Jurisdiction Policy File Format
grant {
    <permission entries>;
};

permission <crypto permission class name>[ <alg_name>
    [[, <exemption mechanism name>][, <maxKeySize>
    [, <AlgorithmParameterSpec class name>,
    <parameters for constructing an
    AlgorithmParameterSpec object>]]]];

grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    . . .;
};
A permission entry must begin with the word permission.
The <crypto permission class name> in the template shown previously would actually be a specific permission class name, such as javax.crypto.CryptoPermission. A crypto permission class reflects the ability of an application/applet to use certain algorithms with certain key sizes in certain environments. There are two crypto permission classes: CryptoPermission and CryptoAllPermission.
The special CryptoAllPermission class implies all cryptography-related permissions, that is, it specifies that there are no cryptography-related restrictions.
The <alg_name>, when utilized, is a string in quotation marks specifying the standard name of a cryptography algorithm, such as "DES" or "RSA".
The <exemption mechanism name>, when specified, is a string in quotation marks indicating an exemption mechanism which, if enforced, enables a reduction in cryptographic restrictions. The exemption mechanism names that can be used are "KeyRecovery", "KeyEscrow", and "KeyWeakening".
<maxKeySize> is an integer specifying the maximum key size (in bits) allowed for the specified algorithm.
For some algorithms it might not be sufficient to specify the algorithm strength in terms of just a key size. For example, in the case of the "RC5" algorithm, the number of rounds must also be considered. For algorithms whose strength needs to be expressed as more than a key size, the permission entry should also specify an AlgorithmParameterSpec class name (such as javax.crypto.spec.RC5ParameterSpec) and a list of parameters for constructing the specified AlgorithmParameterSpec object.
Items that appear in a permission entry must appear in the specified order. An entry is terminated with a semicolon.
Case is unimportant for the identifiers (grant, permission) but is significant for the <crypto permission class name> or for any string that is passed in as a value.
Note: An "*" can be used as a wildcard for any permission entry option. For example, an "*" (without the quotation marks) for an <alg_name> option means "all algorithms."
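The following is an added example, not code from the JDK or from this page: a small Python parser for the entry format described above that also lists entries placing no ceiling on key size, which is the first thing to check when reviewing a jurisdiction policy file. The function names, the sample policy, and the rule that a quoted second field is the exemption mechanism while an unquoted one is the key size are assumptions of this example.

```python
import re
CLASSES = {"javax.crypto.CryptoPermission", "javax.crypto.CryptoAllPermission"}
EXEMPTIONS = {"KeyRecovery", "KeyEscrow", "KeyWeakening"}  # names listed on this page

def parse_entry(raw):
    # The 'permission' keyword is case-insensitive; the class name is case-sensitive.
    m = re.match(r"permission\s+([\w.]+)\s*(.*)$", raw, re.I | re.S)
    if not m:
        raise ValueError(f"entry must begin with 'permission': {raw!r}")
    if m.group(1) not in CLASSES:
        raise ValueError(f"unknown crypto permission class: {m.group(1)}")
    fields = [f.strip() for f in m.group(2).split(",")] if m.group(2).strip() else []
    e = {"class": m.group(1), "alg": None, "exemption": None,
         "max_key_size": None, "spec": None}
    if fields:
        e["alg"] = fields.pop(0).strip('"')
    # Assumption: a quoted second field is the exemption name, an unquoted one the key size.
    if fields and fields[0].startswith('"'):
        e["exemption"] = fields.pop(0).strip('"')
        if e["exemption"] not in EXEMPTIONS:
            raise ValueError(f"unknown exemption mechanism: {e['exemption']}")
    if fields:
        size = fields.pop(0)
        e["max_key_size"] = "*" if size == "*" else int(size)
    if fields:  # AlgorithmParameterSpec class name, then its constructor parameters
        e["spec"] = (fields[0].strip('"'), fields[1:])
    return e

def parse_policy(text):
    entries = []
    for block in re.findall(r"grant\s*\{(.*?)\}\s*;", text, re.I | re.S):
        entries += [parse_entry(r.strip()) for r in block.split(";") if r.strip()]
    return entries

def unrestricted(entries):
    """Entries with no key-size ceiling (CryptoAllPermission carries no options)."""
    return [e for e in entries if e["max_key_size"] in (None, "*")]

# Constructed sample policy, not taken from any shipped JDK file.
SAMPLE = '''
GRANT {
    permission javax.crypto.CryptoPermission "DES", 64;
    Permission javax.crypto.CryptoPermission "RC5", 128, "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "AES", "KeyRecovery", 256;
    permission javax.crypto.CryptoPermission *, *;
    permission javax.crypto.CryptoAllPermission;
};
'''
if __name__ == "__main__":
    print([(e["class"], e["alg"]) for e in unrestricted(parse_policy(SAMPLE))])
```

The parser does not handle comments inside policy files, since the format description above does not cover them.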