Proper way to check for JCE Unlimited Strength Jurisdiction Policy files

Kevin W. Wall kevin.w.wall at
Wed Nov 25 09:08:26 EST 2009

FWIW, my implementation of this for OWASP ESAPI is at:

The main() is there just for stand-alone testing. From the ESAPI JUnit tests,
I call:
  if ( keySize > 128 && !CryptoPolicy.isUnlimitedStrengthCryptoAvailable() )
    System.out.println("Skipping test for " + cipherXform + " where key size " +
                       "is " + keySize + "; install JCE Unlimited Strength " +
                       "Jurisdiction Policy files to run this test.");

Would appreciate it if someone could take 5 min to look at this CryptoPolicy
source to see if it looks correct. It's only 90 lines including comments and
white space. It tried to check the exemption mechanism but am not sure I
am understanding it correctly.


-----Original Message-----
Kevin W. Wall wrote:
> Hi list...hope there are some Java developers out there and that this is not
> too off topic for this list's charter.
> Does anyone know the *proper* (and portable) way to check if a Java VM is
> using the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
> Policy files (e.g., for JDK 6, see
> <>.)
> I would like something that works with at least Java 5 and later and that does
> not have any false positives or negatives. I also would _prefer_ some test
> that does not require locating and parsing the policy files within the JVM's
> installed JCE local_policy.jar and US_export_policy.jar files as that seems
> kludgey and might not work with future JDKs.
> My first thought was just to try a naive dummy encryption of a test string
> using a 256-bit AES key. However, I realized that this might still succeed
> without having the JCE Unlimited Strength Jurisdiction Policy files installed
> if the JCE provider being used implemented some exemption mechanism (i.e., see
> javax.crypto.ExemptionMechanism) such as key recovery, key weakening, or
> key escrow.
> Then I saw that javax.crypto.Cipher class has a getExemptionMechanism() method
> that returns either an ExemptionMechanism object associated with the Cipher
> object OR null if there is no exemption mechanism being used.  So I figured
> I could then do the naive encryption of some dummy string using 256-bit
> AES/CBC/NoPadding and if that succeeded AND cipher.getExemptionMechanism()
> returned null, THEN I could assume that the JCE Unlimited Strength Jurisdiction
> Policy files were installed. (When the default "strong" JCE jurisdiction
> policy files are installed, the max allowed AES key size is 128-bits.)
> Does that seem like a sound plan or is there more that I need to check? If
> not, please explain what else I will need to do.
> Thanks in advance,
> -kevin wall

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list