Vladimir Vladimir - 5 months ago 89
Java Question

InvalidKeyException Illegal key size

I have a test which runs great on my development MacBook Pro, but fails to run in continuous integration TeamCity server.

The error is following:

java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)

Both development box and TeamCity uses Java 1.6 and I use BouncyCastle library for the need of special AES encryption.

The code is following:

private byte[] aesEncryptedInfo(String info) throws UnsupportedEncodingException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidParameterSpecException, InvalidAlgorithmParameterException, NoSuchProviderException {
Security.addProvider(new BouncyCastleProvider());
SecretKey secret = new SecretKeySpec(CUSTOMLONGSECRETKEY.substring(0, 32).getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
cipher.init(Cipher.ENCRYPT_MODE, secret, new IvParameterSpec(VECTOR_SECRET_KEY.getBytes()));
return cipher.doFinal(info.getBytes("UTF-8"));


Looks like according to the selected answer I have to modify something on my TeamCity installation and it will possibly affect some user installations - so its not a good choice I have to switch to another crypto library to do that without limitations. So probably bouncy castle will help.


I actually switched to use BouncyCastle to avoid this limitation. Note this only works if you use own BC classes directly, not the BC provider.

Answer Source

You need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (available at Oracle).

If you don't, the keysize is limited due to US export laws.

To install these files (from the README.txt in the download):

  1. Download the unlimited strength JCE policy files.

  2. Uncompress and extract the downloaded file.

    This will create a subdirectory called jce. This directory contains the following files:

    README.txt                   This file
    local_policy.jar             Unlimited strength local policy file
    US_export_policy.jar         Unlimited strength US export policy file
  3. Install the unlimited strength policy JAR files.

    In case you later decide to revert to the original "strong" but limited policy versions, first make a copy of the original JCE policy files (US_export_policy.jar and local_policy.jar). Then replace the strong policy files with the unlimited strength versions extracted in the previous step.

    The standard place for JCE jurisdiction policy JAR files is:

    <java-home>/lib/security           [Unix]
    <java-home>\lib\security           [Windows]

Note for the JDK it is in jre/lib/security.

The new policy file only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).

This answer applies to Java 8 and earlier; it looks like the Unlimited Strength Jurisdiction Policy Files are no longer necessary with Java 9.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download