今天在做微信上线调试的时候爆出了:
java.security.InvalidKeyException: Illegal key size
问题,但是在开发过程中却没有遇到过于是一顿查询
异常原因:如果密钥大于128, 会抛出java.security.InvalidKeyException: Illegal key size 异常. 因为密钥长度是受限制的, java运行时环境读到的是受限的policy文件. 文件位于${java_home}/jre/lib/security, 这种限制是因为美国对软件出口的控制.
解决方案:去官方下载JCE无限制权限策略文件。
jdk 5: http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html#jce_policy-1.5.0-oth-JPR
jdk6: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
JDK7的下载地址: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
JDK8的下载地址: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
下载后解压,可以看到local_policy.jar和US_export_policy.jar以及readme.txt
如果安装了JRE,将两个jar文件放到%JRE_HOME%\lib\security目录下覆盖原来的文件
如果安装了JDK,还要将两个jar文件也放到%JDK_HOME%\jre\lib\security目录下覆盖原来文件。
特别注意之所以调试时没有问题,而线上调试出问题是应为线上环境使用的是 JDK8 早期的版本,而开发中使用的是 jdk8 181 版
新的 JDK8 中 %JDK_HOME%\jre\lib\security目录下的 policy 文件夹中并包含两种文件,并启用无限制版,
可以查看 %JDK_HOME%\jre\lib\security 中的 java.security 文件
# Cryptographic Jurisdiction Policy defaults
#
# Import and export control rules on cryptographic software vary from
# country to country. By default, the JDK provides two different sets of
# cryptographic policy files:
#
# unlimited: These policy files contain no restrictions on cryptographic
# strengths or algorithms.
#
# limited: These policy files contain more restricted cryptographic
# strengths, and are still available if your country or
# usage requires the traditional restrictive policy.
#
# The JDK JCE framework uses the unlimited policy files by default.
# However the user may explicitly choose a set either by defining the
# "crypto.policy" Security property or by installing valid JCE policy
# jar files into the traditional JDK installation location. To better
# support older JDK Update releases, the "crypto.policy" property is not
# defined by default. See below for more information.
#
# The following logic determines which policy files are used:
#
# refers to the directory where the JRE was
# installed and may be determined using the "java.home"
# System property.
#
# 1. If the Security property "crypto.policy" has been defined,
# then the following mechanism is used:
#
# The policy files are stored as jar files in subdirectories of
# /lib/security/policy. Each directory contains a complete
# set of policy files.
#
# The "crypto.policy" Security property controls the directory
# selection, and thus the effective cryptographic policy.
#
# The default set of directories is:
#
# limited | unlimited
#
# 2. If the "crypto.policy" property is not set and the traditional
# US_export_policy.jar and local_policy.jar files
# (e.g. limited/unlimited) are found in the legacy
# /lib/security directory, then the rules embedded within
# those jar files will be used. This helps preserve compatibility
# for users upgrading from an older installation.
#
# 3. If the jar files are not present in the legacy location
# and the "crypto.policy" Security property is not defined,
# then the JDK will use the unlimited settings (equivalent to
# crypto.policy=unlimited)
#
# Please see the JCA documentation for additional information on these
# files and formats.
#
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
# TO DETERMINE THE EXACT REQUIREMENTS.
#
# Please note that the JCE for Java SE, including the JCE framework,
# cryptographic policy files, and standard JCE providers provided with
# the Java SE, have been reviewed and approved for export as mass market
# encryption item by the US Bureau of Industry and Security.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
#crypto.policy=unlimited