Home/ Questions/Q 3217962
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T15:28:20+00:00

I have a test which runs great on my development MacBook Pro, but fails

  • 0

I have a test which runs great on my development MacBook Pro, but fails to run in continuous integration TeamCity server.

The error is following:

java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.a(DashoA13*..)
    at javax.crypto.Cipher.init(DashoA13*..)
    at javax.crypto.Cipher.init(DashoA13*..)

Both development box and TeamCity uses Java 1.6 and I use BouncyCastle library for the need of special AES encryption.

The code is following:

private byte[] aesEncryptedInfo(String info) throws UnsupportedEncodingException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidParameterSpecException, InvalidAlgorithmParameterException, NoSuchProviderException {
    Security.addProvider(new BouncyCastleProvider());
    SecretKey secret = new SecretKeySpec(CUSTOMLONGSECRETKEY.substring(0, 32).getBytes(), "AES");
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
    cipher.init(Cipher.ENCRYPT_MODE, secret, new IvParameterSpec(VECTOR_SECRET_KEY.getBytes()));
    return cipher.doFinal(info.getBytes("UTF-8"));
}

UPDATE

Looks like according to the selected answer I have to modify something on my TeamCity installation and it will possibly affect some user installations – so its not a good choice I have to switch to another crypto library to do that without limitations. So probably bouncy castle will help.

UPDATE 2

I actually switched to use BouncyCastle to avoid this limitation. Note this only works if you use own BC classes directly, not the BC provider.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This error means that your Java virtual machine uses a policy that only allows restricted cryptography key sizes due to US export laws.

    Java 9 and higher

    The Unlimited Strength Jurisdiction Policy Files are included with Java 9 and used by default (see Security Updates in the Java 9 Migration Guide).

    If you get this error with Java 9, it might mean the policy configuration has been changed to a more restrictive policy (limited), see the instructions from the migration guide:

    JCE Jurisdiction Policy File Default is Unlimited

    If your application previously required the Java Cryptography
    Extension (JCE) Unlimited Strength Jurisdiction Policy Files, then you
    no longer need to download or install them. They are included in the
    JDK and are activated by default.

    If your country or usage requires a more restrictive policy, the
    limited Java cryptographic policy files are still available.

    If you have requirements that are not met by either of the policy
    files provided by default, then you can customize these policy files
    to meet your needs.

    See the crypto.policy Security property in the
    <java-home>/conf/security/java.security file, or
    Cryptographic Strength Configuration in the Java Platform,
    Standard Edition Security Developer’s Guide.

    Java 8 and earlier

    Java 8 Update 161 and higher

    Starting with Java 8 Update 161, Java 8 defaults to the Unlimited Strength Jurisdiction Policy. If you receive this error, it could indicate the configuration has been changed to limited. See instructions in the next section on Java 8 Update 151, or the previous section on Java 9, for changing this back to unlimited.

    Java 8 Update 151 and higher

    Starting with Java 8 Update 151, the Unlimited Strength Jurisdiction Policy is included with Java 8 but not used by default. To enable it, you need to edit the java.security file in <java_home>/jre/lib/security (for JDK) or <java_home>/lib/security (for JRE). Uncomment (or include) the line

    crypto.policy=unlimited

    Make sure you edit the file using an editor run as administrator.

    The policy change only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).

    For backwards compatibility, installing the policy files as documented in the next section will still work as well.

    Before Java 8 Update 151

    For Java 8 Update 144 and earlier, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (available at Oracle).

    To install these files (from the README.txt in the download):

    1. Download the unlimited strength JCE policy files.

    2. Uncompress and extract the downloaded file.

      This will create a subdirectory called jce.
      This directory contains the following files:

      README.txt                   This file
local_policy.jar             Unlimited strength local policy file
US_export_policy.jar         Unlimited strength US export policy file

    3. Install the unlimited strength policy JAR files.

      In case you later decide to revert to the original “strong” but
      limited policy versions, first make a copy of the original JCE
      policy files (US_export_policy.jar and local_policy.jar). Then
      replace the strong policy files with the unlimited strength
      versions extracted in the previous step.

      The standard place for JCE jurisdiction policy JAR files is:

      <java-home>/lib/security           [Unix]
<java-home>\lib\security           [Windows]

    Note for the JDK it is in jre/lib/security.

    The new policy file only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).

    • 0