We have CF8 Developer edition installed and are trying to
utilize the FIPS140-2 compliant encryption features of JSafeJCE.
When try a simple encrypt with the basic install:
<cfset token = Encrypt(tokenString, tokenEncryptionKey,
"AES/CBC/PKCS5Padding", "Hex", tokenEncryptionIV)>
We get:
The key specified is not a valid key for this encryption:
Illegal key size. (incidentally, this occurs whether we provide the
key or use the generatesecretkey call)
If we then switch to the SUN strong encryption, the call
completes successfully. Why are we tied to the SUN provider? The
ColdFusion 8 Developer Security Guidelines document at
http://www.adobe.com/devnet/coldfusion/articles/dev_security/coldfusion_security_cf8.pdf
indicates that "The JSafeJCE provider replaces the Sun
provider for these algorithms in CF8 Enterprise: AES, DESEDE, DES,
RC2, RC4, PBEwithM". Replace to me means that the Sun provider is
not needed. Is that incorrect?
We also considered the possibility that we are running the
developer edition since all of the documentation explicitly states
"Enterprise Edition". We ruled that out based on the feature
comparison matrix that list Enterprise and developer in the same
column.
Has anyone experienced this issue?