当前位置: 文江博客话题详情

检查无限加密是否可用

发布于 2024-12-13 01:44:25 字数 42 浏览 5 评论 0原文

如何在 Java 代码中检查当前 JVM 是否具有无限强度的加密可用?

原文

How can I check, in Java code, if the current JVM have unlimited strength cryptography available?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(9

隱形的亼 2024-12-20 01:44:25

本着与 Dan Cruz 的答案相同的精神,但只有一行代码并且不会出现异常:

boolean limit = Cipher.getMaxAllowedKeyLength("RC5")<256;

所以一个完整的程序可能是:

import javax.crypto.Cipher;

public class TestUCE {
  public static void main(String args[]) throws Exception {
    boolean unlimited =
      Cipher.getMaxAllowedKeyLength("RC5") >= 256;
    System.out.println("Unlimited cryptography enabled: " + unlimited);
  }
}

In the same spirit as the answer of Dan Cruz, but with a single line of code and without going trough exceptions:

boolean limit = Cipher.getMaxAllowedKeyLength("RC5")<256;

So a complete program might be:

import javax.crypto.Cipher;

public class TestUCE {
  public static void main(String args[]) throws Exception {
    boolean unlimited =
      Cipher.getMaxAllowedKeyLength("RC5") >= 256;
    System.out.println("Unlimited cryptography enabled: " + unlimited);
  }
}
回复 原文
丘比特射中我 2024-12-20 01:44:25

如果您使用的是Linux并且已经安装了JDK(但Beanshell不可用),您可以使用JDK附带的runscript命令进行检查。

jrunscript -e 'exit (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256 ? 0 : 1);'; echo $?

如果无限加密可用,则返回 0 状态代码;如果不可用,则返回 1 。零是 shell 函数的正确“成功”返回值,非零表示失败。

If you are on Linux and you have installed the JDK (but Beanshell is not available), you can check with the runscript command provided with the JDK.

jrunscript -e 'exit (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256 ? 0 : 1);'; echo $?

This returns a 0 status code if the Unlimited Cryptography is available, or 1 if not available. Zero is the correct 'success' return value for shell functions, and non-zero indicates a failure.

回复 原文
‖放下 2024-12-20 01:44:25

我想你可能会使用 Cipher.getMaxAllowedKeyLength(),同时还将您使用的密码与已知的“良好”安全密码列表(例如 AES)进行比较。

这是一篇参考文章列出了自 Java 1.4 起现行的最大密钥大小管辖限制(这些限制可能没有改变,除非法律也发生了改变 - 见下文)。

如果您在有加密进出口限制的国家/地区运营,则必须查阅您所在国家/地区的法律,但可以安全地假设在这些情况下您没有无限制的JVM 中可用的强度加密(默认情况下)。换句话说,假设您正在使用 Oracle 的官方 JVM,并且您碰巧生活在在美国对密码学实施出口限制的国家(由于 Oracle 是一家美国公司,因此它会受到这些限制),那么在这种情况下您也可以假设您没有无限的可用实力。

当然,这并不阻止您构建自己的,从而赋予自己无限的力量,但根据您当地的法律,这可能是非法的。

本文概述了从美国向其他国家/地区出口的限制。

I think you could probably use Cipher.getMaxAllowedKeyLength(), while also comparing the cypher you're using to known lists of "good", secure cyphers, such as AES.

Here's a reference article that lists maximum key size jurisdiction limitations that were current as of Java 1.4 (these likely haven't changed, unless the law has also changed - see below).

If you are operating in a nation that has cryptographic export/import restrictions, you'd have to consult the law in your nation, but it's probably safe to assume in these situations that you don't have unlimited strength cryptography available (by default) in your JVM. Putting it another way, assuming you're using the official JVM from Oracle, and you happen to live in a nation against which the U.S. has leveled export restrictions for cryptography (and since Oracle is a United States company, it would be subject to these restrictions), then you could also assume in this case that you don't have unlimited strength available.

Of course, that doesn't stop you from building your own, and thereby granting yourself unlimited strength, but depending on your local laws, that might be illegal.

This article outlines the restrictions on export to other nations, from the Unites States.

回复 原文
倦话 2024-12-20 01:44:25

如何检查限制是否适用的方法记录在方法 Cipher.getMaxAllowedKeyLength

如果安装了 JCE 无限强度管辖策略文件,将返回 Integer.MAX_VALUE

这意味着,如果返回除(或确实低于)Integer.MAX_VALUE 以外的任何值,则限制确实适用。

更多信息请参见以下方法的 JavaDoc:

/**
 * Determines if cryptography restrictions apply.
 * Restrictions apply if the value of {@link Cipher#getMaxAllowedKeyLength(String)} returns a value smaller than {@link Integer#MAX_VALUE} if there are any restrictions according to the JavaDoc of the method.
 * This method is used with the transform <code>"AES/CBC/PKCS5Padding"</code> as this is an often used algorithm that is <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#impl">an implementation requirement for Java SE</a>.
 * 
 * @return <code>true</code> if restrictions apply, <code>false</code> otherwise
 */
public static boolean restrictedCryptography() {
    try {
        return Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding") < Integer.MAX_VALUE;
    } catch (final NoSuchAlgorithmException e) {
        throw new IllegalStateException("The transform \"AES/CBC/PKCS5Padding\" is not available (the availability of this algorithm is mandatory for Java SE implementations)", e);
    }
}

请注意,自 Java 9 起,默认情况下会安装无限制的加密策略(受导入/导出法规影响的用户必须安装有限加密策略) 。因此,此代码主要是为了向后兼容性和/或其他运行时所必需的。

The way how to check if restrictions apply is documented in the method Cipher.getMaxAllowedKeyLength:

If JCE unlimited strength jurisdiction policy files are installed, Integer.MAX_VALUE will be returned.

This means that if any value other than (or indeed lower than) Integer.MAX_VALUE is returned that restrictions do apply.

Even more information is in the JavaDoc of the method below:

/**
 * Determines if cryptography restrictions apply.
 * Restrictions apply if the value of {@link Cipher#getMaxAllowedKeyLength(String)} returns a value smaller than {@link Integer#MAX_VALUE} if there are any restrictions according to the JavaDoc of the method.
 * This method is used with the transform <code>"AES/CBC/PKCS5Padding"</code> as this is an often used algorithm that is <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#impl">an implementation requirement for Java SE</a>.
 * 
 * @return <code>true</code> if restrictions apply, <code>false</code> otherwise
 */
public static boolean restrictedCryptography() {
    try {
        return Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding") < Integer.MAX_VALUE;
    } catch (final NoSuchAlgorithmException e) {
        throw new IllegalStateException("The transform \"AES/CBC/PKCS5Padding\" is not available (the availability of this algorithm is mandatory for Java SE implementations)", e);
    }
}

Note that since Java 9 the unlimited crypto policies are installed by default (with those affected by import / export regulations having to install the limited crypto policies instead). So this code would mainly be required for backwards compatibility and/or other runtimes.

回复 原文
空心↖ 2024-12-20 01:44:25

这是一个完整的复制粘贴版本,允许进行测试

import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;

class Test {
    public static void main(String[] args) {
        int allowedKeyLength = 0;

        try {
            allowedKeyLength = Cipher.getMaxAllowedKeyLength("AES");
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }

        System.out.println("The allowed key length for AES is: " + allowedKeyLength);
    }
}

运行

javac Test.java

java Test

如果 JCE 不起作用输出:128
JCE 的工作类似于:2147483647

This is a complete copy paste version to allow for testing

import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;

class Test {
    public static void main(String[] args) {
        int allowedKeyLength = 0;

        try {
            allowedKeyLength = Cipher.getMaxAllowedKeyLength("AES");
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }

        System.out.println("The allowed key length for AES is: " + allowedKeyLength);
    }
}

To run

javac Test.java

java Test

If JCE is not working output: 128
JCE is working something like: 2147483647

回复 原文
极度宠爱 2024-12-20 01:44:25

如果您使用的是 Linux,则可以使用此命令轻松检查

java -version ; \
echo 'System.err.println(javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding").getMaxAllowedKeyLength("AES"));'  \
| java -cp /usr/share/java/bsh-*.jar bsh.Interpreter >/dev/null

如果输出是类似的内容,则无限强度加密不可用

java version "1.7.0_76"
Java(TM) SE Runtime Environment (build 1.7.0_76-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.76-b04, mixed mode)
128

If you are using Linux, you can check it easily with this command

java -version ; \
echo 'System.err.println(javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding").getMaxAllowedKeyLength("AES"));'  \
| java -cp /usr/share/java/bsh-*.jar bsh.Interpreter >/dev/null

If the output is something like that, unlimited strength cryptography is not available

java version "1.7.0_76"
Java(TM) SE Runtime Environment (build 1.7.0_76-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.76-b04, mixed mode)
128
回复 原文
紧拥背影 2024-12-20 01:44:25

您可以使用 groovy 从命令行一步检查它:

groovysh -e 'javax.crypto.Cipher.getMaxAllowedKeyLength("AES")'

如果结果是 2147483647,则您拥有无限的加密。

在旧版本的 groovy 上,您必须删除 -e

groovysh 'javax.crypto.Cipher.getMaxAllowedKeyLength("AES")'

You can check it in one step from the command line by using groovy :

groovysh -e 'javax.crypto.Cipher.getMaxAllowedKeyLength("AES")'

If the result is 2147483647, you have unlimited cryptography.

On older version of groovy, you have to remove the -e :

groovysh 'javax.crypto.Cipher.getMaxAllowedKeyLength("AES")'
回复 原文
π浅易 2024-12-20 01:44:25

注意:请使用jefflunt的答案康斯坦丁·斯皮罗夫的回答。该答案不是有效答案,因为它始终返回 true。我将这个答案留在这里只是因为它在答案和评论中的其他地方引用,并且仅供参考。

您可以使用以下代码在某个地方初始化一个static final boolean,然后您可以使用它来测试无限的加密支持(因为仅在安装了无限制策略的情况下才支持 AES 256 位)。

boolean isUnlimitedSupported = false;
try {
    KeyGenerator kgen = KeyGenerator.getInstance("AES", "SunJCE");
    kgen.init(256);
    isUnlimitedSupported = true;
} catch (NoSuchAlgorithmException e) {
    isUnlimitedSupported = false;
} catch (NoSuchProviderException e) {
    isUnlimitedSupported = false;
}
System.out.println("isUnlimitedSupported=" + isUnlimitedSupported);
// set static final variable = isUnlimitedSupported;

NOTE: Please use jefflunt's answer or KonstantinSpirov's answer. This answer is not a valid answer since it will always return true. I am leaving this answer here only because it is referenced elsewhere in answers and comments and is useful as a reference only.

You could use the following to initialize a static final boolean somewhere that you can then use for testing unlimited crypto support (since AES 256-bit is only supported if the unrestricted policy is installed).

boolean isUnlimitedSupported = false;
try {
    KeyGenerator kgen = KeyGenerator.getInstance("AES", "SunJCE");
    kgen.init(256);
    isUnlimitedSupported = true;
} catch (NoSuchAlgorithmException e) {
    isUnlimitedSupported = false;
} catch (NoSuchProviderException e) {
    isUnlimitedSupported = false;
}
System.out.println("isUnlimitedSupported=" + isUnlimitedSupported);
// set static final variable = isUnlimitedSupported;
回复 原文
抚你发端 2024-12-20 01:44:25

我最近不得不添加 JCE 检查,我的解决方案演变为以下代码片段。这是一个 groovy 脚本,但应该很容易通过 try catch 转换为标准 java 方法。这已经用 Java 7 和 Java 7 进行了测试。 Java 8。

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.SecretKey;

// Make a blank 256 Bit AES Key
final SecretKey secretKey = new SecretKeySpec(new byte[32], "AES");
final Cipher encryptCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
// This line will throw a invalid key length exception if you don't have
// JCE Unlimited strength installed
encryptCipher.init(Cipher.ENCRYPT_MODE, secretKey);
// If it makes it here, you have JCE installed

I recently had to do add a JCE check and my solution evolved to the following snippet. This was a groovy script, but it should be easy to convert to standard java method with a try catch. This has been tested with Java 7 & Java 8.

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.SecretKey;

// Make a blank 256 Bit AES Key
final SecretKey secretKey = new SecretKeySpec(new byte[32], "AES");
final Cipher encryptCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
// This line will throw a invalid key length exception if you don't have
// JCE Unlimited strength installed
encryptCipher.init(Cipher.ENCRYPT_MODE, secretKey);
// If it makes it here, you have JCE installed
回复 原文
~没有更多了~

关于作者

远山浅

暂无简介

文章
评论
27 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

十二

文章 0 评论 0

飞烟轻若梦

文章 0 评论 0

OPleyuhuo

文章 0 评论 0

wxb0109

文章 0 评论 0

旧城空念

文章 0 评论 0

-小熊_

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文