1

Writing code to generate digital certificate

Here is the piece of code causing the problem:

```java
PBEKeySpec keySpec = new PBEKeySpec(password);

SecretKeyFactory keyFactory = SecretKeyFactory
        .getInstance("PBEWITHMD5ANDTRIPLEDES"/* "PBEWithSHAAndTwofish-CBC" */);

SecretKey key = keyFactory.generateSecret(keySpec);

PBEParameterSpec paramSpec = new PBEParameterSpec(salt, MD5_ITERATIONS);

Cipher cipher = Cipher.getInstance("PBEWITHMD5ANDTRIPLEDES");
cipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); // the exception is thrown here

byte[] ciphertext = cipher.doFinal(plaintext);
```

I am facing this exception:

```
java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1023)
    at javax.crypto.Cipher.implInit(Cipher.java:789)
    at javax.crypto.Cipher.chooseProvider(Cipher.java:848)
    at javax.crypto.Cipher.init(Cipher.java:1347)
    at javax.crypto.Cipher.init(Cipher.java:1281)
    at chapter4.GenSig.passwordEncrypt(GenSig.java:290)
    at chapter4.GenSig.generateKeyPair(GenSig.java:92)
    at chapter4.GenSig.main(GenSig.java:48)
```

When I searched the internet for the exception name, almost all the results gave one solution (install JCE): add the jars below to the security folder of the JRE and JDK I'm using.

local_policy.jar
US_export_policy

I added those jars and restarted my machine. Still the same issue, so I am posting.

Let me know if you need further details.

FULL CODE HERE

Thanks for your time.

Suresh Atta
  • If password is a string, you have to use `password.toCharArray()`. What is the value of MD5_ITERATIONS? Try initializing salt this way: `byte[] salt = new byte[8]; Random r = new Random(); r.nextBytes(salt);` – Satish Oct 08 '13 at 12:46
  • Check my other 2 suggestions of top comment. Try 1000 for testing instead of MD5_ITERATIONS. – Satish Oct 08 '13 at 12:49
  • @Satish Thanks for looking into this: I shifted to [Java7](http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) and no error is produced, but when I'm installing the certificate in the browser, it's not asking for the given password. Any ideas? – Suresh Atta Oct 08 '13 at 12:53
  • The code which you have shown is encrypting the String `plaintext` using key generated using PBE. I am confused what `certificate` you are trying to install as per your comment. Please forgive me for my ignorance. Please explain – Satish Oct 08 '13 at 12:58
  • @Satish I added the link to full code. If you don't mind can you please spend some time to look in to that. I'm really new to encryption. – Suresh Atta Oct 08 '13 at 13:06
  • I am in office and that site pastebin.com is blocked by proxy! Can you put it on wordpress? – Satish Oct 08 '13 at 13:07
  • Sorry even chat is blocked in office. :( – Satish Oct 08 '13 at 13:23
  • @Satish Here is the Ideone link https://ideone.com/kYcHtN. My only problem now is that after generating the `encryptedPrivateKeyBytes` from method `passwordEncrypt`, I want to set that password on that certificate. How can I proceed with that? – Suresh Atta Oct 08 '13 at 13:37
  • generateKeyPair() will generate public, private key and generateCertificate() combines these two and generates X509 certificate. newpass.cer ->X509 certificate. You can use this certificate in server. RimaPub.der->public key pvtkey.der->private key. So while running this program you are getting exception as given in your main question? I downloaded the file. Let me compile and check – Satish Oct 08 '13 at 13:43
  • Here is the [link](http://stackoverflow.com/questions/9432518/what-is-the-key-size-for-pbewithmd5andtripledes) to your problem. It has been suggested not to use PBEWITHMD5ANDTRIPLEDES. I changed it to PBEWithSHA1AndDESede in your code and it worked. But the link suggests following [this](http://stackoverflow.com/questions/992019/java-256-bit-aes-password-based-encryption/992413#992413) solution. – Satish Oct 08 '13 at 13:55
  • Now that exception is resolved after I shifted to `Java7`, and I'm moving on to the next set of tasks on the same certificate. I'm from Andhra :) – Suresh Atta Oct 08 '13 at 13:59
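
The last linked suggestion in the comments above (a password-derived AES key instead of `PBEWITHMD5ANDTRIPLEDES`), as an added example that is not the asker's or the commenters' code. The class name `PbkdfAesExample`, the iteration count, the salt and IV lengths, the `salt || iv || ciphertext` layout and the sample password are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class): PBKDF2 + AES-CBC instead of PBEWITHMD5ANDTRIPLEDES.
public class PbkdfAesExample {
    static final int ITERATIONS = 65536; // assumed work factor
    static final int KEY_BITS = 128;     // 256 needs the unlimited policy files on Java 6/7
    static final int SALT_LEN = 16, IV_LEN = 16, HDR = SALT_LEN + IV_LEN;

    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(spec).getEncoded();
        spec.clearPassword(); // wipe the spec's internal copy of the password
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns salt || iv || ciphertext so decrypt() needs only the password. */
    static byte[] encrypt(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] header = new byte[HDR];
        new SecureRandom().nextBytes(header); // fresh random salt and IV per message
        byte[] salt = Arrays.copyOfRange(header, 0, SALT_LEN);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt),
                new IvParameterSpec(header, SALT_LEN, IV_LEN));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(header, HDR + ct.length);
        System.arraycopy(ct, 0, out, HDR, ct.length);
        return out;
    }

    static byte[] decrypt(char[] password, byte[] blob) throws GeneralSecurityException {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt),
                new IvParameterSpec(blob, SALT_LEN, IV_LEN));
        return c.doFinal(blob, HDR, blob.length - HDR);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-password".toCharArray(); // constructed sample value
        byte[] blob = encrypt(pw, "constructed private key bytes".getBytes("UTF-8"));
        System.out.println(new String(decrypt(pw, blob), "UTF-8"));
    }
}
```

CBC gives confidentiality only, so a stored blob should also carry a MAC (or use an authenticated mode where the runtime provides one) if tampering is a concern.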

2 Answers

2

The error about an illegal key size is usually due to the restrictions in the policy files. The solutions you found are correct.

You said that you added the files to the security folder. Adding is not correct. You must replace them, as they are already there. If you really added them, then something was wrong.

Additionally, take care of the Java version. The policy files to be replaced differ between Java 6 and Java 7.

Last, but not least: You might not have copied the policy files to the correct folder. On my machine, I have both - Java 6 and Java 7 installed. So my program files directory contains the four folders jdk6, jre6, jdk7, jre7. A folder named jre also exists in the jdk6 and in the jdk7 folder. You should replace the policy files in all jre folders.

I also have several embedded jre folders on my disk. If you have that also ... replace the files there, too. And that is maybe a good solution for deployment: Add an embedded JRE, so you can replace whatever files you want in that JRE.

Seelenvirtuose
  • Yes, I have overridden the files, and in all the JREs. I'm using jdk6. So is there any special link to download? Thanks though for looking into this. Downloaded from here http://www.oracle.com/technetwork/java/javase/downloads/index.html – Suresh Atta Oct 08 '13 at 12:17
  • Your download link is for Java 7. Try it with http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html. – Seelenvirtuose Oct 08 '13 at 12:23
  • No luck, the same problem. I downloaded from the same link and tried once again, and was left with the same error. – Suresh Atta Oct 08 '13 at 12:32
  • Maybe your key has indeed a size that is too large. Maybe debugging will help you to find that out? Otherwise ... I do not really have another idea. :-( – Seelenvirtuose Oct 08 '13 at 12:34
  • I shifted to [Java7](http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) and no error is produced, but when I'm installing the certificate in the browser, it's not asking for the given password. Any ideas? – Suresh Atta Oct 08 '13 at 12:53
  • No, no idea. But it also seems to better be another question. – Seelenvirtuose Oct 08 '13 at 13:40
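
To confirm that the replaced policy files are the ones the running JVM actually loads, here is an added diagnostic (not part of the answer above; the class name `PolicyCheck` and the sample password and salt are constructed for illustration). It prints `java.home`, the maximum key length the active policy permits, and the result of repeating the failing `Cipher.init` call from the question.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Added diagnostic (hypothetical class): reports which JRE is running and
// whether its policy files permit the cipher that failed in the question.
public class PolicyCheck {
    // Algorithm name taken from the question.
    static final String PBE_ALG = "PBEWITHMD5ANDTRIPLEDES";

    /** True when the running JRE allows keys longer than the default 128-bit limit. */
    static boolean unlimitedPolicy(String transformation) throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength(transformation) > 128;
    }

    /** Repeats the failing Cipher.init from the question with constructed inputs. */
    static String tryInit() {
        try {
            char[] password = "constructed-password".toCharArray(); // constructed sample
            byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8};                 // fixed salt: test only
            SecretKey key = SecretKeyFactory.getInstance(PBE_ALG)
                    .generateSecret(new PBEKeySpec(password));
            Cipher cipher = Cipher.getInstance(PBE_ALG);
            cipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt, 1000));
            return "init OK";
        } catch (GeneralSecurityException e) {
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // The policy jars must be replaced under this directory's lib/security.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String alg : new String[] {"AES", PBE_ALG}) {
            System.out.println(alg + " max key bits = " + Cipher.getMaxAllowedKeyLength(alg));
        }
        System.out.println("unlimited policy: " + unlimitedPolicy("AES"));
        System.out.println(PBE_ALG + ": " + tryInit());
    }
}
```

Run it with the same `java` executable that launches the failing program; if `java.home` is not the folder where the jars were replaced, the replacement has no effect on that run.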
2

In `SecretKeyFactory.getInstance(String algorithm)`, the algorithm name has the AND as "And", and "TRIPLEDES" seems to be "DESede". So try `PBEWithMD5AndDESede`.

Also, Java (by default) doesn't contain any actual implementations; it directs the request to the underlying platform, so they are dependent on what is supported by your OS.

Martin Spamer
  • Bah!! `java.security.NoSuchAlgorithmException: PBEWithMD5AndDESede SecretKeyFactory not available`, Thanks though. – Suresh Atta Oct 08 '13 at 12:25
  • Also the Java 7 Documentation is a lot clearer than the Java 6 Docs. – Martin Spamer Oct 08 '13 at 12:32
  • I shifted to [Java7](http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) and no error is produced, but when I'm installing the certificate in the browser, it's not asking for the given password. Any ideas? – Suresh Atta Oct 08 '13 at 12:52
  • You'll be using the public part of the cert in the Browser, generally you only need a pass phrase to access the private key. – Martin Spamer Oct 11 '13 at 08:53