Today, while debugging the WeChat go-live, the following error came up:
java.security.InvalidKeyException: Illegal key size
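I had never run into this during development, so I went digging.
Cause of the exception: if the key size is greater than 128, java.security.InvalidKeyException: Illegal key size is thrown. Key length is restricted because the Java runtime environment reads a limited policy file. The file is located in ${java_home}/jre/lib/security. This restriction exists because of US controls on software exports.
Solution: download the JCE unlimited strength jurisdiction policy files from the official site.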
JDK 5: http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html#jce_policy-1.5.0-oth-JPR
JDK 6: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
JDK 7 download: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
JDK 8 download: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
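After downloading and extracting the archive, you will see local_policy.jar, US_export_policy.jar and readme.txt.
If a JRE is installed, put the two jar files in %JRE_HOME%\lib\security, overwriting the original files.
If a JDK is installed, also put the two jar files in %JDK_HOME%\jre\lib\security, overwriting the original files.
Note in particular: the reason debugging showed no problem while debugging in production failed is that the production environment uses an early version of JDK 8, whereas development uses JDK 8 update 181.
In newer JDK 8 releases, the policy folder under %JDK_HOME%\jre\lib\security contains both sets of files, and the unlimited set is enabled.
You can see this in the java.security file in %JDK_HOME%\jre\lib\security: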
# Cryptographic Jurisdiction Policy defaults
#
# Import and export control rules on cryptographic software vary from
# country to country. By default, the JDK provides two different sets of
# cryptographic policy files:
#
# unlimited: These policy files contain no restrictions on cryptographic
# strengths or algorithms.
#
# limited: These policy files contain more restricted cryptographic
# strengths, and are still available if your country or
# usage requires the traditional restrictive policy.
#
# The JDK JCE framework uses the unlimited policy files by default.
# However the user may explicitly choose a set either by defining the
# "crypto.policy" Security property or by installing valid JCE policy
# jar files into the traditional JDK installation location. To better
# support older JDK Update releases, the "crypto.policy" property is not
# defined by default. See below for more information.
#
# The following logic determines which policy files are used:
#
# refers to the directory where the JRE was
# installed and may be determined using the "java.home"
# System property.
#
# 1. If the Security property "crypto.policy" has been defined,
# then the following mechanism is used:
#
# The policy files are stored as jar files in subdirectories of
# /lib/security/policy. Each directory contains a complete
# set of policy files.
#
# The "crypto.policy" Security property controls the directory
# selection, and thus the effective cryptographic policy.
#
# The default set of directories is:
#
# limited | unlimited
#
# 2. If the "crypto.policy" property is not set and the traditional
# US_export_policy.jar and local_policy.jar files
# (e.g. limited/unlimited) are found in the legacy
# /lib/security directory, then the rules embedded within
# those jar files will be used. This helps preserve compatibility
# for users upgrading from an older installation.
#
# 3. If the jar files are not present in the legacy location
# and the "crypto.policy" Security property is not defined,
# then the JDK will use the unlimited settings (equivalent to
# crypto.policy=unlimited)
#
# Please see the JCA documentation for additional information on these
# files and formats.
#
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
# TO DETERMINE THE EXACT REQUIREMENTS.
#
# Please note that the JCE for Java SE, including the JCE framework,
# cryptographic policy files, and standard JCE providers provided with
# the Java SE, have been reviewed and approved for export as mass market
# encryption item by the US Bureau of Industry and Security.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
#crypto.policy=unlimited
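
To confirm which policy a given runtime actually applies before deploying, the selection logic in the comments above can be checked from code. This is an added example, not part of the original post or of the JDK; the class name JcePolicyCheck is hypothetical, the all-zero key is constructed for the check only, and the file checks assume the JDK 8 directory layout described above.

```java
import java.io.File;
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic (hypothetical class name): reports which JCE policy is in effect.
public class JcePolicyCheck {

    // True when the limited policy caps AES below 256 bits.
    static boolean aesIsRestricted() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") < 256;
    }

    // Tries the operation that fails with "Illegal key size" under the limited policy.
    static String tryAes256() throws Exception {
        byte[] key = new byte[32]; // constructed all-zero 256-bit key, for this check only
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return "ok";
        } catch (InvalidKeyException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        File sec = new File(home, "lib" + File.separator + "security");
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.home     = " + home);
        // Rule 1 in java.security: explicit property; null while the line is commented out.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        // Rule 2: legacy jars in lib/security are used when the property is unset.
        for (String jar : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            System.out.println(jar + " present: " + new File(sec, jar).isFile());
        }
        // Newer JDK 8 updates ship both sets under lib/security/policy.
        System.out.println("policy dir    = " + new File(sec, "policy").isDirectory());
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES bits  = "
                + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));
        System.out.println("AES-256 init  = " + tryAes256());
        if (aesIsRestricted()) {
            System.exit(1); // non-zero exit so a deployment check can fail fast
        }
    }
}
```

Run it with the same java binary the production service uses; a runtime under the limited policy reports 128 as the maximum AES key size and exits with status 1.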