How to get AES secret key from DH secret key

挽巷 2021-01-23 18:47

I have the following code that converts a DH secret key to AES secret key. This used to work until Oracle JRE 8u161 when they started restricting creation of DH keys < 1024 i

2 answers
  •  有刺的猬
    2021-01-23 19:06

    Generally key size requirements are checked in the Cipher and KeyAgreement class itself rather than the service implementation by the provider. It is of course possible to test another provider such as the Bouncy Castle provider regardless [EDIT: this seems to work in this case, so the key size restraints are in the default provider delivered with the Java runtime; using the "BC" provider seems to work fine, see the comment below the answer].

    If using another provider doesn't work then use the Bouncy Castle lightweight API (org.bouncycastle.** classes) to use another software implementation of DH, bypassing the KeyAgreement class altogether. Stepping outside the JCA / KeyAgreement should however be avoided.

    Needless to say, the requirements of not using < 1024 bit keys are there for a reason: they are not considered secure anymore. Upgrade your security ASAP!
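An added example, not code from the question or the answer: a DH key agreement through the standard JCA `KeyAgreement` class with a 2048-bit group, where the AES key is derived by hashing the raw shared secret with SHA-256. The class name `DhToAes`, the helper `deriveAesKey` and the choice of SHA-256 as the derivation step are assumptions made for this illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.SecretKeySpec;

public class DhToAes {  // hypothetical class name

    // Run DH with our private key and the peer's public key, then hash the
    // raw shared secret with SHA-256 to get 32 bytes for an AES-256 key.
    static SecretKey deriveAesKey(KeyPair own, PublicKey peer) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(own.getPrivate());
        ka.doPhase(peer, true);
        byte[] shared = ka.generateSecret();
        try {
            byte[] keyBytes = MessageDigest.getInstance("SHA-256").digest(shared);
            return new SecretKeySpec(keyBytes, "AES");
        } finally {
            Arrays.fill(shared, (byte) 0);  // wipe our copy of the raw secret
        }
    }

    public static void main(String[] args) throws Exception {
        // 2048-bit group: above the 1024-bit floor discussed in the question.
        KeyPairGenerator aliceGen = KeyPairGenerator.getInstance("DH");
        aliceGen.initialize(2048);
        KeyPair alice = aliceGen.generateKeyPair();

        // Bob must use the same group parameters (p, g) as Alice.
        KeyPairGenerator bobGen = KeyPairGenerator.getInstance("DH");
        bobGen.initialize(((DHPublicKey) alice.getPublic()).getParams());
        KeyPair bob = bobGen.generateKeyPair();

        SecretKey a = deriveAesKey(alice, bob.getPublic());
        SecretKey b = deriveAesKey(bob, alice.getPublic());
        if (!Arrays.equals(a.getEncoded(), b.getEncoded())) {
            throw new IllegalStateException("derived keys differ");
        }
        System.out.println("AES key length (bits): " + a.getEncoded().length * 8);
    }
}
```

Both sides must apply the same derivation step to the shared secret; a protocol that needs several keys or context binding would use a dedicated KDF such as HKDF in place of the single hash.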
