How to get your users to install JCE

In every Java project where I need to do strong cryptography, I run into these dreaded unreadable stack traces which send you into the woods. After a long search I usually discover that the Unlimited Strength Java Cryptography Extensions are not installed. To prevent frustration for the users of your software, you can simply add a bit of informative logging that helps them solve the problem, since the solution is known.

Add the following code to help your admins solve the limited cryptography problem without having to ask you:

import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;

public static void validateJCEUnlimited() {
  final int unlimited = 2_147_483_647; /* 32 bit max int, same as Integer.MAX_VALUE */

  // Ciphers to check for installation of the Java 
  // Cryptography Extension (JCE) unlimited strength 
  // jurisdiction policy files
  final String[] ciphers = {
    "AES", "BouncyCastle", "X.509",
    "PKCS12", "BCPKCS12", "PKCS12-DEF",
    "DES", "DESEDE", "RSA", "DSA",
    "SHA-1", "SHA-256", "SHA-512"
  };

  for (String cipher : ciphers) {
    int keyLength = 0;
    try {
      // Returns Integer.MAX_VALUE when the unlimited policy files are installed
      keyLength = Cipher.getMaxAllowedKeyLength(cipher);
    } catch (NoSuchAlgorithmException e) {
      throw new RuntimeException("Problem while checking the maximum key length of cipher " + cipher + ".", e);
    }

    // Anything below the maximum means a restricted policy is in effect
    if (keyLength < unlimited) {
      String msg = String.format("The maximum allowed key length for cipher %s was %d.\n" +
        "This indicates that you might not have installed the Java Cryptography \n" +
        "Extension (JCE) unlimited strength jurisdiction policy files in your JVM.\n" +
        "To do so, download these policy files at:\n\n" +
        "Java 6:\n" +
        "Java 7:\n" +
        "Java 8:\n\n" +
        "Then, copy local_policy.jar and US_export_policy.jar extracted from above zip file to\n" +
        "the $JAVA_HOME/jre/lib/security directory.\n", cipher, keyLength);
      throw new RuntimeException(msg);
    }
  }
}
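
A narrower variant of the check above, as an added example that is not the author's code: it tests only the algorithms an application actually uses against the key size it needs, and reports every shortfall together with the JVM location instead of throwing on the first one. The class name `CryptoPolicyCheck` and the required sizes (AES 256, RSA 4096) are assumptions; the `crypto.policy` security property is printed as-is and is `null` on JVMs that do not define it.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;

// Hypothetical helper, not part of the original post.
public class CryptoPolicyCheck {

  // Assumed requirements: algorithm name -> key size in bits the application needs.
  static Map<String, Integer> requiredKeyBits() {
    Map<String, Integer> required = new LinkedHashMap<>();
    required.put("AES", 256);
    required.put("RSA", 4096);
    return required;
  }

  // Returns one message per algorithm whose policy limit is below the required size.
  static List<String> findRestricted(Map<String, Integer> required) {
    List<String> problems = new ArrayList<>();
    for (Map.Entry<String, Integer> e : required.entrySet()) {
      try {
        int max = Cipher.getMaxAllowedKeyLength(e.getKey());
        if (max < e.getValue()) {
          problems.add(String.format("%s: policy allows %d-bit keys, %d required",
              e.getKey(), max, e.getValue()));
        }
      } catch (NoSuchAlgorithmException ex) {
        problems.add(e.getKey() + ": not a valid transformation string (" + ex.getMessage() + ")");
      }
    }
    return problems;
  }

  public static void main(String[] args) {
    List<String> problems = findRestricted(requiredKeyBits());
    if (problems.isEmpty()) {
      System.out.println("Crypto policy allows all required key sizes.");
      return;
    }
    // Context an admin needs to locate the affected JVM and its policy setting.
    System.err.println("Restricted crypto policy in JVM at " + System.getProperty("java.home")
        + " (java.version=" + System.getProperty("java.version")
        + ", crypto.policy=" + Security.getProperty("crypto.policy") + ")");
    for (String p : problems) {
      System.err.println("  " + p);
    }
    System.exit(1);
  }
}
```

Running it at application start-up gives a non-zero exit code that deployment scripts can act on before any encryption call fails.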

Happy coding,


3 Responses to How to get your users to install JCE

  1. Guus says:

    That’s a neat check.

    Is it really necessary to check all these ciphers? Some are not in use anymore (DES, SHA1).

  2. Joris says:

    This will get easier soon, JDK9 won’t have this restriction anymore, and this will be backported to 8, 7 and 6 according to this SO answer:
