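Today, while debugging the WeChat go-live, the following error came up:
java.security.InvalidKeyException: Illegal key size
I had never hit it during development, so I did some digging.
Cause: if the key length is greater than 128, java.security.InvalidKeyException: Illegal key size is thrown. Key length is restricted because the Java runtime environment reads a limited policy file. The file is located in ${java_home}/jre/lib/security. The restriction exists because of US export controls on software.
Solution: download the JCE unlimited strength jurisdiction policy files from the official site.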
JDK 5: http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html#jce_policy-1.5.0-oth-JPR
JDK 6: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
JDK 7 download: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
JDK 8 download: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
After downloading, unpack the archive; it contains local_policy.jar, US_export_policy.jar and readme.txt.
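If a JRE is installed, put the two jar files into %JRE_HOME%\lib\security, overwriting the existing files. If a JDK is installed, also put the two jar files into %JDK_HOME%\jre\lib\security, overwriting the existing files.
Note that debugging locally worked while debugging in production failed because the production environment runs an early JDK 8 release, whereas development uses JDK 8 update 181.
In newer JDK 8 releases, the policy folder under %JDK_HOME%\jre\lib\security contains both sets of policy files, and the unlimited set is enabled.
This can be seen in the java.security file in %JDK_HOME%\jre\lib\security: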
# Cryptographic Jurisdiction Policy defaults
#
# Import and export control rules on cryptographic software vary from
# country to country.  By default, the JDK provides two different sets of
# cryptographic policy files:
#
#     unlimited:  These policy files contain no restrictions on cryptographic
#                 strengths or algorithms.
#
#     limited:    These policy files contain more restricted cryptographic
#                 strengths, and are still available if your country or
#                 usage requires the traditional restrictive policy.
#
# The JDK JCE framework uses the unlimited policy files by default.
# However the user may explicitly choose a set either by defining the
# "crypto.policy" Security property or by installing valid JCE policy
# jar files into the traditional JDK installation location.  To better
# support older JDK Update releases, the "crypto.policy" property is not
# defined by default.  See below for more information.
#
# The following logic determines which policy files are used:
#
#         <java-home> refers to the directory where the JRE was
#         installed and may be determined using the "java.home"
#         System property.
#
# 1.  If the Security property "crypto.policy" has been defined,
#     then the following mechanism is used:
#
#     The policy files are stored as jar files in subdirectories of
#     <java-home>/lib/security/policy.  Each directory contains a complete
#     set of policy files.
#
#     The "crypto.policy" Security property controls the directory
#     selection, and thus the effective cryptographic policy.
#
#     The default set of directories is:
#
#         limited | unlimited
#
# 2.  If the "crypto.policy" property is not set and the traditional
#     US_export_policy.jar and local_policy.jar files
#     (e.g. limited/unlimited) are found in the legacy
#     <java-home>/lib/security directory, then the rules embedded within
#     those jar files will be used. This helps preserve compatibility
#     for users upgrading from an older installation.
#
# 3.  If the jar files are not present in the legacy location
#     and the "crypto.policy" Security property is not defined,
#     then the JDK will use the unlimited settings (equivalent to
#     crypto.policy=unlimited)
#
# Please see the JCA documentation for additional information on these
# files and formats.
#
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
# TO DETERMINE THE EXACT REQUIREMENTS.
#
# Please note that the JCE for Java SE, including the JCE framework,
# cryptographic policy files, and standard JCE providers provided with
# the Java SE, have been reviewed and approved for export as mass market
# encryption item by the US Bureau of Industry and Security.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
#crypto.policy=unlimited
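To confirm which policy a given runtime actually applies before deploying, the check below follows the three-step logic quoted above and then tries to initialise AES with a 256-bit key. It is an added example, not code from the original post; the class name JcePolicyCheck is hypothetical, the key is random throwaway data, and the jar path assumes the JDK 8 layout where java.home points at the JRE directory.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic (hypothetical class name): reports which JCE policy is in effect.
public class JcePolicyCheck {
    public static void main(String[] args) throws Exception {
        System.out.println("java.version  = " + System.getProperty("java.version"));
        String home = System.getProperty("java.home");
        System.out.println("java.home     = " + home);

        // Step 1 of the java.security logic: the explicit Security property, if defined.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));

        // Step 2: legacy jars in <java-home>/lib/security are used when the property is unset.
        for (String jar : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            Path p = Paths.get(home, "lib", "security", jar);
            System.out.println(p + " present: " + Files.exists(p));
        }

        // Effective limit: 128 under the limited policy, Integer.MAX_VALUE when unlimited.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        // Reproduce the failure: the policy check runs inside Cipher.init().
        byte[] raw = new byte[32];              // constructed 256-bit test key
        new SecureRandom().nextBytes(raw);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(raw, "AES"));
            System.out.println("AES-256 init: OK");
        } catch (InvalidKeyException e) {
            System.out.println("AES-256 init: FAILED (" + e.getMessage() + ")");
            System.exit(1);                     // non-zero exit so a deploy script can gate on it
        }
    }
}
```

Run it with the same java binary the production service uses; a limit of 128 bits together with the legacy jars present points to step 2 of the logic above, where old limited jars override the unlimited default.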