InvalidKeyException Illegal Key Size - Java code throwing exception for encryption class - how to fix

Question

I ve been trying to get some working Java code to use for encrypting Paypal buttons  This is no easy task  Even when I get some code  from Paypal  I m faced with errors  ugh    So here is what I have so far  that I think will work eventually   I downloaded the Java zip file from Paypal s website  Within it are two classes - ClientSide java and ButtonEncryption java  The Problem - I m getting an InvalidKeyException   Illegal key size error   Questions 1  How do I resolve this issue  2  What line of code is throwing the error   C  jakarta-tomcat webapps PlanB WEB-INF classes gt java palmb servlets paypal ButtonEncryption java io IOException  exception decrypting data - java security InvalidKeyException  Illegal key size         at org bouncycastle jce provider JDKPKCS12KeyStore cryptData Unknown Source          at org bouncycastle jce provider JDKPKCS12KeyStore engineLoad Unknown Source          at java security KeyStore load Unknown Source          at palmb servlets paypal ClientSide getButtonEncryptionValue ClientSide java 63          at palmb servlets paypal ButtonEncryption main ButtonEncryption java 81      ClientSide class  package palmb servlets paypal   import java io ByteArrayOutputStream  import java io FileInputStream  import java io IOException  import java io PrintWriter  import java security InvalidAlgorithmParameterException  import java security KeyStore  import java security KeyStoreException  import java security NoSuchAlgorithmException  import java security NoSuchProviderException  import java security PrivateKey  import java security UnrecoverableKeyException  import java security cert CertStore  import java security cert CertStoreException  import java security cert CertificateException  import java security cert CertificateFactory  import java security cert CollectionCertStoreParameters  import java security cert X509Certificate  import java util ArrayList  import java util Enumeration   import org bouncycastle cms CMSEnvelopedData  import org bouncycastle cms CMSEnvelopedDataGenerator  import org bouncycastle cms CMSException  import org bouncycastle cms CMSProcessableByteArray  import org bouncycastle cms CMSSignedData  import org bouncycastle cms CMSSignedDataGenerator  import org bouncycastle openssl PEMReader  import org bouncycastle util encoders Base64           public class ClientSide        private String  keyPath      private String  certPath      private String  paypalCertPath      private String  keyPass       public ClientSide  String keyPath  String certPath  String paypalCertPath  String keyPass                 this keyPath   keyPath          this certPath   certPath          this paypalCertPath   paypalCertPath          this keyPass   keyPass                public String getButtonEncryptionValue String  data  String  privateKeyPath  String  certPath  String  payPalCertPath                                              String  keyPass  throws IOException CertificateException KeyStoreException                                              UnrecoverableKeyException InvalidAlgorithmParameterException NoSuchAlgorithmException                                              NoSuchProviderException CertStoreException CMSException            data    data replace        n            CertificateFactory cf   CertificateFactory getInstance  X509    BC                Read the Private Key         KeyStore ks   KeyStore getInstance  PKCS12    BC            ks load  new FileInputStream  privateKeyPath    keyPass toCharArray               String keyAlias   null          Enumeration aliases   ks aliases            while  aliases hasMoreElements                  keyAlias    String  aliases nextElement                       PrivateKey privateKey    PrivateKey  ks getKey  keyAlias   keyPass toCharArray                  Read the Certificate         X509Certificate certificate    X509Certificate  cf generateCertificate  new FileInputStream  certPath                 Read the PayPal Cert         X509Certificate payPalCert    X509Certificate  cf generateCertificate  new FileInputStream  payPalCertPath                 Create the Data         byte   data    data getBytes                Sign the Data with my signing only key pair         CMSSignedDataGenerator signedGenerator   new CMSSignedDataGenerator             signedGenerator addSigner  privateKey  certificate  CMSSignedDataGenerator DIGEST SHA1             ArrayList certList   new ArrayList            certList add certificate           CertStore certStore   CertStore getInstance   Collection   new CollectionCertStoreParameters certList             signedGenerator addCertificatesAndCRLs certStore            CMSProcessableByteArray cmsByteArray   new CMSProcessableByteArray data           ByteArrayOutputStream baos   new ByteArrayOutputStream            cmsByteArray write baos           System out println   CMSProcessableByteArray contains      baos toString                     CMSSignedData signedData   signedGenerator generate cmsByteArray  true   BC             byte   signed   signedData getEncoded             CMSEnvelopedDataGenerator envGenerator   new CMSEnvelopedDataGenerator            envGenerator addKeyTransRecipient payPalCert           CMSEnvelopedData envData   envGenerator generate  new CMSProcessableByteArray signed                   CMSEnvelopedDataGenerator DES EDE3 CBC   BC              byte   pkcs7Bytes   envData getEncoded              return new String  DERtoPEM pkcs7Bytes   PKCS7                  public static byte   DERtoPEM byte   bytes  String headfoot                 ByteArrayOutputStream pemStream   new ByteArrayOutputStream            PrintWriter writer   new PrintWriter pemStream            byte   stringBytes   Base64 encode bytes            System out println  Converting     stringBytes length     bytes             String encoded   new String stringBytes            if  headfoot    null                writer print  -----BEGIN     headfoot    ----- n                          write 64 chars per line till done         int i   0          while   i   1    64  lt  encoded length                  writer print encoded substring i   64   i   1    64                writer print   n                i                      if  encoded length     64    0                writer print encoded substring i   64       write remainder             writer print   n                      if  headfoot    null                writer print  -----END     headfoot    ----- n                      writer flush            return pemStream toByteArray                 ButtonEncryption class  package palmb servlets paypal     import com paypal crypto sample     import palmb servlets paypal ClientSide   import java io    import java security InvalidAlgorithmParameterException  import java security KeyStoreException  import java security NoSuchAlgorithmException  import java security NoSuchProviderException  import java security Security  import java security UnrecoverableKeyException  import java security cert CertStoreException  import java security cert CertificateException  import org bouncycastle cms CMSException           public class ButtonEncryption           path to public cert     private static String certPath    C  jakarta-tomcat webapps PlanB Certs public-cert pem          path to private key in PKCS12 format     private static String keyPath    C  jakarta-tomcat webapps PlanB Certs my pkcs12 p12          path to Paypal s public cert     private static String paypalCertPath    C  jakarta-tomcat webapps PlanB Certs paypal cert pem txt          private key password     private static String keyPass    password     will be replaced with actual password when compiled and executed        the button command  properties parameters     private static String cmdText    cmd  xclick nbusiness buyer hotmail com nitem name vase nitemprice 25 00      cmd  xclick business sample paypal com amount 1 00 currency code USD        output file for form code     private static String output    test html         public static void main String   args                 Security addProvider new org bouncycastle jce provider BouncyCastleProvider                String stage    sandbox            try                        ClientSide client side   new ClientSide  keyPath  certPath  paypalCertPath  keyPass                 String result   client side getButtonEncryptionValue  cmdText  keyPath  certPath  paypalCertPath  keyPass                 File outputFile   new File  output                if   outputFile exists                     outputFile delete                 if   result    null  amp  amp  result                                      try                               OutputStream fout  new FileOutputStream  output                        OutputStream bout  new BufferedOutputStream fout                       OutputStreamWriter out   new OutputStreamWriter bout   US-ASCII                         out write    lt form action   https   www                          out write  stage                        out write   paypal com cgi-bin webscr   method   post   gt                            out write    lt input type   hidden   name   cmd   value    s-xclick   gt                             out write    lt input type   image   src   https   www                          out write  stage                        out write   paypal com en US i btn x-click-but23 gif   border   0   name   submit                            out write   alt   Make payments with PayPal - it s fast  free and secure    gt                          out write    lt input type   hidden   name   encrypted   value                            out write  result                        out write      gt                          out write    lt  form gt                          out flush        Don t forget to flush                      out close                                          catch  UnsupportedEncodingException e                        System out println                        This VM does not support the ASCII character set                                                                catch  IOException e                        System out println e getMessage                                                                  catch  NoSuchAlgorithmException e                            TODO Auto-generated catch block             e printStackTrace                       catch  NoSuchProviderException e                            TODO Auto-generated catch block             e printStackTrace                       catch  IOException e                            TODO Auto-generated catch block             e printStackTrace                       catch  CMSException e                            TODO Auto-generated catch block             e printStackTrace                       catch  CertificateException e                            TODO Auto-generated catch block             e printStackTrace                       catch  KeyStoreException e                            TODO Auto-generated catch block             e printStackTrace                       catch  UnrecoverableKeyException e                            TODO Auto-generated catch block             e printStackTrace                       catch  InvalidAlgorithmParameterException e                            TODO Auto-generated catch block             e printStackTrace                       catch  CertStoreException e                            TODO Auto-generated catch block             e printStackTrace                          Edited   info about keys certificates  I generated the Private Key and Public Certificate with OpenSSL via the following commands   Private Key openssl genrsa -out private-key pem 1024  Public Certificate openssl req -new -key private-key pem -x509 -days 1095 -out public-cert pem  Created PKCS12 File openssl pkcs12 -export -in public-cert pem -inkey private-key pem -out my pkcs12 p12   Additionally  I had to download the Paypal Public Certificate from the Paypal website     Edited - adding compilation warnings - BouncyCastle  C  jakarta-tomcat webapps PlanB WEB-INF classes gt javac   palmb servlets paypal ClientSide java -Xlint   palmb servlets paypal ClientSide java 85  warning   deprecation  addSigner java security PrivateKey java security cert X509Certificate java lang String  in org bouncycastle cms CMSSignedDataGenerator has been deprecated                 signedGenerator addSigner  privateKey  certificate  CMSSignedDat aGenerator DIGEST SHA1                                       palmb servlets paypal ClientSide java 88  warning   unchecked  unchecked call to add E  as a member of the raw type java util ArrayList                 certList add certificate                                   palmb servlets paypal ClientSide java 90  warning   deprecation  addCertificatesAndCRLs java security cert CertStore  in org bouncycastle cms CMSSignedGenerat or has been deprecated                 signedGenerator addCertificatesAndCRLs certStore                                      palmb servlets paypal ClientSide java 97  warning   deprecation  generate org  bouncycastle cms CMSProcessable boolean java lang String  in org bouncycastle cm s CMSSignedDataGenerator has been deprecated                 CMSSignedData signedData   signedGenerator generate cmsByteArray  true   BC                                                                  palmb servlets paypal ClientSide java 102  warning   deprecation  addKeyTransR ecipient java security cert X509Certificate  in org bouncycastle cms CMSEnvelope dGenerator has been deprecated                 envGenerator addKeyTransRecipient payPalCert                                   palmb servlets paypal ClientSide java 103  warning   deprecation  generate org bouncycastle cms CMSProcessable java lang String java lang String  in org bouncycastle cms CMSEnvelopedDataGenerator has been deprecated                 CMSEnvelopedData envData   envGenerator generate  new CMSProcess ableByteArray signed                                                            6 warnings     JCE policy file installation steps  These are the steps I took to installing the JCE Unlimited Strength Policy files  1  Went to Java JCE Download Page on Oracle  2  Extracted files from zip  3  Placed local policy jar and US export policy jar files in C  Java jdk1 6 0 22 jre lib security folder   Note  C  Java jdk1 6 0 22 is set as  JAVA HOME    4  Updated system classpath to include location of jars   Note  There are other files  that came with the JDK 1 6 within the security folder  including   java policy  java security  javaws policy  trusted libraries - but those probably have nothing to do with the JCE files  right      Edit 6 23 2011 - results after further configuration  I went to Bouncy Castle page at http   www bouncycastle org specifications html install Scroll down to 5 0 Bouncy Castle Provider then read info under 5 1 Example  It makes mention of adding a parameter for the Bouncy Castle Provider to the java security file  My file is under C  Java jdk1 6 0 22 jre lib security  I added the following line to my file - security provider 10 org bouncycastle jce provider BouncyCastleProvider   In addition  I discovered that I hadn t added the Bouncy Castle jars to the classpath  so I went ahead and did so    Now after making these changes  recompiling and attempting to execute ClientSide java I m given the same exception   but maybe the focus should be on the part of the exception where it says this about bouncycastle provider -  at org bouncycastle jce provider JDKPKCS12KeyStore cryptData Unknown Source  at org bouncycastle jce provider JDKPKCS12KeyStore engineLoad Unknown Source     PeteyB - I m certain that I installed the policy files correctly  Based on what I ve stated here  is there anything else you can suggest I try  Can you look at the Bouncy Castle site   http   www bouncycastle org specifications html install and see if there is something I m missing

User · Answer

The error seems to be thrown when you try and load they keystore from "C:/jakarta-tomcat/webapps/PlanB/Certs/my_pkcs12.p12" here:

ks.load( new FileInputStream(_privateKeyPath), _keyPass.toCharArray() );

Have you tried replaceing "/" with "\\" in your file path? If that doesn't help it probably has to do with Java's Unlimited Strength Jurisdiction Policy Files. You could check this by writing a little program that does AES encryption. Try encrypting with a 128 bit key, then if that works, try with a 256 bit key and see if it fails.

Code that does AES encyrption:

import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Test 
{
    final String ALGORITHM = "AES";                       //symmetric algorithm for data encryption
    final String PADDING_MODE = "/CBC/PKCS5Padding";      //Padding for symmetric algorithm
    final String CHAR_ENCODING = "UTF-8";                 //character encoding
    //final String CRYPTO_PROVIDER = "SunMSCAPI";             //provider for the crypto

    int AES_KEY_SIZE = 256;  //symmetric key size (128, 192, 256) if using 256 you must have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files  installed

    private String doCrypto(String plainText) throws NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException, UnsupportedEncodingException
    {
        byte[] dataToEncrypt = plainText.getBytes(CHAR_ENCODING);

        //get the symmetric key generator
        KeyGenerator keyGen = KeyGenerator.getInstance(ALGORITHM);
        keyGen.init(AES_KEY_SIZE); //set the key size

        //generate the key
        SecretKey skey = keyGen.generateKey();

        //convert to binary
        byte[] rawAesKey = skey.getEncoded();

        //initialize the secret key with the appropriate algorithm
        SecretKeySpec skeySpec = new SecretKeySpec(rawAesKey, ALGORITHM);

        //get an instance of the symmetric cipher
        Cipher aesCipher = Cipher.getInstance(ALGORITHM + PADDING_MODE);

        //set it to encrypt mode, with the generated key
        aesCipher.init(Cipher.ENCRYPT_MODE, skeySpec);

        //get the initialization vector being used (to be returned)
        byte[] aesIV = aesCipher.getIV();

        //encrypt the data
        byte[] encryptedData = aesCipher.doFinal(dataToEncrypt);    

        //initialize the secret key with the appropriate algorithm
        SecretKeySpec skeySpecDec = new SecretKeySpec(rawAesKey, ALGORITHM);

        //get an instance of the symmetric cipher
        Cipher aesCipherDec = Cipher.getInstance(ALGORITHM +PADDING_MODE);

        //set it to decrypt mode with the AES key, and IV
        aesCipherDec.init(Cipher.DECRYPT_MODE, skeySpecDec, new IvParameterSpec(aesIV));

        //decrypt and return the data
        byte[] decryptedData = aesCipherDec.doFinal(encryptedData);

        return new String(decryptedData, CHAR_ENCODING);
    }

    public static void main(String[] args)
    {
        String text = "Lets encrypt me";

        Test test = new Test();

        try {
            System.out.println(test.doCrypto(text));
        } catch (InvalidKeyException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (NoSuchProviderException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (NoSuchPaddingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (IllegalBlockSizeException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (BadPaddingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (InvalidAlgorithmParameterException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (UnsupportedEncodingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
}

Does this code work for you?

You might also want to try specifying your bouncy castle provider in this line:

Cipher.getInstance(ALGORITHM +PADDING_MODE, "YOUR PROVIDER");

And see if it could be an error associated with bouncy castle.

User · Answer

So the problem must be with your JCE Unlimited Strength installation    Be sure you overwrite the local policy jar and US export policy jar in both your JDK s jdk1 6 0 25 jre lib security  and in your JRE s lib security  folder   In my case I would place the new  jars in   C  Program Files Java jdk1 6 0 25 jre lib security  and  C  Program Files Java jre6 lib security    If you are running Java 8 and you encounter this issue  Below steps should help   Go to your JRE installation  e g - jre1 8 0 181 lib security policy unlimited  copy local policy jar and replace it with  local policy jar  in your JDK installation directory  e g - jdk1 8 0 141 jre lib security

User · Answer

If you are still recieving the InvalidKeyException when running my AES encryption program with 256 bit keys  but not with 128 bit keys  it is because you have not installed the new policy JAR files correctly  and has nothing to do with BouncyCastle  which is also restrained by those policy files   Try uninstalling  then re-installing java and then replaceing the old jar s with the new unlimited strength ones  Other than that  I m out of ideas  best of luck   You can see the policy files themselves if you open up the lib security local policy jar and US export policy jar files in winzip and look at the conatined   policy files in notepad and make sure they look like this   default local policy          Country-specific policy file for countries with no limits on crypto strength  grant          There is no restriction to any algorithms      permission javax crypto CryptoAllPermission        default US export policy      Manufacturing policy file  grant          There is no restriction to any algorithms      permission javax crypto CryptoAllPermission

User · Answer

I faced the same issue  Tried adding the US export policy jar and local policy jar in the java security folder first but the issue persisted  Then added the below in java opts inside tomcat setenv shfile and it worked   -Djdk tls ephemeralDHKeySize 2048   Please check this link for further info

User · Answer

Add below code in your client code    static       Security insertProviderAt new BouncyCastleProvider   1        with this there is no need to add any entry in java security file

[java] InvalidKeyException : Illegal Key Size - Java code throwing exception for encryption class - how to fix?

Examples related to java

Examples related to security

Examples related to exception

Examples related to encryption

Examples related to paypal