Java InvalidKeyException: Illegal key size

Notice: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original URL: http://stackoverflow.com/questions/3862800/

Time: 2020-08-14 05:59:12  Source: igfitidea

InvalidKeyException Illegal key size

java aes jce

Asked by Vladimir

I have a test which runs great on my development MacBook Pro, but fails to run in continuous integration TeamCity server.

The error is the following:

java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.a(DashoA13*..)
    at javax.crypto.Cipher.init(DashoA13*..)
    at javax.crypto.Cipher.init(DashoA13*..)

Both the development box and TeamCity use Java 1.6, and I use the BouncyCastle library for the need of special AES encryption.

The code is the following:

private byte[] aesEncryptedInfo(String info) throws UnsupportedEncodingException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidParameterSpecException, InvalidAlgorithmParameterException, NoSuchProviderException {
    Security.addProvider(new BouncyCastleProvider());
    SecretKey secret = new SecretKeySpec(CUSTOMLONGSECRETKEY.substring(0, 32).getBytes(), "AES");
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
    cipher.init(Cipher.ENCRYPT_MODE, secret, new IvParameterSpec(VECTOR_SECRET_KEY.getBytes()));
    return cipher.doFinal(info.getBytes("UTF-8"));
}

UPDATE

Looks like, according to the selected answer, I have to modify something on my TeamCity installation, and it will possibly affect some user installations, so it's not a good choice. I have to switch to another crypto library to do that without limitations. So probably Bouncy Castle will help.

UPDATE 2

I actually switched to use BouncyCastle to avoid this limitation. Note this only works if you use BC's own classes directly, not the BC provider.

Accepted answer by Mark Rotteveel

This error means that your Java virtual machine uses a policy that only allows restricted cryptography key sizes due to US export laws.

Java 9 and higher

The Unlimited Strength Jurisdiction Policy Files are included with Java 9 and used by default (see Security Updates in the Java 9 Migration Guide).

If you get this error with Java 9, it might mean the policy configuration has been changed to a more restrictive policy (limited), see the instructions from the migration guide:

JCE Jurisdiction Policy File Default is Unlimited

If your application previously required the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, then you no longer need to download or install them. They are included in the JDK and are activated by default.

If your country or usage requires a more restrictive policy, the limited Java cryptographic policy files are still available.

If you have requirements that are not met by either of the policy files provided by default, then you can customize these policy files to meet your needs.

See the crypto.policy Security property in the <java-home>/conf/security/java.security file, or Cryptographic Strength Configuration in the Java Platform, Standard Edition Security Developer's Guide.

Java 8 and earlier

Java 8 Update 161 and higher

Starting with Java 8 Update 161, Java 8 defaults to the Unlimited Strength Jurisdiction Policy. If you receive this error, it could indicate the configuration has been changed to limited. See instructions in the next section on Java 8 Update 151, or the previous section on Java 9, for changing this back to unlimited.

Java 8 Update 151 and higher

Starting with Java 8 Update 151, the Unlimited Strength Jurisdiction Policy is included with Java 8 but not used by default. To enable it, you need to edit the java.security file in <java_home>/jre/lib/security (for JDK) or <java_home>/lib/security (for JRE). Uncomment (or include) the line

crypto.policy=unlimited

Make sure you edit the file using an editor run as administrator.

The policy change only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).

For backwards compatibility, installing the policy files as documented in the next section will still work as well.

Before Java 8 Update 151

For Java 8 Update 144 and earlier, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (available at Oracle).

To install these files (from the README.txt in the download):

  1. Download the unlimited strength JCE policy files.

  2. Uncompress and extract the downloaded file.

    This will create a subdirectory called jce. This directory contains the following files:

    README.txt                   This file
    local_policy.jar             Unlimited strength local policy file
    US_export_policy.jar         Unlimited strength US export policy file
    
  3. Install the unlimited strength policy JAR files.

    In case you later decide to revert to the original "strong" but limited policy versions, first make a copy of the original JCE policy files (US_export_policy.jar and local_policy.jar). Then replace the strong policy files with the unlimited strength versions extracted in the previous step.

    The standard place for JCE jurisdiction policy JAR files is:

    <java-home>/lib/security           [Unix]
    <java-home>\lib\security           [Windows]
    
Note for the JDK it is in jre/lib/security.

The new policy file only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).
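
A quick way to confirm which policy the failing JVM is actually running under, given here as an added example that is not part of the original answer. The class name JcePolicyCheck is an assumption; Cipher.getMaxAllowedKeyLength and Security.getProperty are standard JDK calls. Run it with the same java binary that the CI server or application server uses.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;

// Hypothetical helper class (name is an assumption, not from the page).
public class JcePolicyCheck {

    /** True when the running JVM permits AES keys of the given size in bits. */
    static boolean aesKeySizeAllowed(int bits) throws NoSuchAlgorithmException {
        // Returns 128 under the limited policy and Integer.MAX_VALUE under
        // the unlimited one.
        return Cipher.getMaxAllowedKeyLength("AES") >= bits;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Identify the JVM that is really executing, which may differ from
        // the JAVA_HOME shown in a shell or configured in an IDE.
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.home     = " + System.getProperty("java.home"));

        // null when the line is absent or commented out in java.security;
        // the JVM then falls back to its built-in default for that release.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));

        System.out.println("max AES bits  = " + Cipher.getMaxAllowedKeyLength("AES"));

        if (!aesKeySizeAllowed(256)) {
            System.out.println("Limited policy active: Cipher.init with a 32-byte "
                    + "AES key fails with InvalidKeyException: Illegal key size");
        }
    }
}
```

The printed java.home is the directory whose security folder has to be edited or receive the policy JARs, and the output only changes after the JVM has been restarted.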

Answer by Peter Štibraný

In addition to installing policy files, also make sure that CUSTOMLONGSECRETKEY...getBytes() does indeed produce a 32-byte array. I would use CUSTOMLONGSECRETKEY.getBytes(some encoding) and get the first 32 bytes from that. Better yet, use the whole secret key to derive keys for AES with the size that you need.
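
The length problem and the key-derivation suggestion from the answer above, as an added example that is not code from the original post. PBKDF2WithHmacSHA256 (Java 8+) is chosen here as the derivation function; the class name, sample secret, salt and iteration count are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class name; not from the page.
public class AesKeyFromSecret {

    /** Derives a 256-bit AES key from the whole secret with PBKDF2. */
    static SecretKey deriveAesKey(String secret, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(secret.toCharArray(), salt, iterations, 256);
        try {
            SecretKeyFactory factory =
                    SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            // The encoded result is exactly 256 / 8 = 32 bytes, regardless of
            // the secret's length or the characters it contains.
            return new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed secret containing non-ASCII characters (written as
        // Unicode escapes so the source file encoding does not matter).
        String secret = "p\u00e4ssw\u00f6rd-\u00fcnd-m\u00f6re-s\u00e9cret-"
                + "ch\u00e4racters-0123456789";

        // 32 characters are not 32 bytes once a character needs more than
        // one byte in the chosen encoding, so this is not a valid AES key.
        byte[] truncated = secret.substring(0, 32).getBytes(StandardCharsets.UTF_8);
        System.out.println("substring(0, 32) as UTF-8: " + truncated.length + " bytes");

        // Constructed fixed salt and iteration count (assumptions). In real
        // use the salt is random and stored next to the ciphertext.
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        SecretKey key = deriveAesKey(secret, salt, 100_000);
        System.out.println("derived key: " + key.getEncoded().length + " bytes");
    }
}
```

Deriving the key does not lift the jurisdiction policy limit: Cipher.init with the resulting 32-byte key still requires the unlimited policy on the running JVM.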

Answer by oopexpert

I had a similar problem, but in my case, there was a path error.

JAVA_HOME was jdk1.6.0_18, so I put the two jars into jdk1.6.0_18/lib/security, but within jdk1.6.0_18 is the jre directory. Both files should have been put in jdk1.6.0_18/jre/lib/security.

Answer by Juan Carlos Alafita

Make sure you know the path to JAVA_HOME that your IDE uses, in order to copy to the correct path.

In my case I use IntelliJ: /Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/jre/lib/security

Instead of when I show the $JAVA_HOME in the console: /Users/myuser/.sdkman/candidates/java/current/jre/lib/security

Answer by vikash singh

I was facing the same issue for JDK 1.8.0_151.

For this version and above, you do not need to download the jar files related to security, because local_policy.jar and US_export_policy.jar are already included in these versions under the path \jre\lib\security\policy (JAVA_HOME refers to your current Java installation folder). The only change you need to make is in the java.security file, which is present in /jre/lib/security: uncomment the line crypto.policy=unlimited