Category Archives: Misc

Java + SAML: Illegal Key Size


When attempting to decrypt the SAML response from the IdP, the following exception occurs:

Illegal key size
Original Exception was Illegal key size
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(
	at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(
	at org.opensaml.xml.encryption.Decrypter.decryptDataToList(
	at org.opensaml.xml.encryption.Decrypter.decryptData(
	at org.opensaml.saml2.encryption.Decrypter.decryptData(
	at org.opensaml.saml2.encryption.Decrypter.decrypt(


Inspecting the SAML response payload below shows that the assertion is encrypted with AES-256:

<?xml version="1.0" encoding="UTF-8"?>
        IssueInstant="2016-02-18T15:28:43.473Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs-server/adfs/services/trust</Issuer>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="" xmlns:xenc="">
            <xenc:EncryptionMethod Algorithm=""/>
            <KeyInfo xmlns="">
                <e:EncryptedKey xmlns:e="">
                    <e:EncryptionMethod Algorithm="">
                        <DigestMethod Algorithm=""/>
                        <ds:X509Data xmlns:ds="">

By default, the JCE jurisdiction policy shipped with Java 7 and Java 8 limits symmetric keys such as AES to 128 bits, because of US export regulations and a few countries' import laws. Any attempt to use a 256-bit AES key under that policy fails with "Illegal key size", which is what OpenSAML wraps and rethrows above. (From Java 8u161 and Java 9 onwards the unlimited policy is the default, and on 8u151+ it can be selected with the crypto.policy security property, so the steps below apply to older 7/8 builds.)

To fix this…

  • Determine the Java version the SP runs on (java -version).
  • Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that match it – Java 7 or Java 8.
  • Unzip the archive.
  • Copy local_policy.jar and US_export_policy.jar over the existing ones in [JAVA_HOME]/jre/lib/security (for a JRE-only install, [JAVA_HOME]/lib/security) and restart the JVM.
  • Repeat this on every host that decrypts SAML responses, and again after each Java update, since an update reinstalls the restricted jars.
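To confirm which policy a JVM is actually running with before and after swapping the jars, the following added check (example code, not part of the original post or of OpenSAML) asks the JCE framework for its AES key-length ceiling and then attempts exactly what the SAML decrypter does: initialising AES with a 256-bit key. The all-zero key and IV are constructed placeholders; only their lengths matter here. The optional --unlimited flag shows the jar-free alternative available on Java 8u151 and later.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.security.Security;

// Added example (not from the original post): reports whether this JVM's
// JCE policy permits AES-256, which is what decrypting the SAML assertion needs.
public class JcePolicyCheck {

    // Largest AES key the active policy allows, in bits.
    // 128 means the restricted policy; Integer.MAX_VALUE means unlimited.
    public static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Initialises AES-CBC with a 256-bit key. Under the restricted policy this
    // throws InvalidKeyException("Illegal key size"), the same failure OpenSAML
    // surfaces in its stack trace; under the unlimited policy it succeeds.
    public static boolean aes256Usable() throws Exception {
        byte[] key = new byte[32];   // constructed placeholder, 256 bits
        byte[] iv = new byte[16];    // constructed placeholder, AES block size
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE,
                        new SecretKeySpec(key, "AES"),
                        new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && "--unlimited".equals(args[0])) {
            // Java 8u151+ / 9+: select the unlimited policy without replacing
            // jars. This must run before the JCE framework is first used.
            Security.setProperty("crypto.policy", "unlimited");
        }
        System.out.println("max AES key bits: " + maxAesKeyBits());
        System.out.println("AES-256 usable:   " + aes256Usable());
    }
}
```

Run it with the same JDK the SP uses (java JcePolicyCheck). A result of "max AES key bits: 128" and "AES-256 usable: false" means the restricted jars are still in place and the SAML decrypter will keep failing; after the jars are replaced, or with --unlimited on a supported build, both lines flip to Integer.MAX_VALUE and true.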

TurboTax… FAIL

As I was filing my taxes today, I stumbled upon this bug in TurboTax.


Although this may not be a fatal bug, as a consumer of the product I can only wonder how many more bugs are left uncovered, and whether or not my taxes are done correctly this year.


The moral of the story is… always write test cases and automate the test executions.

Yes, single-page apps are getting very popular these days, but that doesn't excuse you from testing your client-side code.

If you write code, whether it is server-side code or client-side code, you have to write test cases… end of story.