An interesting post came out today on Coder’s Revolution. It appears that cfcatch is not locally scoped.
I’ve put together what I believe is the Java equivalent of CF’s GenerateSecretKey, Encrypt, and Decrypt functions.
Unfortunately, these encrypt and decrypt functions still do not work in CF7, so there must be something else besides the US_export_policy.jar & local_policy.jar files that would need to be upgraded in order to allow strong encryption to work in CF7.
I’ve posted the code below in hopes that someone will tell me I’ve made a mistake and that we could get this to work in CF7.
The code is based on this article from Sun.
This does not get enough attention.
Out of the box, ColdFusion does not have strong encryption and will not generate keys longer than 128 bits. You must upgrade the underlying Java library in order to gain access to strong encryption. Currently the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 download is located here. Download the file, decompress it, and then replace the existing US_export_policy.jar & local_policy.jar files in your ColdFusion install with the ones that you’ve just downloaded. After restarting ColdFusion you will be able to use the GenerateSecretKey function to create keys stronger than 128 bits.
This has been tested to work with CF8 & CF9.
Replacing the files did not cause errors in CF7, but in CF7 the GenerateSecretKey function only takes one argument, which is the encryption algorithm, and does not allow a key length to be specified. Perhaps those of you who know Java will be able to access the underlying encryption library directly and still get it to work in CF7?
UPDATE: I tried this and it still seems to not work.
UPDATE: Per Jason Dean’s comment below: for this to work in CF7 you need to use a different library. The strong encryption library for CF7 can be downloaded here.
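One way to confirm that the replaced policy files actually took effect, as an added example that is not code from the original post: it asks the JVM for the maximum AES key length the installed policy allows, then attempts a round trip at each key size. The class name `JcePolicyCheck` and the sample message are made up for illustration, and it assumes Java 5 or later, where `Cipher.getMaxAllowedKeyLength` exists.

```java
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): reports whether the JVM's
// installed JCE policy permits AES keys longer than 128 bits.
public class JcePolicyCheck {

    // Round-trips a constructed sample message with a random AES key of the
    // given size. Returns false when the installed policy rejects the key size.
    static boolean roundTrip(int keyBits) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] keyBytes = new byte[keyBits / 8];
        byte[] iv = new byte[16]; // AES block size in bytes
        rng.nextBytes(keyBytes);
        rng.nextBytes(iv);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        byte[] plain = "constructed sample message".getBytes("UTF-8");
        try {
            Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
            enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
            byte[] ct = enc.doFinal(plain);
            Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding");
            dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
            return Arrays.equals(plain, dec.doFinal(ct));
        } catch (InvalidKeyException e) {
            // "Illegal key size": the limited-strength policy is still in effect
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Shows which JRE is being checked; policy files are installed per JRE
        System.out.println("java.home = " + System.getProperty("java.home"));
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length allowed by policy: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        int[] sizes = {128, 192, 256};
        for (int bits : sizes) {
            System.out.println("AES-" + bits + " round trip: "
                    + (roundTrip(bits) ? "ok" : "blocked by policy"));
        }
    }
}
```

Run it with the same JVM that ColdFusion runs on; a result from a different JRE on the machine says nothing about the one the server uses.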