
Please read the full question before marking it as a duplicate or downvoting. I need to add AES 256 encryption to my project, so, following the instructions here, I have added the security jars to the lib/security folder of my JRE and my JDK. Now if I run the code using the main method it is working, but if I deploy it in Tomcat it is throwing me this error:

java.security.InvalidKeyException: Illegal key size or default parameters
        at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
        at javax.crypto.Cipher.implInit(Cipher.java:801)
        at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
        at javax.crypto.Cipher.init(Cipher.java:1249)
        at javax.crypto.Cipher.init(Cipher.java:1186)
        at com.infy.encrypt.Encryption.encrypt(Encryption.java:36)
        at com.infy.service.UserServiceImpl.addUser(UserServiceImpl.java:24)
        at com.infy.controller.UserController.addUser(UserController.java:44)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)

I think my Tomcat is not reading the updated policy files. I tried killing the JVM processes, but no luck.

Below is my encryption code:

import java.security.AlgorithmParameters;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64; // Apache Commons Codec

public class Encryption {

    public String encrypt(String word) throws Exception {

        byte[] ivBytes;
        String password = "Hello";
        /* you can give whatever you want for password. This is for testing purposes */

        // fresh random 20-byte salt on every call
        SecureRandom random = new SecureRandom();
        byte[] bytes = new byte[20];
        random.nextBytes(bytes);
        byte[] saltBytes = bytes;

        // Derive a 256-bit AES key from the password with PBKDF2.
        // The 256-bit key size is what a JRE with the restricted JCE policy rejects.
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), saltBytes, 65556, 256);
        SecretKey secretKey = factory.generateSecret(spec);
        SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), "AES");

        // encrypting the word; init without an IV lets the provider generate a
        // random IV, which is read back from the cipher parameters below
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, secret); // this is the call that throws in the stack trace
        AlgorithmParameters params = cipher.getParameters();
        ivBytes = params.getParameterSpec(IvParameterSpec.class).getIV();

        byte[] encryptedTextBytes = cipher.doFinal(word.getBytes("UTF-8"));

        // prepend salt and IV: [20-byte salt][16-byte IV][ciphertext]
        byte[] buffer = new byte[saltBytes.length + ivBytes.length + encryptedTextBytes.length];
        System.arraycopy(saltBytes, 0, buffer, 0, saltBytes.length);
        System.arraycopy(ivBytes, 0, buffer, saltBytes.length, ivBytes.length);
        System.arraycopy(encryptedTextBytes, 0, buffer, saltBytes.length + ivBytes.length, encryptedTextBytes.length);

        return new Base64().encodeToString(buffer);
    }
}

Below is the test method:

public static void main(String[] args) throws Exception {

        Encryption en=new Encryption();
        String encryptedWord=en.encrypt("Test"); 
        System.out.println("Encrypted word is : " + encryptedWord);
        Decryption de =new Decryption();
        System.out.println("Decrypted word is : " +    de.decrypt(encryptedWord));  
    }

Output:

Encrypted word is : o73KvJpuI/QdJlswEsBqf/Cz0PDdUdX0emADyTMxqVeHDP1QSkH+YR0HlWAMb+dNGDjy3w==

But if I hit the same thing after deploying it in Tomcat it is not working. Below is my controller class:

@RequestMapping(value = "/register/add", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody UserMVC addUser(@RequestBody UserMVC p) {
    System.out.println("inside controller");
    /* if (p.getId() == 0) {
           // new user, add it
           this.userService.addUser(p);
       } else {
           // existing user, call update
           this.userService.updateUser(p);
       } */
    User user = new User();
    user.setFirstname(p.getFirstName());
    user.setLastname(p.getLastName());
    user.setPassword(p.getPassword());
    user.setUsername(p.getUserName());
    this.userService.addUser(user);
    return p;
}

And the addUser method of the DAO:

public void addUser(User p) {
        try {
            Encryption en=new Encryption();
            p.setPassword(en.encrypt(p.getPassword()));
            System.out.println("password:"+p.getPassword());
            this.userDao.addUser(p);
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
Sanidhya
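The Decryption class called by the test method is not shown in the question. The class below is an added counterpart, not the questioner's code, written against the layout that encrypt() produces: a 20-byte random salt, then the 16-byte CBC IV, then the ciphertext, Base64-encoded with Commons Codec. It assumes the same hardcoded test password, iteration count and key size as encrypt(). Because it derives the same 256-bit key, cipher.init fails with the same InvalidKeyException on a JRE whose JCE policy is still restricted, so the fix belongs in the JVM Tomcat runs, not in this code.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64; // Apache Commons Codec, as in encrypt()

/**
 * Added example: decrypts what Encryption.encrypt() returns.
 * The constants mirror encrypt() and are assumptions about that code.
 */
public class Decryption {

    private static final int SALT_LEN = 20;      // encrypt() draws 20 random salt bytes
    private static final int IV_LEN = 16;        // AES block size; CBC IV length
    private static final int ITERATIONS = 65556; // must match the PBKDF2 count in encrypt()
    private static final int KEY_BITS = 256;     // the key size that needs the unlimited policy

    public String decrypt(String encoded) throws Exception {
        String password = "Hello"; // same test password as encrypt()

        byte[] buffer = Base64.decodeBase64(encoded);
        if (buffer.length < SALT_LEN + IV_LEN) {
            throw new IllegalArgumentException("input too short to hold salt and IV");
        }

        // split [salt][iv][ciphertext] exactly as encrypt() laid it out
        byte[] saltBytes = Arrays.copyOfRange(buffer, 0, SALT_LEN);
        byte[] ivBytes = Arrays.copyOfRange(buffer, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] encryptedTextBytes = Arrays.copyOfRange(buffer, SALT_LEN + IV_LEN, buffer.length);

        // re-derive the same 256-bit key from password and stored salt
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), saltBytes, ITERATIONS, KEY_BITS);
        SecretKey secretKey = factory.generateSecret(spec);
        SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), "AES");

        // same InvalidKeyException as in the question if this JVM's JCE is restricted
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(ivBytes));

        return new String(cipher.doFinal(encryptedTextBytes), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Encryption en = new Encryption();
        String encryptedWord = en.encrypt("Test");
        System.out.println("Decrypted word is : " + new Decryption().decrypt(encryptedWord));
    }
}
```

Separately from the policy problem: addUser() stores the user's password reversibly under a fixed key. For password storage the PBKDF2 output itself (salt plus derived bytes) is normally stored and compared at login, so nothing ever needs decrypting.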
  • Which means that the JRE Tomcat is running with doesn't have these policy files. – Artjom B. Jul 10 '17 at 19:21
  • @ArtjomB. Maybe, but I only have one JRE installed on my PC. – Sanidhya Jul 10 '17 at 19:22
  • "if I run code using main method it is working but if I deploy it in tomcat...error" - what does that tell you? Tomcat doesn't see these jars. Put logging in your code to dump all system and environment variables at startup, and compare those. – Abhijit Sarkar Jul 10 '17 at 19:31
  • @AbhijitSarkar: Didn't get you. Tomcat can see these jars, right? You mean if we enable SSL and all? – Sanidhya Jul 10 '17 at 19:35
  • If you have a JDK installed, then you have at least two JREs. The JDK has an internal JRE. – Artjom B. Jul 10 '17 at 19:36
  • @ArtjomB. Yes, and both have those security JARs, and as I mentioned it runs if I run it through the JDK only, but if I deploy it in Tomcat then it is giving the error. – Sanidhya Jul 10 '17 at 19:39
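The comments above point at the JRE that Tomcat actually starts, which need not be the one whose lib/security folder was updated. The class below is an added diagnostic, not code from the question or the comments: it reports java.home and whether the JCE in the running JVM allows 256-bit AES, and checks for the Java 8 policy jars under that java.home (the file names and the lib/security path are the Java 8 layout and are assumptions about the questioner's setup). Run it once from the command line and once from inside the deployed app, for example from a ServletContextListener or temporarily from the controller, and compare the two outputs.

```java
import java.io.File;
import javax.crypto.Cipher;

/**
 * Added diagnostic: prints which JRE this code runs in and whether its
 * JCE policy permits 256-bit AES. Compare the output from "java JcePolicyCheck"
 * with the output logged from inside Tomcat.
 */
public class JcePolicyCheck {

    /** True when the JCE policy of the running JVM allows AES keys longer than 128 bits. */
    public static boolean unlimitedAes() throws Exception {
        // Integer.MAX_VALUE with the unlimited policy, 128 with the restricted one
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /** Human-readable summary of the JVM and its policy files. */
    public static String report() throws Exception {
        String javaHome = System.getProperty("java.home");
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");

        // Java 8 layout (assumed): the policy jars sit in <java.home>/lib/security
        File localPolicy = new File(javaHome, "lib/security/local_policy.jar");
        File exportPolicy = new File(javaHome, "lib/security/US_export_policy.jar");

        StringBuilder sb = new StringBuilder();
        sb.append("java.home        = ").append(javaHome).append('\n');
        sb.append("java.version     = ").append(System.getProperty("java.version")).append('\n');
        sb.append("java.vendor      = ").append(System.getProperty("java.vendor")).append('\n');
        sb.append("max AES key bits = ").append(maxAes)
          .append(maxAes == Integer.MAX_VALUE ? " (unlimited)" : " (restricted)").append('\n');
        sb.append(localPolicy.getAbsolutePath()).append(" : ")
          .append(localPolicy.isFile() ? "present" : "missing").append('\n');
        sb.append(exportPolicy.getAbsolutePath()).append(" : ")
          .append(exportPolicy.isFile() ? "present" : "missing").append('\n');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(report());
        // exit code 1 makes the check usable from a startup script
        System.exit(unlimitedAes() ? 0 : 1);
    }
}
```

If the output logged from Tomcat shows a different java.home than the command-line run, the policy jars belong in that JRE: catalina.sh picks the JVM from JRE_HOME or JAVA_HOME (typically set in setenv.sh), and a Tomcat installed as a Windows service uses the JVM path configured in the service settings, not the one on the PATH. On Java 8u151 and later the restriction can instead be lifted by setting the crypto.policy=unlimited security property in java.security, and from 8u161 on the unlimited policy is the default, so the jars are no longer needed there.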
