Search code examples
javawindowskeystorejce

Don't want to use unlimited strength policy files

I want to make a Java application that makes signatures but have run into the problem with the unlimited strength policy files, discussed in many posts, e.g. How to avoid installing "Unlimited Strength" JCE policy files when deploying an application?

Everything works fine of course when I switch the policy files but I would rather avoid this and since I don't plan to use symmetric encryption my guess was that it would be possible. My problem is that that I get the Illegal key size exception already in the load method of KeyStore.

My questions:

1) Can I do anything about the internal encryption in the keystore so the key size limitation doesn't require users to change policy files?

2) I have understood that the BouncyCastle Lightweight API could be an option. If so, how do I load a keystore with that API?

Security.addProvider(new BouncyCastleProvider());           

//Get private key
KeyStore keyStore = KeyStore.getInstance("PKCS12","BC");
String pwd = "password";
FileInputStream finJKS = new FileInputStream("C:\\TEMP\\host.p12");
keyStore.load(finJKS,pwd.toCharArray());

run: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size

Running jre in JDK 7u51 on Netbeans 7.4 on Windows.

Best regards

Solution

  • Your code snippet throws an InvalidKeyException despite using BouncyCastle, because you are not using the BC Lightweight API. If you access BC through the JCE API then the same limits on crypto strength apply as with Sun/Oracle providers.

    PKCS#12 files are usually encrypted with 3DES (pbeWithSHA1And3-KeyTripleDES-CBC), which is not restricted by the default policy file. However, PKCS#12 allows the use of arbitrary encryption algorithms, so it seems like you got a p12 file that is encrypted with another algorithm. You can check this with openssl:

    openssl pkcs12 -in host.p12 -info -noout

    The encryption algorithm should change when you convert the keystore to JKS or JCEKS (more secure) with keytool:

    keytool -importkeystore -srckeystore host.p12 -srcstoretype PKCS12 -deststoretype JCEKS -destkeystore host.jks

    Of course you will have to adapt your code then:

    KeyStore keyStore = KeyStore.getInstance("JCEKS");

    You could even convert the JCEKS keystore back to PKCS12 with keytool. Keytool generates PKCS12 files with pbeWithSHA1And3-KeyTripleDES-CBC.