gmu-swe/phosphor

SecurityException thrown when using the instrumented javax.crypto.JarVerifier.verifyPolicySigned() API.

Closed this issue · 1 comments

My JDK version is 1.8.0_231.
When I invoke an encryption API, javax.crypto.KeyGenerator.getInstance(), the program throws an exception:

```
java.lang.ExceptionInInitializerError
    at javax.crypto.KeyGenerator.nextSpi$$PHOSPHORTAGGED(KeyGenerator.java:340)
    at javax.crypto.KeyGenerator.(KeyGenerator.java:168)
    at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:223)
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
    at javax.crypto.JceSecurity.(JceSecurity.java:93)
    ... 13 more
Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer! (Policy files are specific per major JDK release.Ensure the correct version is installed.)
    at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:328)
    at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:378)
    at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:323)
    at javax.crypto.JceSecurity.access$000(JceSecurity.java:50)
    at javax.crypto.JceSecurity$1.run(JceSecurity.java:85)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.crypto.JceSecurity.(JceSecurity.java:82)
    ... 13 more
```

I think there may be something wrong with the JDK verification after instrumentation.

Oracle's JVM requires that the jar that contains all of the cryptography routines (jce.jar) be signed by Oracle, for export control purposes. OpenJDK does not. When Phosphor instruments the JVM, it will break these signatures. Hence, it is not possible to use Phosphor with Oracle's JDK and use the cryptography functionality of the JVM without some extra work. The first option is (if you have been granted a signing key by Oracle), you can sign the resulting jar. The more attainable option is to instead use the OpenJDK jce.jar file with your Oracle JVM, which will not have the signature checks, and will work just fine (instrument an OpenJDK jce.jar file and replace the Oracle jce.jar file with the OpenJDK one). Alternatively, if this is too complicated (and you need cryptography support), you can just choose to use OpenJDK entirely (which does not have this check).

I've added a note to this effect in the README.
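
A diagnostic for the situation discussed in this thread, added here as an example (it is not code from Phosphor or from the issue): it reports whether a jce.jar still carries valid signatures after instrumentation and whether JCE initialises on the running JVM. The class name `JceSignatureCheck` and the default path `java.home/lib/jce.jar` (JDK 8 layout) are assumptions; pass a different jar path as the first argument.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JceSignatureCheck {
    // Returns "signed", "unsigned", "mixed" or "tampered (...)" for the given jar.
    static String signatureState(File jar) throws Exception {
        int signed = 0, unsigned = 0;
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {            // true = verify signatures
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain so the digest is checked */ }
                } catch (SecurityException digestMismatch) {
                    // Signature files are present but the entry bytes were changed.
                    return "tampered (" + digestMismatch.getMessage() + ")";
                }
                CodeSigner[] signers = entry.getCodeSigners(); // null when the entry is unsigned
                if (signers != null && signers.length > 0) signed++; else unsigned++;
            }
        }
        if (unsigned == 0 && signed > 0) return "signed";
        return signed == 0 ? "unsigned" : "mixed";
    }

    public static void main(String[] args) throws Exception {
        // Assumption: JDK 8 layout, where java.home points at the jre directory.
        File jce = args.length > 0 ? new File(args[0])
                : new File(System.getProperty("java.home"), "lib/jce.jar");
        System.out.println("java.vendor = " + System.getProperty("java.vendor"));
        System.out.println(jce + " -> " + signatureState(jce));
        try {
            javax.crypto.KeyGenerator.getInstance("AES");
            System.out.println("JCE initialised: KeyGenerator.getInstance(\"AES\") succeeded");
        } catch (Throwable t) {  // ExceptionInInitializerError is an Error, not an Exception
            Throwable root = t;
            while (root.getCause() != null) root = root.getCause();
            System.out.println("JCE failed: " + root);
        }
    }
}
```

Run it once against the original JVM and once against the instrumented one; a change from "signed" to "unsigned" or "tampered" on the instrumented jar matches the broken-signature explanation above.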