1

I want to make a Java application that makes signatures but have run into the problem with the unlimited strength policy files, discussed in many posts, e.g. How to avoid installing "Unlimited Strength" JCE policy files when deploying an application?

Everything works fine of course when I switch the policy files but I would rather avoid this and since I don't plan to use symmetric encryption my guess was that it would be possible. My problem is that that I get the Illegal key size exception already in the load method of KeyStore.

My questions:

1) Can I do anything about the internal encryption in the keystore so the key size limitation doesn't require users to change policy files?

2) I have understood that the BouncyCastle Lightweight API could be an option. If so, how do I load a keystore with that API?

Security.addProvider(new BouncyCastleProvider());           

//Get private key
KeyStore keyStore = KeyStore.getInstance("PKCS12","BC");
String pwd = "password";
FileInputStream finJKS = new FileInputStream("C:\\TEMP\\host.p12");
keyStore.load(finJKS,pwd.toCharArray());

run: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size

Running jre in JDK 7u51 on Netbeans 7.4 on Windows.

Best regards

Community
  • 1
  • 1
L.Fuentes
  • 35
  • 1
  • 5

1 Answers1

2

Your code snippet throws an InvalidKeyException despite using BouncyCastle, because you are not using the BC Lightweight API. If you access BC through the JCE API then the same limits on crypto strength apply as with Sun/Oracle providers.

PKCS#12 files are usually encrypted with 3DES (pbeWithSHA1And3-KeyTripleDES-CBC), which is not restricted by the default policy file. However, PKCS#12 allows the use of arbitrary encryption algorithms, so it seems like you got a p12 file that is encrypted with another algorithm. You can check this with openssl:

openssl pkcs12 -in host.p12 -info -noout

The encryption algorithm should change when you convert the keystore to JKS or JCEKS (more secure) with keytool:

keytool -importkeystore -srckeystore host.p12 -srcstoretype PKCS12 -deststoretype JCEKS -destkeystore host.jks

Of course you will have to adapt your code then:

KeyStore keyStore = KeyStore.getInstance("JCEKS");

You could even convert the JCEKS keystore back to PKCS12 with keytool. Keytool generates PKCS12 files with pbeWithSHA1And3-KeyTripleDES-CBC.

Omikron
  • 4,072
  • 1
  • 27
  • 28
  • Thanks a lot for the valuable information. I tested my p12 file and it actually used the pbeWithSHA1And3-KeyTripleDES-CBC algorithm. Anyway when I tested without BouncyCastle: KeyStore keyStore = KeyStore.getInstance("PKCS12"); I then didn't get any trouble with the policy files. The same applied when I converted the keystore according to your example and used the "JCEKS" instance. – L.Fuentes Jan 12 '15 at 14:20
  • Well, this is the expected behavior. There seems to be a strange issue with BC and your p12 file, because it should make no difference if you use BC or not (I actually just tried it with one of my p12 files). – Omikron Jan 12 '15 at 15:09