8157561: Ship the unlimited policy files in JDK Updates

Reviewed-by: wetmore, erikj

8157561: Ship the unlimited policy files in JDK Updates
Reviewed-by: wetmore, erikj
b1916456 · coffeys · 8cc231ae · b1916456 · b1916456 · b1916456
13 changed file
--- a/make/CopyFiles.gmk
+++ b/make/CopyFiles.gmk
 #
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -357,18 +357,21 @@ ifndef OPENJDK
 RESTRICTED_PKGS_SRC := $(JDK_TOPDIR)/src/closed/share/lib/security/restricted.pkgs
 RESTRICTED_PKGS := $(shell $(CAT) $(RESTRICTED_PKGS_SRC) | $(TR) "\n" " ")

+endif
+
 $(PROPS_DST): $(PROPS_SRC)
 	$(MKDIR) -p $(@D)
+        ifndef OPENJDK
 	  $(TOOL_ADDTORESTRICTEDPKGS) $^ $@.tmp $(RESTRICTED_PKGS)
+        else
+	  $(CP) $^ $@.tmp
+        endif
+        ifeq ($(UNLIMITED_CRYPTO), true)
+	  $(TOOL_CRYPTOLEVEL) $@.tmp $@.tmp2 unlimited
+	  $(MV) $@.tmp2 $@.tmp
+        endif
 	$(MV) $@.tmp $@

-else
-
-$(PROPS_DST): $(PROPS_SRC)
-	$(call install-file)
-
-endif
-
 COPY_FILES += $(PROPS_DST)

 ##########################################################################################

--- a/make/CreateSecurityJars.gmk
+++ b/make/CreateSecurityJars.gmk
 #
-# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -178,7 +178,10 @@ TARGETS += $(JCE_JAR_DST)

 ##########################################################################################

-US_EXPORT_POLICY_JAR_DST := $(JDK_OUTPUTDIR)/lib/security/US_export_policy.jar
+US_EXPORT_POLICY_JAR_UNLIMITED_DST := \
+    $(JDK_OUTPUTDIR)/lib/security/policy/unlimited/US_export_policy.jar
+US_EXPORT_POLICY_JAR_LIMITED_DST := \
+    $(JDK_OUTPUTDIR)/lib/security/policy/limited/US_export_policy.jar

 ifneq ($(BUILD_CRYPTO), no)

@@ -220,27 +223,29 @@ ifneq ($(BUILD_CRYPTO), no)
 endif

 ifndef OPENJDK
-  ifeq ($(UNLIMITED_CRYPTO), true)
-    $(error No prebuilt unlimited crypto jars available)
-  endif
-  $(US_EXPORT_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/US_export_policy.jar
+  $(US_EXPORT_POLICY_JAR_UNLIMITED_DST): \
+    $(JDK_TOPDIR)/make/closed/tools/crypto/jce/unlimited/US_export_policy.jar
+	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
+	$(install-file)
+  $(US_EXPORT_POLICY_JAR_LIMITED_DST): \
+    $(JDK_TOPDIR)/make/closed/tools/crypto/jce/limited/US_export_policy.jar
 	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
-  ifeq ($(UNLIMITED_CRYPTO), true)
-    $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
+  $(US_EXPORT_POLICY_JAR_UNLIMITED_DST): $(US_EXPORT_POLICY_JAR_UNLIMITED_UNSIGNED)
 	$(install-file)
-  else
-    $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED)
+  $(US_EXPORT_POLICY_JAR_LIMITED_DST): $(US_EXPORT_POLICY_JAR_LIMITED_UNSIGNED)
 	$(install-file)
  endif
-endif

-TARGETS += $(US_EXPORT_POLICY_JAR_DST)
+TARGETS += $(US_EXPORT_POLICY_JAR_UNLIMITED_DST) $(US_EXPORT_POLICY_JAR_LIMITED_DST)

 ##########################################################################################

-LOCAL_POLICY_JAR_DST := $(JDK_OUTPUTDIR)/lib/security/local_policy.jar
+LOCAL_POLICY_JAR_LIMITED_DST := \
+    $(JDK_OUTPUTDIR)/lib/security/policy/limited/local_policy.jar
+LOCAL_POLICY_JAR_UNLIMITED_DST := \
+    $(JDK_OUTPUTDIR)/lib/security/policy/unlimited/local_policy.jar

 ifneq ($(BUILD_CRYPTO), no)

@@ -293,20 +298,20 @@ ifneq ($(BUILD_CRYPTO), no)
 endif

 ifndef OPENJDK
-  $(LOCAL_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/local_policy.jar
+  $(LOCAL_POLICY_JAR_UNLIMITED_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/unlimited/local_policy.jar
+	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
+	$(install-file)
+  $(LOCAL_POLICY_JAR_LIMITED_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/limited/local_policy.jar
 	$(ECHO) $(LOG_INFO) Copying prebuilt $(@F)
 	$(install-file)
 else
-  ifeq ($(UNLIMITED_CRYPTO), true)
-    $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
+  $(LOCAL_POLICY_JAR_UNLIMITED_DST): $(LOCAL_POLICY_JAR_UNLIMITED_UNSIGNED)
 	$(install-file)
-  else
-    $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED)
+  $(LOCAL_POLICY_JAR_LIMITED_DST): $(LOCAL_POLICY_JAR_LIMITED_UNSIGNED)
 	$(install-file)
  endif
-endif

-TARGETS += $(LOCAL_POLICY_JAR_DST)
+TARGETS += $(LOCAL_POLICY_JAR_UNLIMITED_DST) $(LOCAL_POLICY_JAR_LIMITED_DST)

 ##########################################################################################


--- a/make/Tools.gmk
+++ b/make/Tools.gmk
 #
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -132,7 +132,10 @@ TOOL_CHECKDEPS = $(JAVA_SMALL) -Xbootclasspath/p:$(LANGTOOLS_OUTPUTDIR)/dist/boo
    build.tools.deps.CheckDeps

 TOOL_ADDTORESTRICTEDPKGS=$(JAVA_SMALL) -cp $(JDK_OUTPUTDIR)/btclasses \
-    build.tools.addtorestrictedpkgs.AddToRestrictedPkgs
+    build.tools.customizesecurityfile.AddToRestrictedPkgs
+
+TOOL_CRYPTOLEVEL=$(JAVA_SMALL) -cp $(JDK_OUTPUTDIR)/btclasses \
+    build.tools.customizesecurityfile.CryptoLevel

 ##########################################################################################


--- a/make/profile-includes.txt
+++ b/make/profile-includes.txt
 #
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -183,13 +183,15 @@ PROFILE_1_JRE_LIB_FILES += \
    net.properties \
    resources.jar \
    rt.jar \
-    security/US_export_policy.jar \
+    security/policy/limited/US_export_policy.jar \
+    security/policy/unlimited/US_export_policy.jar \
    security/blacklist \
    security/blacklisted.certs \
    security/cacerts \
    security/java.policy \
    security/java.security \
-    security/local_policy.jar \
+    security/policy/limited/local_policy.jar \
+    security/policy/unlimited/local_policy.jar \
    security/trusted.libraries \
    tzdb.dat

@@ -218,8 +220,10 @@ PROFILE_1_JRE_JAR_FILES := \
    jsse.jar \
    resources.jar \
    rt.jar \
-    security/US_export_policy.jar \
-    security/local_policy.jar
+    security/policy/limited/US_export_policy.jar \
+    security/policy/unlimited/US_export_policy.jar \
+    security/policy/limited/local_policy.jar \
+    security/policy/unlimited/local_policy.jar


 PROFILE_2_JRE_BIN_FILES := \

--- a/make/src/classes/build/tools/addtorestrictedpkgs/AddToRestrictedPkgs.java
+++ b/make/src/classes/build/tools/addtorestrictedpkgs/AddToRestrictedPkgs.java
 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package build.tools.addtorestrictedpkgs;
+package build.tools.customizesecurityfile;

 import java.io.*;


--- a/make/src/classes/build/tools/customizesecurityfile/CryptoLevel.java
+++ b/make/src/classes/build/tools/customizesecurityfile/CryptoLevel.java
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package build.tools.customizesecurityfile;
+
+import java.io.*;
+
+/**
+ * Alters the crypto.policy security property
+ * if --enable-unlimited-crypto is enabled.
+ */
+public class CryptoLevel {
+
+    private static final String PROP_NAME = "crypto.policy";
+
+    public static void main(String[] args) throws Exception {
+        boolean fileModified = false;
+
+        if (args.length < 3) {
+            System.err.println("Usage: java CryptoLevel" +
+                               "[input java.security file name] " +
+                               "[output java.security file name] " +
+                               "[unlimited|limited]");
+            System.exit(1);
+        }
+        if (!args[2].equals("unlimited") && !args[2].equals("limited")) {
+            System.err.println("CryptoLevel error: Unexpected " +
+                "input: " + args[2]);
+            System.exit(1);
+        }
+
+        try (FileReader fr = new FileReader(args[0]);
+             BufferedReader br = new BufferedReader(fr);
+             FileWriter fw = new FileWriter(args[1]);
+             BufferedWriter bw = new BufferedWriter(fw))
+        {
+            // parse the file line-by-line, looking for crypto.policy
+            String line = br.readLine();
+            while (line != null) {
+                if (line.startsWith('#' + PROP_NAME) ||
+                    line.startsWith(PROP_NAME)) {
+                    writeLine(bw, PROP_NAME + "=" + args[2]);
+                    fileModified = true;
+                } else {
+                    writeLine(bw, line);
+                }
+                line = br.readLine();
+            }
+            if (!fileModified) {
+                //no previous setting seen. Insert at end
+                writeLine(bw, PROP_NAME + "=" + args[2]);
+            }
+            bw.flush();
+        }
+    }
+
+    private static void writeLine(BufferedWriter bw, String line)
+        throws IOException
+    {
+        bw.write(line);
+        bw.newLine();
+    }
+}
--- a/src/share/classes/javax/crypto/JceSecurity.java
+++ b/src/share/classes/javax/crypto/JceSecurity.java
@@ -29,12 +29,14 @@ import java.util.*;
 import java.util.jar.*;
 import java.io.*;
 import java.net.URL;
+import java.nio.file.*;
 import java.security.*;

 import java.security.Provider.Service;

 import sun.security.jca.*;
 import sun.security.jca.GetInstance.Instance;
+import sun.security.util.Debug;

 /**
 * This class instantiates implementations of JCE engine classes from
@@ -66,6 +68,9 @@ final class JceSecurity {

    private static final boolean isRestricted;

+    private static final Debug debug =
+                        Debug.getInstance("jca", "Cipher");
+
    /*
     * Don't let anyone instantiate this.
     */
@@ -204,7 +209,7 @@ final class JceSecurity {

    static {
        try {
-            NULL_URL = new URL("http://null.sun.com/");
+            NULL_URL = new URL("http://null.oracle.com/");
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
@@ -239,14 +244,70 @@ final class JceSecurity {
        }
    }

+    /*
+     * This is called from within an doPrivileged block.
+     *
+     * Following logic is used to decide what policy files are selected.
+     *
+     * If the new Security property (crypto.policy) is set in the
+     * java.security file, or has been set dynamically using the
+     * Security.setProperty() call before the JCE framework has
+     * been initialized, that setting will be used.
+     * Remember - this property is not defined by default. A conscious
+     * user edit or an application call is required.
+     *
+     * Otherwise, if user has policy jar files installed in the legacy
+     * jre/lib/security/ directory, the JDK will honor whatever
+     * setting is set by those policy files. (legacy/current behavior)
+     *
+     * If none of the above 2 conditions are met, the JDK will default
+     * to using the limited crypto policy files found in the
+     * jre/lib/security/policy/limited/ directory
+     */
    private static void setupJurisdictionPolicies() throws Exception {
-        String javaHomeDir = System.getProperty("java.home");
-        String sep = File.separator;
-        String pathToPolicyJar = javaHomeDir + sep + "lib" + sep +
-            "security" + sep;
+        // Sanity check the crypto.policy Security property.  Single
+        // directory entry, no pseudo-directories (".", "..", leading/trailing
+        // path separators). normalize()/getParent() will help later.
+        String javaHomeProperty = System.getProperty("java.home");
+        String cryptoPolicyProperty = Security.getProperty("crypto.policy");
+        Path cpPath = (cryptoPolicyProperty == null) ? null :
+                Paths.get(cryptoPolicyProperty);
+
+        if ((cpPath != null) && ((cpPath.getNameCount() != 1) ||
+                (cpPath.compareTo(cpPath.getFileName())) != 0)) {
+            throw new SecurityException(
+                    "Invalid policy directory name format: " +
+                            cryptoPolicyProperty);
+        }
+
+        if (cpPath == null) {
+            // Security property is not set, use default path
+            cpPath = Paths.get(javaHomeProperty, "lib", "security");
+        } else {
+            // populate with java.home
+            cpPath = Paths.get(javaHomeProperty, "lib", "security",
+                    "policy", cryptoPolicyProperty);
+        }
+
+        if (debug != null) {
+            debug.println("crypto policy directory: " + cpPath);
+        }
+
+        File exportJar = new File(cpPath.toFile(),"US_export_policy.jar");
+        File importJar = new File(cpPath.toFile(),"local_policy.jar");
+
+        if (cryptoPolicyProperty == null && (!exportJar.exists() ||
+                !importJar.exists())) {
+            // Compatibility set up. If crypto.policy is not defined.
+            // check to see if legacy jars exist in lib directory. If
+            // they don't exist, we default to limited policy mode.
+            cpPath = Paths.get(
+                    javaHomeProperty, "lib", "security", "policy", "limited");
+            // point to the new jar files in limited directory
+            exportJar = new File(cpPath.toFile(),"US_export_policy.jar");
+            importJar = new File(cpPath.toFile(),"local_policy.jar");
+        }

-        File exportJar = new File(pathToPolicyJar, "US_export_policy.jar");
-        File importJar = new File(pathToPolicyJar, "local_policy.jar");
        URL jceCipherURL = ClassLoader.getSystemResource
                ("javax/crypto/Cipher.class");


--- a/src/share/lib/security/java.security-aix
+++ b/src/share/lib/security/java.security-aix
@@ -661,3 +661,68 @@ jdk.tls.legacyAlgorithms= \
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
--- a/src/share/lib/security/java.security-linux
+++ b/src/share/lib/security/java.security-linux
@@ -661,3 +661,68 @@ jdk.tls.legacyAlgorithms= \
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
--- a/src/share/lib/security/java.security-macosx
+++ b/src/share/lib/security/java.security-macosx
@@ -664,3 +664,68 @@ jdk.tls.legacyAlgorithms= \
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
--- a/src/share/lib/security/java.security-solaris
+++ b/src/share/lib/security/java.security-solaris
@@ -663,3 +663,68 @@ jdk.tls.legacyAlgorithms= \
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
--- a/src/share/lib/security/java.security-windows
+++ b/src/share/lib/security/java.security-windows
@@ -664,3 +664,68 @@ jdk.tls.legacyAlgorithms= \
 #       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
+
+# Cryptographic Jurisdiction Policy defaults
+#
+# Due to the import control restrictions of some countries, the default
+# JCE policy files allow for strong but "limited" cryptographic key
+# lengths to be used.  If your country's cryptographic regulations allow,
+# the "unlimited" strength policy files can be used instead, which contain
+# no restrictions on cryptographic strengths.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# <java-home> (below) refers to the directory where the JRE was
+# installed. It is determined based on whether you are running JCE
+# on a JRE or a JRE contained within the Java Development Kit, or
+# JDK(TM). The JDK contains the JRE, but at a different level in the
+# file hierarchy. For example, if the JDK is installed in
+# /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then
+# <java-home> is:
+#
+#  /home/user1/jdk1.8.0/jre           [Unix]
+#  C:\jdk1.8.0\jre                    [Windows]
+#
+# If on the other hand the JRE is installed in /home/user1/jre1.8.0
+# on Unix or in C:\jre1.8.0 on Windows, and the JDK is not
+# installed, then <java-home> is:
+#
+#  /home/user1/jre1.8.0               [Unix]
+#  C:\jre1.8.0                        [Windows]
+#
+# On Windows, for each JDK installation, there may be additional
+# JREs installed under the "Program Files" directory. Please make
+# sure that you install the unlimited strength policy JAR files
+# for all JREs that you plan to use.
+#
+# The policy files are jar files organized into subdirectories of
+# <java-home>/lib/security/policy.  Each directory contains a complete
+# set of policy files.
+#
+# The "crypto.policy" Security property controls the directory selection,
+# and thus the effective cryptographic policy.
+#
+# The default set of directories is:
+#
+#     limited | unlimited
+#
+# however other directories can be created and configured.
+#
+# To support older JDK Update releases, the crypto.policy property
+# is not defined by default. When the property is not defined, an
+# update release binary aware of the new property will use the following
+# logic to decide what crypto policy files get used :
+#
+# * If the US_export_policy.jar and local_policy.jar files are located
+# in the (legacy) <java-home>/lib/security directory, then the rules
+# embedded in those jar files will be used. This helps preserve compatibility
+# for users upgrading from an older installation.
+#
+# * If crypto.policy is not defined and no such jar files are present in
+# the legacy locations, then the JDK will use the limited settings
+# (equivalent to crypto.policy=limited)
+#
+# Please see the JCA documentation for additional information on these
+# files and formats.
+#crypto.policy=unlimited
--- a/test/javax/crypto/CryptoPermission/TestUnlimited.java
+++ b/test/javax/crypto/CryptoPermission/TestUnlimited.java
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8157561
+ * @summary Ship the unlimited policy files in JDK Updates
+ * @run main/othervm TestUnlimited "" exception
+ * @run main/othervm TestUnlimited limited fail
+ * @run main/othervm TestUnlimited unlimited pass
+ * @run main/othervm TestUnlimited unlimited/ pass
+ * @run main/othervm TestUnlimited NosuchDir exception
+ * @run main/othervm TestUnlimited . exception
+ * @run main/othervm TestUnlimited /tmp/unlimited exception
+ * @run main/othervm TestUnlimited ../policy/unlimited exception
+ * @run main/othervm TestUnlimited ./unlimited exception
+ * @run main/othervm TestUnlimited /unlimited exception
+ */
+import javax.crypto.*;
+import java.security.Security;
+
+public class TestUnlimited {
+
+    public static void main(String[] args) throws Exception {
+        /*
+         * Override the Security property to allow for unlimited policy.
+         * Would need appropriate permissions if Security Manager were
+         * active.
+         */
+        if (args.length != 2) {
+            throw new Exception("Two args required");
+        }
+
+        boolean expected = args[1].equals("pass");
+        boolean exception = args[1].equals("exception");
+        boolean result = false;
+
+        System.out.println("Testing: " + args[0]);
+
+        if (args[0].equals("\"\"")) {
+            Security.setProperty("crypto.policy", "");
+        } else {
+            Security.setProperty("crypto.policy", args[0]);
+        }
+
+        /*
+         * Use the AES as the test Cipher
+         * If there is an error initializing, we will never get past here.
+         */
+        try {
+            int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
+            System.out.println("max AES key len:" + maxKeyLen);
+            if (maxKeyLen > 128) {
+                System.out.println("Unlimited policy is active");
+                result = true;
+            } else {
+                System.out.println("Unlimited policy is NOT active");
+                result = false;
+            }
+        } catch (Throwable e) {
+            if (!exception) {
+                throw new Exception();
+            }
+        }
+
+        System.out.println(
+                "Expected:\t" + expected + "\nResult:\t\t" + result);
+        if (expected != result) {
+            throw new Exception();
+        }
+
+        System.out.println("DONE!");
+    }
+}