secret = properties.getOrDie(NinjaConstant.applicationSecret); try { int maxKeyLengthBits = Cipher.getMaxAllowedKeyLength(ALGORITHM); if (maxKeyLengthBits == Integer.MAX_VALUE) { maxKeyLengthBits = 256; } secretKeySpec = Optional.of( new SecretKeySpec(secret.getBytes(), 0, maxKeyLengthBits / Byte.SIZE, ALGORITHM)); logger.info("Ninja session encryption is using {} / {} bit.", secretKeySpec.get().getAlgorithm(), maxKeyLengthBits); } catch (Exception exception) { logger.error("Can not create class to encrypt cookie.", exception); throw new RuntimeException(exception); } } this.secretKeySpec = secretKeySpec; }
/** * Fail fast on a JVM without JCE installed. * * This is a recurrent problem * (that is: it keeps creeping back with JVM updates); * a fast failure is the best tactic. * @throws NoSuchAlgorithmException */ protected void validateKeyLength() throws NoSuchAlgorithmException { int aesLen = Cipher.getMaxAllowedKeyLength("AES"); println("Maximum AES encryption key length %d bits", aesLen); verify(minKeyLength <= aesLen, CAT_JVM, "Java Cryptography Extensions are not installed on this JVM." + " Maximum supported key length %s - minimum required %d", aesLen, minKeyLength); }
if (Cipher.getMaxAllowedKeyLength(cipherAlgorithm.jceId) < keySizeInBytes*8) { throw new EncryptedDocumentException("Export Restrictions in place - please install JCE Unlimited Strength Jurisdiction Policy files");
if (Cipher.getMaxAllowedKeyLength(cipherAlgorithm.jceId) < keySizeInBytes*8) { throw new EncryptedDocumentException("Export Restrictions in place - please install JCE Unlimited Strength Jurisdiction Policy files");
private static void assumeAes256(CipherAlgorithm cipherAlgorithm) { boolean aes256Available = false; try { Cipher.getInstance(cipherAlgorithm.toString()); aes256Available = Cipher.getMaxAllowedKeyLength("AES") >= 256; } catch (NoSuchAlgorithmException e) { throw new AssumptionViolatedException( cipherAlgorithm + " not available, skipping test", e); } catch (NoSuchPaddingException e) { throw new AssumptionViolatedException( cipherAlgorithm + " padding not available, skipping test", e); } Assume.assumeTrue( "AES key length of 256 not allowed, skipping test", aes256Available); }
@Test public void testAesEnc192Bin() throws HiveException, NoSuchAlgorithmException { int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES"); // skip the test if Java Cryptography Extension (JCE) Unlimited Strength // Jurisdiction Policy Files not installed if (maxKeyLen < 192) { return; } GenericUDFAesEncrypt udf = new GenericUDFAesEncrypt(); ObjectInspector valueOI0 = PrimitiveObjectInspectorFactory.writableBinaryObjectInspector; ObjectInspector valueOI1 = PrimitiveObjectInspectorFactory.writableBinaryObjectInspector; ObjectInspector[] arguments = { valueOI0, valueOI1 }; udf.initialize(arguments); BytesWritable keyWr = new BytesWritable(("1234567890123456" + "12345678").getBytes()); runAndVerifyBin(new byte[] { 65, 66, 67 }, keyWr, "ucvvpP9r2/LfQ6BilQuFtA==", udf); runAndVerifyBin(new byte[0], keyWr, "KqMT3cF6VwSISMaUVUB4Qw==", udf); // null runAndVerifyBin(null, keyWr, null, udf); }
@Test public void testAesDec192Bin() throws HiveException, NoSuchAlgorithmException { int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES"); // skip the test if Java Cryptography Extension (JCE) Unlimited Strength // Jurisdiction Policy Files not installed if (maxKeyLen < 192) { return; } GenericUDFAesDecrypt udf = new GenericUDFAesDecrypt(); ObjectInspector valueOI0 = PrimitiveObjectInspectorFactory.writableBinaryObjectInspector; ObjectInspector valueOI1 = PrimitiveObjectInspectorFactory.writableBinaryObjectInspector; ObjectInspector[] arguments = { valueOI0, valueOI1 }; udf.initialize(arguments); BytesWritable keyWr = new BytesWritable(("1234567890123456" + "12345678").getBytes()); runAndVerifyBin("ucvvpP9r2/LfQ6BilQuFtA==", keyWr, "ABC", udf); runAndVerifyBin("KqMT3cF6VwSISMaUVUB4Qw==", keyWr, "", udf); // null runAndVerifyBin(null, keyWr, null, udf); }
@Test public void testAesDec256ConstStr() throws HiveException, NoSuchAlgorithmException { int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES"); // skip the test if Java Cryptography Extension (JCE) Unlimited Strength // Jurisdiction Policy Files not installed if (maxKeyLen < 256) { return; } GenericUDFAesDecrypt udf = new GenericUDFAesDecrypt(); ObjectInspector valueOI0 = PrimitiveObjectInspectorFactory.writableBinaryObjectInspector; Text keyWr = new Text("1234567890123456" + "1234567890123456"); ObjectInspector valueOI1 = PrimitiveObjectInspectorFactory .getPrimitiveWritableConstantObjectInspector(TypeInfoFactory.stringTypeInfo, keyWr); ObjectInspector[] arguments = { valueOI0, valueOI1 }; udf.initialize(arguments); runAndVerifyStr("nYfCuJeRd5eD60yXDw7WEA==", keyWr, "ABC", udf); runAndVerifyStr("mVClVqZ6W4VF6b842FOgCA==", keyWr, "", udf); // null runAndVerifyStr(null, keyWr, null, udf); }
@Test public void testAesEnc256ConstStr() throws HiveException, NoSuchAlgorithmException { int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES"); // skip the test if Java Cryptography Extension (JCE) Unlimited Strength // Jurisdiction Policy Files not installed if (maxKeyLen < 256) { return; } GenericUDFAesEncrypt udf = new GenericUDFAesEncrypt(); ObjectInspector valueOI0 = PrimitiveObjectInspectorFactory.writableStringObjectInspector; Text keyWr = new Text("1234567890123456" + "1234567890123456"); ObjectInspector valueOI1 = PrimitiveObjectInspectorFactory .getPrimitiveWritableConstantObjectInspector(TypeInfoFactory.stringTypeInfo, keyWr); ObjectInspector[] arguments = { valueOI0, valueOI1 }; udf.initialize(arguments); runAndVerifyStr("ABC", keyWr, "nYfCuJeRd5eD60yXDw7WEA==", udf); runAndVerifyStr("", keyWr, "mVClVqZ6W4VF6b842FOgCA==", udf); // null runAndVerifyStr(null, keyWr, null, udf); }