000026184 - Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000026184

Applies To:
RSA Key Manager
RSA BSAFE Crypto-J
JDK 1.5
Java Cryptography Extension (JCE) Jurisdiction Policy Files

Issue

Customers often have trouble using algorithms with large key sizes and don't know why. If you change the key size in the AES.java sample to 256, you will get this:

 

[com.rsa.cryptoj.samples.jce.AES]  java.security.InvalidKeyException: Illegal key size
java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.a(DashoA12275)
    at javax.crypto.Cipher.init(DashoA12275)
    at javax.crypto.Cipher.init(DashoA12275)
Exception in thread "main" java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.a(DashoA12275)
    at javax.crypto.Cipher.init(DashoA12275)
    at javax.crypto.Cipher.init(DashoA12275)
    at com.rsa.cryptoj.samples.jce.AES.go(Unknown Source)
    at com.rsa.cryptoj.samples.jce.AES.go(Unknown Source)
    at com.rsa.cryptoj.samples.jce.AES.main(Unknown Source)
    at com.rsa.cryptoj.samples.jce.AES.main(Unknown Source)

When FIPS customers switch to a new JDK, they often get the following exception:

Exception in thread "main" java.security.NoSuchAlgorithmException: No such algorithm: AES/CBC/PKCS5Padding
at javax.crypto.Cipher.getInstance(DashoA13*..)
at javax.crypto.Cipher.getInstance(DashoA13*..)
at jce.symCipher.AES.go(AES.java:95)
at jce.symCipher.AES.main(AES.java:37)
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: AES, provider: JsafeJCE, class: com.rsa.cryptoj.s.ik)
at java.security.Provider$Service.newInstance(Provider.java:1245)
... 4 more
Caused by: java.lang.SecurityException: An internal FIPS 140 self-verification test has failed. Algorithm AES has been disabled.


http://java.sun.com/javase/downloads/index.jsp does not show a link to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK 1.5 (also known as 5.0).

Cause

The reason is that an algorithm being used has a key size outside of the range of the limited security policy.
When the RSA documentation was published, the page location was correct.  Subsequent changes on the Sun/Oracle website mean that the URL in the RSA documentation only points to the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for current versions of Java.
Resolution

To resolve this issue you must install the "Unlimited Strength Jurisdiction Policy Files" found at the bottom of the Java Downloads page. Make sure to get the version of the policy files that matches the JDK you're using. See the Crypto-J Installation Guide under "Binary Toolkit Installation" -> "JCE Jurisdiction Policy Files":

Table 1: JDK Versions and Jurisdiction Policy File Locations

1.4.2 http://java.sun.com/j2se/1.4.2/download.html

1.5 http://java.sun.com/javase/downloads/index_jdk5.jsp

1.6 http://java.sun.com/javase/downloads/index.jsp

UPDATE: Java SE Downloads page:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java Platform Technology Downloads page (JCE policy files for 1.4.2, 5.0, and 6.0):
http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html
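
To confirm which policy a given JDK is actually running with, before and after installing the files, the following added example reports the maximum key size the installed policy allows and repeats the failing AES-256 init. It is not RSA's code or part of the Crypto-J samples; the class name JcePolicyCheck and the all-zero test key are assumptions made for illustration, and only standard JCE calls are used.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic, not RSA sample code. The class name is hypothetical;
// only standard JCE calls (available since JDK 1.5) are used.
public class JcePolicyCheck {

    /** Largest key size in bits the installed policy permits for an algorithm. */
    static int maxBits(String algorithm) throws Exception {
        // Integer.MAX_VALUE means the unlimited strength files are in effect.
        return Cipher.getMaxAllowedKeyLength(algorithm);
    }

    /** Repeats the call that fails in the article: Cipher.init with a 256-bit AES key. */
    static boolean aes256InitWorks() throws Exception {
        byte[] testKey = new byte[32];           // all-zero key, for this probe only
        Cipher cipher = Cipher.getInstance("AES");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(testKey, "AES"));
            return true;                         // nothing is encrypted; init alone is the test
        } catch (InvalidKeyException e) {
            return false;                        // "Illegal key size" under the limited policy
        }
    }

    public static void main(String[] args) throws Exception {
        // The policy files belong to one JRE, so record which one is being tested.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Algorithms to report on; pass others on the command line.
        String[] algorithms = args.length > 0 ? args : new String[] { "AES" };
        for (int i = 0; i < algorithms.length; i++) {
            int max = maxBits(algorithms[i]);
            String shown = (max == Integer.MAX_VALUE) ? "unlimited" : max + " bits";
            System.out.println(algorithms[i] + ": maximum allowed key size = " + shown);
        }

        if (!aes256InitWorks()) {
            System.err.println("AES-256 is blocked: install the policy files that match"
                    + " the JDK at the java.home shown above.");
            System.exit(1);
        }
        System.out.println("AES-256 is permitted by the installed policy.");
    }
}
```

Run it with the same java binary the application uses; an exit status of 1 means the limited policy is still in effect for that JRE.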

Legacy Article ID: a32864
