Jurisdiction Policy File Format

A jurisdiction policy file consists of a very basic "grant entry" containing one or more "permission entries."
grant {
 <permission entries>;
};
The format of a permission entry in a jurisdiction policy file is:
permission <crypto permission class name>[ <alg_name>
 [[, <exemption mechanism name>][, <maxKeySize>
 [, <AlgorithmParameterSpec class name>,
 <parameters for constructing an 
 AlgorithmParameterSpec object>]]]];
A sample jurisdiction policy file that, among other entries, restricts the "DES" algorithm to a maximum key size of 64 bits is:
grant {
 permission javax.crypto.CryptoPermission "DES", 64;
 . . .;
};

A permission entry must begin with the word permission. The <crypto permission class name> in the template shown previously would actually be a specific permission class name, such as javax.crypto.CryptoPermission. A crypto permission class reflects the ability of an application/applet to use certain algorithms with certain key sizes in certain environments. There are two crypto permission classes: CryptoPermission and CryptoAllPermission. The special CryptoAllPermission class implies all cryptography-related permissions, that is, it specifies that there are no cryptography-related restrictions.

The <alg_name>, when utilized, is a string in quotation marks specifying the standard name of a cryptography algorithm, such as "DES" or "RSA".

The <exemption mechanism name>, when specified, is a string in quotation marks indicating an exemption mechanism which, if enforced, enables a reduction in cryptographic restrictions. The exemption mechanism names that can be used are "KeyRecovery", "KeyEscrow", and "KeyWeakening".

<maxKeySize> is an integer specifying the maximum key size (in bits) allowed for the specified algorithm.

For some algorithms it might not be sufficient to specify the algorithm strength in terms of just a key size. For example, in the case of the "RC5" algorithm, the number of rounds must also be considered. For algorithms whose strength needs to be expressed as more than a key size, the permission entry should also specify an AlgorithmParameterSpec class name (such as javax.crypto.spec.RC5ParameterSpec) and a list of parameters for constructing the specified AlgorithmParameterSpec object.

Items that appear in a permission entry must appear in the specified order. An entry is terminated with a semicolon.

Case is unimportant for the identifiers (grant, permission) but is significant for the <crypto permission class name> or for any string that is passed in as a value.

Note: An "*" can be used as a wildcard for any permission entry option. For example, an "*" (without the quotation) for an <alg_name> option means "all algorithms."