Monday, April 9, 2012

Cryptography & Invalid Key Size Exception

You might already know this, but I thought I would add a quick note on the topic. Recently I was debugging one of the reported issues, which turned out to be related.

When using cryptography functions you might get an "InvalidKeyException: Illegal key size" exception. This error is not caused by using the wrong API or by an incorrect configuration.

To fix this problem, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (available from Oracle). If you don't, the key size is limited due to US export laws. Hence many algorithms, such as AES, will throw the "Illegal key size" exception.

Install these policy files, as follows:

1. Download the policy files for the JDK being used.
2. Unzip the file.
3. Copy these files to the <JDK_HOME>/jre/lib/security directory.
4. Start the server.

This will fix your server. Read on to learn how to check for these policy files.

How To Check For Unlimited Strength or Unrestricted Jurisdiction Policy Files

When you install or update the JDK, the default jurisdiction policy files are installed. These files allow only limited cryptography. Your applications may require you to install the unrestricted versions of these files (local_policy.jar and US_export_policy.jar).
To check whether you are using the unrestricted version, copy these files from <JDK_HOME>/jre/lib/security to a temporary location (written as <TEMP_DIR> below) and run these commands:

jar -xvf <TEMP_DIR>/local_policy.jar
jar -xvf <TEMP_DIR>/US_export_policy.jar

Read default_local.policy and default_US_export.policy to find out which jurisdiction policy is being used. If you see the entry grant { permission javax.crypto.CryptoAllPermission; }; in the file, you are using the unrestricted version.
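
A runtime check that complements the file inspection above, added here as an example and not part of the original post: it asks the running JVM for the key-size limit its jurisdiction policy imposes (Cipher.getMaxAllowedKeyLength) and then tries to initialise AES with a 256-bit key. The class name JcePolicyCheck and the all-zero test key are constructed for illustration.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): reports the key-size limit that the
// installed jurisdiction policy files impose on the JVM running this code.
public class JcePolicyCheck {

    // Maximum key length in bits the policy allows for a transformation.
    // Integer.MAX_VALUE means the unrestricted policy is in effect.
    static int maxKeyBits(String transformation) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(transformation);
    }

    // Tries to initialise AES with a key of the given size. Under the limited
    // policy, a key above the limit is rejected with InvalidKeyException.
    static boolean aesKeyAccepted(int keyBits)
            throws NoSuchAlgorithmException, NoSuchPaddingException {
        byte[] keyBytes = new byte[keyBits / 8]; // constructed all-zero key, for this test only
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"));
            return true;
        } catch (InvalidKeyException e) {
            System.out.println("AES-" + keyBits + " rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Shows which Java installation (and so which policy files) is in use.
        System.out.println("java.home = " + System.getProperty("java.home"));
        for (String alg : new String[] {"AES", "Blowfish", "RSA"}) {
            int max = maxKeyBits(alg);
            System.out.println(alg + ": "
                    + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits max"));
        }
        boolean ok128 = aesKeyAccepted(128);
        boolean ok256 = aesKeyAccepted(256);
        System.out.println("AES-128 init: " + ok128 + ", AES-256 init: " + ok256);
        System.out.println(ok256
                ? "Unrestricted policy is active."
                : "Limited policy is active; install the unlimited strength files.");
    }
}
```

Run it with the same Java installation the server uses, since the policy files are read from that installation's jre/lib/security directory.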


  1. Hi

    Where are those files for Java 1.7?

    I am on CF 10 64 bit. If I use the Oracle version my server crashes.


  2. Hi,

    These files can be found on Oracle's website. I installed from these and it works for me. Is there any specific error you see?


