
I'd like to use the PBEWITHHMACSHA256ANDAES_256 algorithm from the SunJCE provider in Java 8.

It looks like the jars and all of the config are in place out of the box in Java 8, but I'm not able to use the PBEWITHHMACSHA256ANDAES_256 algorithm.

I have these two jars:

jdk1.8.0_40\jre\lib\jce.jar
jdk1.8.0_40\jre\lib\ext\sunjce_provider.jar

There's this entry in jdk1.8.0_40\jre\lib\security\java.security

security.provider.5=com.sun.crypto.provider.SunJCE

There's this entry in jdk1.8.0_40\jre\lib\security\java.policy:

```
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.security.AllPermission;
};
```

I can see com.sun.crypto.provider.SunJCE in the array when I call Security.getProviders().

But the following code throws EncryptionOperationNotPossibleException:

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.junit.Assert;
import org.junit.Test;

public class EncryptionTest {
    @Test
    public void test() {
        // Configure Jasypt to use the SunJCE PBES2 algorithm with a password-derived key
        SimpleStringPBEConfig pbeConfig = new SimpleStringPBEConfig();
        pbeConfig.setAlgorithm("PBEWITHHMACSHA256ANDAES_256");
        pbeConfig.setPassword("changeme");
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(pbeConfig);

        // Round trip: the exception is thrown from encrypt()
        String encrypted = encryptor.encrypt("foo");
        String decrypted = encryptor.decrypt(encrypted);
        Assert.assertEquals("foo", decrypted);
    }
}
```

Exception:

```
org.jasypt.exceptions.EncryptionOperationNotPossibleException: Encryption raised an exception. A possible cause is you are using strong encryption algorithms and you have not installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files in this Java Virtual Machine
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.handleInvalidKeyException(StandardPBEByteEncryptor.java:999)
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.encrypt(StandardPBEByteEncryptor.java:868)
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.encrypt(StandardPBEStringEncryptor.java:642)
    at foo.bar.EncryptionTest.test(EncryptionTest.java:40)
```

Any ideas why PBEWITHHMACSHA256ANDAES_256 is throwing EncryptionOperationNotPossibleException?

lance-java

2 Answers


The exception mentions:

Encryption raised an exception. A possible cause is you are using strong encryption algorithms and you have not installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files in this Java Virtual Machine

This answer only tries to fix that issue. I've written another answer to help with the following issue, since these are totally different.

If you live in a country that does allow it, you can go and download it from Oracle's website.

Then, to install these unlimited strength packages, go into your $JAVA_HOME/jre/lib/security/ folder (assuming you have a JDK).

There, backup your local_policy.jar and US_export_policy.jar.

Now unzip the local_policy.jar and US_export_policy.jar files from the zip file you downloaded into that folder, and restart your application. Your application now has access to unlimited strength JCE capabilities.

If anything goes wrong, revert the two files to their backup versions.

Please note that each JVM that will have to run this code must be "patched" this way.

Olivier Grégoire
  • This will require every developer to customise their jre and will require changes to the jre's on all of the servers. Is there a dynamic solution where I can do this at runtime? – lance-java Nov 02 '16 at 10:10
  • No. It's a known restriction to the export rules of Java out from the USA. You should consider this as an extra step of the installation of Java and document it. It's really easy to forget this. You can ease this by providing a script and the two jar files to each developer so that they do it properly. But first make sure then that they all run JDK/JRE for Java 8 (by running `$JAVA_HOME/bin/java -version`, for instance). If you install on a Java 7 JDK or JRE, it will break that JDK. – Olivier Grégoire Nov 02 '16 at 10:14
  • A real alternative, though, is to implement the algorithm yourself, with your own provider. I would strongly recommend *against* it. Your profile says you live in the UK; you normally have legal access to that package and should use it. – Olivier Grégoire Nov 02 '16 at 10:16
  • Thanks for your help... I downloaded `jce_policy-8.zip` from oracle, extracted it and copied the two jars to `jre/lib/security`. My test still throws `EncryptionOperationNotPossibleException` but the message is no longer populated on the exception (looks like the message is null/empty). I'm guessing that might be progress? – lance-java Nov 02 '16 at 10:22
  • I don't know that jasypt library you use, so I cannot say. I based my answer exclusively on the message returned by the exception: `A possible cause is you are using strong encryption algorithms and you have not installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files in this Java Virtual Machine`. Though it's worth noting jasypt.org says "they don't want to reveal too much" [in their FAQ](http://jasypt.org/faq.html#i-keep-on-receiving-encryption-operation-not-possible). You should try to debug the application, having removed the unlimited strength issue. – Olivier Grégoire Nov 02 '16 at 10:27
  • @LanceJava if you check the error, now the issue comes from the `decrypt` method instead of the `encrypt` one. The problem is entirely different and you have actually progressed. After a few more tests, the problem seems limited to this algorithm, as I can properly test for other algorithms (I haven't tested them all, though). – Olivier Grégoire Nov 02 '16 at 11:00
  • Ah, very good spotting... I hadn't noticed that encrypt started working and it's now decrypt that's throwing the exception. I'm currently googling Initialization Vectors – lance-java Nov 02 '16 at 11:20

Sorry to write another answer, but it seems we've progressed since the last answer. The problem is now slightly different, but enough to deserve another answer.

As you say, you "only" get an empty exception message now.

The problem seems to reside with the algorithm: using PBEWITHHMACSHA256ANDAES_256 always throws an exception.

This is because AES requires extra parameters, namely the IV. I found that IVs are not supported by Jasypt.

If you want to go further with that specific algorithm, I suggest you implement it manually without Jasypt. An implementation is present in the above link.

Olivier Grégoire
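As an added example (not part of either answer, and not Jasypt code), here is the same round trip done directly with javax.crypto: it first checks whether the unlimited strength policy is active (the first answer's problem), then supplies the IV through PBEParameterSpec on both the encrypt and the decrypt side (the second answer's problem). The class name, the 16-byte salt and IV, the iteration count and the salt||iv||ciphertext output layout are my own choices.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeAesDemo {
    private static final String ALG = "PBEWITHHMACSHA256ANDAES_256";
    private static final int SALT_LEN = 16, IV_LEN = 16, ITERATIONS = 65536; // assumed values

    // True only when the unlimited strength policy files are active for this JVM.
    public static boolean unlimitedAes() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    private static SecretKey key(char[] password) throws Exception {
        return SecretKeyFactory.getInstance(ALG).generateSecret(new PBEKeySpec(password));
    }

    // Output layout (our choice): salt || iv || ciphertext, so decrypt can rebuild the parameters.
    public static byte[] encrypt(char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher cipher = Cipher.getInstance(ALG);
        // PBES2 with AES needs an IV in addition to the PBE salt and iteration count.
        cipher.init(Cipher.ENCRYPT_MODE, key(password),
                new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }

    public static byte[] decrypt(char[] password, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length);
        Cipher cipher = Cipher.getInstance(ALG);
        // Without the IvParameterSpec here init fails: this is the parameter Jasypt does not pass on.
        cipher.init(Cipher.DECRYPT_MODE, key(password),
                new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        return cipher.doFinal(ct);
    }
}
```

Calling `decrypt(pw, encrypt(pw, "foo".getBytes("UTF-8")))` returns the bytes of "foo"; on a JVM where `unlimitedAes()` is false, `cipher.init` throws the "Illegal key size" InvalidKeyException that Jasypt wraps in the message shown in the question.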