generateSecretKey defaulting to 256?

KabutoTX1 · September 18, 2025, 8:21pm

I was tracking a problem down I have had lately. I have an AES encrypt function I sometimes use. I started to get a “Wrong IV length” error (I think after 6.2.2 re-install). Finally spent some time to look into it. I wrote some test code on trycf that worked fine but gives the Wrong IV length on my server. I found generateSecretKey(“AES”) was giving me a 256 bit key on my server but not trycf. Adding the keysize argument fixed my problem. I noticed trycf is using the same Lucee version but JAVA 17. I use the new JAVA 21 after the re-install. Could JAVA be the difference?

Test Code:

<cfscript>
saltiv = generateSecretKey("AES");
writeDump(saltiv);
penc = encrypt("TestMe", "SUq9aM+ROxcNyt6eXsDUiQ==", 'AES/CBC/PKCS5Padding', 'Base64', binaryDecode(saltiv, "base64"));
writeDump(penc);
</cfscript>

Zackster · September 18, 2025, 8:28pm

Yeah that’s possibly the root cause

Java 21 things stabilised a bit more, we jumped from 11 to 21 in terms of our focus. The unicode date stuff was quite a moving target in between

I’ve asked for that to be cleaned up on trycf

KabutoTX1 · September 18, 2025, 9:06pm

Yep. Found it. Was Java 19. (JDK-8267319)

AES will default to 256, if available and 128 as fall-back.
Coldfusion 2025 seems to do the same thing.