I had asked a question about this earlier, but it didn't get answered right and led nowhere.
So I've clarified a few details on the problem and I would really like to hear your ideas on how I could fix this or what I should try.
I have Java 1.6.0.12 installed on my Linux server and the code below runs just perfectly.
    String key = "av45k1pfb024xa3bl359vsb4esortvks74sksr5oy4s5serondry84jsrryuhsr5ys49y5seri5shrdliheuirdygliurguiy5ru";
    try {
        Cipher c = Cipher.getInstance("ARCFOUR");
        SecretKeySpec secretKeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "ARCFOUR");
        c.init(Cipher.DECRYPT_MODE, secretKeySpec);
        return new String(c.doFinal(Hex.decodeHex(data.toCharArray())), "UTF-8");
    } catch (InvalidKeyException e) {
        throw new CryptoException(e);
    }
Today I installed Java 1.6.0.26 on my server user and when I try to run my application, I get the following exception. My guess would be that it has something to do with the Java installation configuration because it works in the first one, but doesn't work in the later version.
    Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
        at javax.crypto.Cipher.a(DashoA13*..) ~[na:1.6]
        at javax.crypto.Cipher.a(DashoA13*..) ~[na:1.6]
        at javax.crypto.Cipher.a(DashoA13*..) ~[na:1.6]
        at javax.crypto.Cipher.init(DashoA13*..) ~[na:1.6]
        at javax.crypto.Cipher.init(DashoA13*..) ~[na:1.6]
        at my.package.Something.decode(RC4Decoder.java:25) ~[my.package.jar:na]
        ... 5 common frames omitted
Line 25 is:
    c.init(Cipher.DECRYPT_MODE, secretKeySpec);
Notes:
* java.security on server's 1.6.0.12 java directory matches almost completely with the 1.6.0.26 java.security file. There are no additional providers in the first one.
* The previous question is here.
In Java, by default AES supports a 128-bit key. If you plan to use a 192-bit or 256-bit key, the Java compiler will throw an Illegal key size exception, which is what you are getting.
The solution is as victor & James suggested: you will need to download the JCE (Java Cryptography Extension) matching your JRE version (java6, java7 or java8).
The JCE zip contains the following JAR:
You need to replace these jars in your <JAVA_HOME>/jre/lib/security folder. If you are on a Unix system, it will probably refer to /home/urs/usr/lib/jvm/java-<version>-oracle/
Sometimes just replacing local_policy.jar and US_export_policy.jar in the security folder doesn't work on Unix, so I suggest copying the security folder to your desktop first, replacing the jars in the Desktop/security folder, deleting the security folder from /jre/lib/ and moving the Desktop security folder to /jre/lib/.
e.g.:
    sudo mv security /usr/lib/jvm/java-7-oracle/jre/lib
I experienced the same error while using Windows 7 x64, Eclipse, and JDK 1.6.0_30. In the JDK installation folder there is a jre folder. This threw me off at first as I was adding the aforementioned jars to the JDK's lib/security folder with no luck. Full path:
Download and extract the files contained in the jce folder of this archive into that folder.
The problem is the content of the file default_local.policy in local_policy.jar in the folder jre\lib\security, if you install the JRE:
If you do not need worldwide valid settings you simply can edit this file and change the content to
This is what you get if you download the JCE from Oracle.
"Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6"
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
With Java 9, Java 8u161, Java 7u171 and Java 6u181 the limitation is now disabled by default. See issue in Java Bug Database.
Beginning with Java 8u151 you can disable the limitation programmatically.
Instead you can now invoke the following line before first use of JCE classes (i.e. preferably right after application start):
For JAVA 7 the download link is jce-7-download
Copy the two downloaded jars in Java\jdk1.7.0_10\jre\lib\security
Take a backup of the older jars to be on the safer side.
For JAVA 8 the download link is jce-8-download
Copy the downloaded jars in Java\jdk1.8.0_45\jre\lib\security
Take a backup of the older jars to be on the safer side.
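To see which policy a given JVM actually enforces, before and after replacing the jars, here is an added diagnostic that is not from the question or any of the answers. The class name JcePolicyCheck and the --unlimited switch are assumptions made for illustration; the switch sets the crypto.policy security property, which only Java 8u151 and later read.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {
    // Key string from the question; only its length matters for the policy check.
    static final String KEY =
        "av45k1pfb024xa3bl359vsb4esortvks74sksr5oy4s5serondry84jsrryuhsr5ys49y5seri5shrdliheuirdygliurguiy5ru";

    // Reports the policy ceiling for one algorithm and whether init() accepts the key.
    static String check(String algorithm, byte[] key) throws Exception {
        int maxBits = Cipher.getMaxAllowedKeyLength(algorithm);
        String limit = (maxBits == Integer.MAX_VALUE) ? "unlimited" : maxBits + " bits";
        String result;
        try {
            Cipher c = Cipher.getInstance(algorithm);
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, algorithm));
            result = "init OK";
        } catch (InvalidKeyException e) {
            // Same exception as in the question's stack trace.
            result = "init rejected: " + e.getMessage();
        }
        return algorithm + ": policy limit " + limit
            + ", key " + (key.length * 8) + " bits, " + result;
    }

    public static void main(String[] args) throws Exception {
        // Must run before the first use of any JCE class; ignored by older JVMs.
        if (args.length > 0 && args[0].equals("--unlimited")) {
            Security.setProperty("crypto.policy", "unlimited");
        }
        // java.home shows which jre/lib/security folder this JVM really reads,
        // which matters when a JDK and a separate JRE are both installed.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println(check("ARCFOUR", KEY.getBytes("UTF-8")));
        System.out.println(check("AES", new byte[32])); // constructed all-zero 256-bit key
    }
}
```

Run it with the same java binary the application uses: a limit other than "unlimited" together with "init rejected" means that JVM is still loading the restricted policy files.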