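Fixing the JDK key-length limit for encryption and decryption
Problem description
The 160-bit hash produced by SHA-1 is used as the user key to initialize the Blowfish cipher, and the initialized cipher is then used to encrypt user data. This fails with a java.security.InvalidKeyException: Illegal key size exception: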
java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1038)
at javax.crypto.Cipher.implInit(Cipher.java:804)
at javax.crypto.Cipher.chooseProvider(Cipher.java:863)
at javax.crypto.Cipher.init(Cipher.java:1395)
at javax.crypto.Cipher.init(Cipher.java:1326)
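Cause
Because of export restrictions and similar reasons, JDK versions before 8u151 limit the maximum key length of some encryption algorithms; a key longer than 128 bits causes an exception.
Solution
Versions before JDK 8u151
Replace the two files US_export_policy.jar and local_policy.jar under $JAVA_HOME/jre/lib/security. Their original contents are shown below; they limit the maximum key size, in bits, of each algorithm.
// Contents of local_policy.jar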
grant {
permission javax.crypto.CryptoPermission "DES", 64;
permission javax.crypto.CryptoPermission "DESede", *;
permission javax.crypto.CryptoPermission "RC2", 128,
"javax.crypto.spec.RC2ParameterSpec", 128;
permission javax.crypto.CryptoPermission "RC4", 128;
permission javax.crypto.CryptoPermission "RC5", 128,
"javax.crypto.spec.RC5ParameterSpec", *, 12, *;
permission javax.crypto.CryptoPermission "RSA", *;
permission javax.crypto.CryptoPermission *, 128;
};
// Contents of US_export_policy.jar
grant {
// There is no restriction to any algorithms.
permission javax.crypto.CryptoAllPermission;
};
Download locations of the replacement files for each JDK version:
java6: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
java7: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
java8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Copy the two files US_export_policy.jar and local_policy.jar into $JAVA_HOME/jre/lib/security. The contents of the jar files are as follows:
// Both US_export_policy.jar and local_policy.jar contain the following
grant {
// There is no restriction to any algorithms.
permission javax.crypto.CryptoAllPermission;
};
Solution for versions from JDK 8u151 to JDK 8u161
Change the JDK configuration:
In the $JAVA_HOME/jre/lib/security/java.security file, set the crypto.policy setting to unlimited
Or set the property at runtime:
Security.setProperty("crypto.policy", "unlimited");
After JDK 8u161, the unlimited policy is used by default.
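To confirm which policy a given JVM actually applies after one of the fixes above, the following added example (not from the original page; the class name KeyLengthCheck and the sample strings are constructed for illustration) queries Cipher.getMaxAllowedKeyLength and then repeats the failing case from the problem description, a 160-bit SHA-1 digest used as the Blowfish key. CBC mode with a random IV is an assumption of the example, since the page does not say which mode was used.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example: class name and sample inputs are constructed for illustration.
public class KeyLengthCheck {
    public static void main(String[] args) throws Exception {
        // Maximum key length the installed jurisdiction policy allows.
        // 128 means the limited policy is active; Integer.MAX_VALUE means unlimited.
        int maxBits = Cipher.getMaxAllowedKeyLength("Blowfish");
        System.out.println("Java " + System.getProperty("java.version")
                + ", max Blowfish key: "
                + (maxBits == Integer.MAX_VALUE ? "unlimited" : maxBits + " bits"));

        // The scenario from the problem description: a 160-bit SHA-1 digest
        // used as the Blowfish key.
        byte[] key = MessageDigest.getInstance("SHA-1")
                .digest("constructed sample secret".getBytes(StandardCharsets.UTF_8));
        byte[] iv = new byte[8]; // Blowfish block size is 64 bits
        new SecureRandom().nextBytes(iv);

        Cipher cipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "Blowfish"),
                    new IvParameterSpec(iv));
            byte[] ct = cipher.doFinal(
                    "constructed user data".getBytes(StandardCharsets.UTF_8));
            System.out.println("OK: encrypted " + ct.length + " bytes with a "
                    + key.length * 8 + "-bit key");
        } catch (InvalidKeyException e) {
            // Limited policy: the 160-bit key exceeds the 128-bit ceiling.
            System.out.println("FAILED: " + e.getMessage() + " (key is "
                    + key.length * 8 + " bits, policy allows " + maxBits + ")");
            System.exit(1);
        }
    }
}
```

Running this with the same JVM and the same java.security file as the application shows whether the policy change took effect for that installation, which matters when several JDKs are installed on one host.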