I have a web application that is accessible only over the HTTPS protocol. One of the pages has an applet. When I try to access that page I get the error below. I can successfully access this page if I use JRE 1.3.1_16 in the client browser, but it fails with this error with all 1.4.xx JREs and with JRE 1.5.0_04. What is wrong?
Thanks in advance.
javax.net.ssl.SSLProtocolException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateMsg.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setNewClient(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.superConnect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.plugin.cache.CachedFileLoader.load(Unknown Source)
at sun.plugin.cache.FileCache.get(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connectWithCache(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
at sun.security.x509.X509CertInfo.<init>(Unknown Source)
at sun.security.x509.X509CertImpl.parse(Unknown Source)
at sun.security.x509.X509CertImpl.<init>(Unknown Source)
at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source)
at java.security.cert.CertificateFactory.generateCertificate(Unknown Source)
... 34 more
Caused by: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
at sun.security.x509.X509Key.parse(Unknown Source)
at sun.security.x509.CertificateX509Key.<init>(Unknown Source)
at sun.security.x509.X509CertInfo.parse(Unknown Source)
... 39 more
It is most likely because you have not installed the so-called
Unlimited Strength Java(TM) Cryptography Extension Policy Files
for the Java(TM) 2 SDK, Standard Edition, v 1.4.2.
Go to
http://java.sun.com/products/jce/javase.html
to get more info about it. Download the files and deploy them to remove the restrictions on your key sizes.
My problem, it seems, is related to the size of the key. The certificate in my keystore is of size 4096. The JDK can handle sizes up to 2048. Will this problem be solved if I use the Cryptography package?
I have solved the problem by using an SSL certificate with key size 1024.
Earlier I was using an SSL certificate with key size 4096; I think it is a problem with the JDK, which can handle certificates of size <= 2048.
I am having the same problem, i.e., my CA's key is also greater than 2048. So I want to know whether there is any way we can work with a modulus greater than 2048 in Java? I am using the java.security package for the first time. Thank you.
I have the same problem... but I cannot change the key (it is the key from our customer). What can I do?
I will try to use another JCE provider (like Bouncy Castle), but it didn't seem so easy to configure in place of the default Sun implementation.
I have encountered the same problem while attempting to launch a signed Java applet in an SSL environment (https://)...
With versions 1.40 and 1.42 of the JRE installed on the client side, the error message was not as clear as in the 1.5 version, which talks clearly about "invalid key spec"...
In my case... it was a problem of key attributions:
I had generated a self-signed cert with the default Java keytool and signed the applet with it... Clearly this key does not have the attribution for signing code... and that explains the error I had...
The same problem could be encountered if the applet is not signed at all... This case is treated like the one where the applet is "badly signed"... and the same error is displayed...
-> I resolved the problem by using a key that has this attribution...
(take a look at this sample key: http://www.aimencrypt.com/)
Another possible problem:
While setting in your SSL configuration file (httpd.conf and/or ssl.conf if using Apache) the variable SSLClientVerify to the value "2" (certificate required)... and with JRE versions older than 1.5, a problem may occur...
The only solution I found for that was... migrating all the clients to JRE 1.5 :(
I have encountered the same problem too, when I post my request to a third-party URL that uses the https protocol. When I post my document it gives me "javax.net.ssl.SSLProtocolException: java.io.IOException: subject key, java.security.spec.InvalidKeySpecException: Unknown key spec." This can be due to the restriction on a key length of 4096 with JDK 1.4. Can anybody explain to me how exactly I can overcome this problem?
In fact there is a 'bug' in the JCE Provider integrated in Sun Java 1.4.2, which supports cryptography for certificates with a key size no longer than 2048 bytes.
An ideal solution would be to upgrade to JRE 5.0, which fully supports RSA cryptography (http://java.sun.com/products/jce/javase.html).
Another solution is to install an additional JCE Provider for 1.4.2, which substitutes some of the crypto algorithms of the default JCE.
I tried the Bouncy Castle Provider (http://www.bouncycastle.org/java.html), and everything works.
The installation instructions are here: http://www.bouncycastle.org/specifications.html
Just 2 notes:
1 - You do have to install the JCE 'unrestricted policy files'.
2 - In my $JAVA_HOME/jre/lib/security/java.security file, I used the Bouncy Castle with priority 2:
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
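A quick diagnostic, added here and not from any poster in this thread, for checking whether a given JRE is affected by the key-size limit discussed above: it reports the JCE policy limit, round-trips a freshly generated 4096-bit RSA public key through KeyFactory (the same SubjectPublicKeyInfo parsing that fails in the stack trace), and optionally inserts Bouncy Castle at provider position 2 as the last post configures in java.security. It assumes Java 7 or later; the class name RsaKeySizeCheck is my own.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;

// Diagnostic for the thread's "Invalid RSA modulus size" failure: shows the JCE policy limit and
// whether this runtime re-parses a 4096-bit RSA public key via the path certificate parsing uses.
public class RsaKeySizeCheck {
    // Largest RSA key the installed JCE policy files allow (Integer.MAX_VALUE = unlimited).
    static int maxAllowedRsaKeyLength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("RSA");
    }
    // Generates an RSA key pair of the given size and re-parses its encoded public key.
    // Returns the parsed modulus size in bits, or -1 when the runtime rejects the key
    // (the InvalidKeySpecException behind the stack trace above).
    static int roundTripRsaPublicKey(int bits) {
        try {
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(bits);
            KeyPair pair = gen.generateKeyPair();
            byte[] encoded = pair.getPublic().getEncoded(); // DER SubjectPublicKeyInfo
            RSAPublicKey parsed = (RSAPublicKey) KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(encoded));
            return parsed.getModulus().bitLength();
        } catch (Exception e) {
            System.err.println(bits + "-bit RSA rejected: " + e);
            return -1;
        }
    }
    // Registers Bouncy Castle at position 2, mirroring the java.security line in the last post;
    // loaded by name so this compiles without bcprov, returning false if the jar is absent.
    static boolean registerBouncyCastleAtPosition2() {
        try {
            Provider p = (Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                    .getDeclaredConstructor().newInstance();
            return Security.insertProviderAt(p, 2) != -1;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("Max allowed RSA key length: " + maxAllowedRsaKeyLength());
        System.out.println("4096-bit round trip -> " + roundTripRsaPublicKey(4096));
        System.out.println("Bouncy Castle registered: " + registerBouncyCastleAtPosition2());
    }
}
```

Run it once with the stock provider and once with bcprov on the classpath: a -1 from the round trip, or a policy limit below 4096, reproduces the condition the posters hit before installing the unrestricted policy files or Bouncy Castle.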