I have an app that uses 256-bit AES encryption which is not supported by Java out of the box. I know to get this to function correctly I install the JCE unlimited strength jars in the security folder. This is fine for me being the developer, I can install them.

My question is since this app will be distributed, end users most likely will not have these policy files installed. Having the end user download these just to make the app function is not an attractive solution.

Is there a way to make my app run without overwriting files on the end user machine? A third party software that can handle it without the policy files installed? Or a way to just reference these policy files from within a JAR?

Thanks for any ideas.

A: 

The unlimited strength jurisdiction files must be installed relative to the JRE directory, at ${java.home}/lib/security/.

erickson
He stated this fact in his question, by the way.
djangofan
Yes, but sometimes wishing for an alternative doesn't mean there is one. You can't bypass the key strength limitations with a third-party provider, and the policy files have to be in this location; no embedded-in-a-jar trickery will work.
erickson
A: 

Personally, I would write Java code that extracts the jars from your app's jar archive and copies them to the local JRE and then restarts the JVM (on the first run of the app).

djangofan
"make my app run *without overwriting files* on the end user machine"
erickson
+1  A: 

For our application, we had a client server architecture and we only allowed decrypting/encrypting data in the server level. Hence the JCE files are only needed there.

We had another problem where we needed to update a security jar on the client machines, through JNLP, it overwrites the libraries in ${java.home}/lib/security/ and the JVM on first run.

That made it work.

Mohamed Mansour
+2  A: 

For an alternative crypto provider, have a look at Bouncy Castle. They have AES and a lot else besides. And they're free.

Hollerith
They are a great crypto provider, but still require the unlimited strength JCE file in order to work with large keys.
John Meagher
If you use the Bouncy Castle API directly you don't need the unlimited strength files.
laz
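
The key-length limit discussed in this thread is enforced by `javax.crypto.Cipher`, so it applies to any provider reached through the JCE; the last comment refers to Bouncy Castle's lightweight API (`org.bouncycastle.crypto`), which is called directly. The following is an added example, not code from any poster in the thread, showing AES-256 in GCM mode through that API. It assumes the Bouncy Castle provider jar (bcprov) is on the classpath; the class name, key and message are constructed for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.modes.GCMBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;

public class Aes256WithoutPolicyFiles {
    private static final int NONCE_LEN = 12;   // bytes, the usual GCM nonce size
    private static final int TAG_BITS = 128;   // authentication tag length

    // Runs AES-GCM through the lightweight API; javax.crypto.Cipher is not involved.
    static byte[] gcm(boolean encrypt, byte[] key, byte[] nonce, byte[] in)
            throws InvalidCipherTextException {
        GCMBlockCipher cipher = new GCMBlockCipher(new AESEngine());
        cipher.init(encrypt, new AEADParameters(new KeyParameter(key), TAG_BITS, nonce));
        byte[] out = new byte[cipher.getOutputSize(in.length)];
        int n = cipher.processBytes(in, 0, in.length, out, 0);
        n += cipher.doFinal(out, n);   // appends the tag on encrypt, verifies it on decrypt
        return Arrays.copyOf(out, n);
    }

    public static void main(String[] args) throws Exception {
        // 128 means the restricted policy is active; Integer.MAX_VALUE means unlimited.
        System.out.println("JCE max AES key bits: " + Cipher.getMaxAllowedKeyLength("AES"));

        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[32];            // 256-bit key, constructed for the demo
        byte[] nonce = new byte[NONCE_LEN];   // must be unique per message under one key
        rng.nextBytes(key);
        rng.nextBytes(nonce);

        byte[] plain = "constructed sample message".getBytes("UTF-8");
        byte[] sealed = gcm(true, key, nonce, plain);
        byte[] opened = gcm(false, key, nonce, sealed);
        System.out.println("round trip ok: " + Arrays.equals(plain, opened));

        sealed[0] ^= 1;   // a modified ciphertext must be rejected
        try {
            gcm(false, key, nonce, sealed);
            System.out.println("tamper accepted (unexpected)");
        } catch (InvalidCipherTextException e) {
            System.out.println("tamper rejected: " + e.getMessage());
        }
    }
}
```

The first line of output reports what the installed JRE policy allows through the JCE, which is a quick way to confirm whether the restriction applies on a given machine.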