private static void runTest(boolean isUnlimited) throws Exception {
System.out.println("Testing " + (isUnlimited ? "un" : "") + "limited policy...");
String algo = "Blowfish";
int keyLength = Cipher.getMaxAllowedKeyLength(algo);
AlgorithmParameterSpec spec = Cipher.getMaxAllowedParameterSpec(algo);
if (isUnlimited) {
if ((keyLength != Integer.MAX_VALUE) || (spec != null)) {
throw new Exception("Check for " + algo + " failed under unlimited policy");
}
} else {
if ((keyLength != 128) || (spec != null)) {
throw new Exception("Check for " + algo + " failed under default policy");
}
}
algo = "RC5";
keyLength = Cipher.getMaxAllowedKeyLength(algo);
RC5ParameterSpec rc5param = (RC5ParameterSpec) Cipher.getMaxAllowedParameterSpec(algo);
if (isUnlimited) {
if ((keyLength != Integer.MAX_VALUE) || (rc5param != null)) {
throw new Exception("Check for " + algo + " failed under unlimited policy");
}
} else {
if ((keyLength != 128)
|| (rc5param.getRounds() != 12)
|| (rc5param.getVersion() != Integer.MAX_VALUE)
|| (rc5param.getWordSize() != Integer.MAX_VALUE)) {
throw new Exception("Check for " + algo + " failed under default policy");
}
}
System.out.println("All tests passed");
}
// Evaluate an unlimited strength algorithm to determine if we support the capability we have on
// the system
static {
try {
isUnlimitedStrengthCryptographyEnabled =
(Cipher.getMaxAllowedKeyLength("AES") > DEFAULT_MAX_ALLOWED_KEY_LENGTH);
} catch (NoSuchAlgorithmException e) {
// if there are issues with this, we default back to the value established
isUnlimitedStrengthCryptographyEnabled = false;
}
}
private static void crashIfJCEMissing() throws NoSuchAlgorithmException, Exception {
int size = Cipher.getMaxAllowedKeyLength("AES");
Integer expected = Integer.MAX_VALUE;
if (size < expected) {
String msg =
"Max key size is "
+ size
+ ", but expected "
+ expected
+ ". Unfortunately, you have a security policy that limits your encryption "
+ "strength. Please either use OpenJDK or allow yourself to use strong crypto\n"
+ "by installing the according JCE files:\n"
+ "http://stackoverflow.com/questions/6481627/java-security-illegal-key-size-or-default-parameters";
throw new Exception(msg);
}
}
public static synchronized void init() {
if (!initialized) {
logger.log(Level.INFO, "Initializing crypto settings and security provider ...");
// Bouncy Castle
if (Security.getProvider(PROVIDER) == null) {
Security.addProvider(new BouncyCastleProvider());
}
// Unlimited strength
try {
unlimitedStrengthEnabled = Cipher.getMaxAllowedKeyLength("AES") > 128;
} catch (Exception e) {
unlimitedStrengthEnabled = false;
}
initialized = true;
}
}
public static void main(String[] args) throws Exception {
try {
Set<String> algorithms = Security.getAlgorithms("Cipher");
for (String algorithm : algorithms) {
int max;
max = Cipher.getMaxAllowedKeyLength(algorithm);
System.out.printf("%-22s: %dbit%n", algorithm, max);
}
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
String originalPassword = "******";
System.out.println("Original password: "******"Encrypted password: "******"Decrypted password: " + decryptedPassword);
}
public void afterPropertiesSet() throws Exception {
// Check preconditions: Maximum key length
try {
if (Cipher.getMaxAllowedKeyLength("AES") < Integer.MAX_VALUE) {
String tutorialUrl =
"http://www.javamex.com/tutorials/cryptography/unrestricted_policy_files.shtml";
// throw new CryptoException(
// "Your system has a restriction on the encryption algorithm key length. Please
// remove this restriction. For more info, see "
// + tutorialUrl);
}
} catch (NoSuchAlgorithmException e) {
throw new CryptoException("No AES provider is installed on your system ?!", e);
}
activeProvider =
new DefaultCryptoProvider(
cryptoProperties.getSimpleKeystore(),
cryptoProperties.getSimplePassword(),
cryptoProperties.getCreateKeystoreFileIfNotExist());
}
@Test
public void verifyUnlimitedJcePolicy() throws NoSuchAlgorithmException {
assertTrue(Cipher.getMaxAllowedKeyLength("AES") >= 256);
}
@Test
public void checkUnlimitedStrength() throws NoSuchAlgorithmException {
log.info("Max allowed key length is {} bits for AES", Cipher.getMaxAllowedKeyLength("AES"));
assertFalse(
"Unlimited cryptographic strength unavailable", Cipher.getMaxAllowedKeyLength("AES") < 256);
}
public static void contributeApplicationDefaults(
MappedConfiguration<String, String> configuration) {
// Contributions to ApplicationDefaults will override any contributions to
// FactoryDefaults (with the same key). Here we're restricting the supported
// locales to just "en" (English). As you add localised message catalogs and other assets,
// you can extend this list of locales (it's a comma separated series of locale names;
// the first locale name is the default when there's no reasonable match).
// The factory default is true but during the early stages of an application
// overriding to false is a good idea. In addition, this is often overridden
// on the command line as -Dtapestry.production-mode=false
if (!isProduction) {
configuration.add(SymbolConstants.PRODUCTION_MODE, "false");
configuration.add(SymbolConstants.COMPONENT_RENDER_TRACING_ENABLED, "false");
configuration.add(SymbolConstants.COMPACT_JSON, "false");
configuration.add(SymbolConstants.COMPRESS_WHITESPACE, "false");
configuration.add(SymbolConstants.MINIFICATION_ENABLED, "false");
} else {
// LINK_PATH_PERMISSIONS[0][0] = null;
configuration.add(SymbolConstants.PRODUCTION_MODE, "true");
configuration.add(SymbolConstants.COMPONENT_RENDER_TRACING_ENABLED, "false");
configuration.add(SymbolConstants.COMPACT_JSON, "true");
configuration.add(SymbolConstants.COMPRESS_WHITESPACE, "true");
configuration.add(SymbolConstants.MINIFICATION_ENABLED, "true");
}
// todo check
// http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/HMAC-Passphrase-Could-Be-Much-More-Useful-Correct-Me-If-I-m-Wrong-td5724606.html
configuration.add(SymbolConstants.HMAC_PASSPHRASE, RandomStringUtils.randomAscii(10));
configuration.add(SymbolConstants.JAVASCRIPT_INFRASTRUCTURE_PROVIDER, "jquery");
configuration.add(SymbolConstants.SESSION_LOCKING_ENABLED, "true");
configuration.add(SymbolConstants.SUPPORTED_LOCALES, "en,fr");
// configuration.add(SymbolConstants.DEFAULT_STYLESHEET, "context:styles/empty.css");
// The application version number is incorporated into URLs for some
// assets. Web browsers will cache assets because of the far future expires
// header. If existing assets are changed, the version number should also
// change, to force the browser to download new versions.
configuration.add(SymbolConstants.APPLICATION_VERSION, "1.0");
configuration.add(SymbolConstants.START_PAGE_NAME, "SEC");
configuration.add(SymbolConstants.SECURE_ENABLED, "true");
configuration.add(SymbolConstants.HOSTPORT, "8080");
configuration.add(SymbolConstants.HOSTPORT_SECURE, "8443");
// Tynamo's tapestry-security module configuration
configuration.add(SecuritySymbols.LOGIN_URL, URL_LOGIN);
configuration.add(SecuritySymbols.SUCCESS_URL, URL_SUCCESS);
configuration.add(SecuritySymbols.UNAUTHORIZED_URL, URL_UNAUTHORIZED);
configuration.add(SymbolConstants.TAPESTRY_VERSION, "false");
// Check JCE Unlimited StrengthJurisdictionPolicyFilesInstalled
try {
if (Cipher.getMaxAllowedKeyLength("AES") < 2147483647) {
LOG.error(
"### JCE Unlimited Strength Jurisdiction Policy Files is NOT Installed.\n"
+ "http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html");
}
} catch (NoSuchAlgorithmException e) {
LOG.error(
"### JCA JSSE JCE API not found. - http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html");
}
}
