InvalidKeyException Illegal key size

Posted 2024-09-26 03:18:20 · 1298 words · 3 views · 0 comments

I have a test which runs great on my development MacBook Pro, but fails to run in the continuous integration TeamCity server.

The error is the following:

java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.a(DashoA13*..)
    at javax.crypto.Cipher.init(DashoA13*..)
    at javax.crypto.Cipher.init(DashoA13*..)

Both the development box and TeamCity use Java 1.6, and I use the BouncyCastle library for the need of special AES encryption.

The code is the following:

private byte[] aesEncryptedInfo(String info) throws UnsupportedEncodingException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidParameterSpecException, InvalidAlgorithmParameterException, NoSuchProviderException {
    Security.addProvider(new BouncyCastleProvider());
    SecretKey secret = new SecretKeySpec(CUSTOMLONGSECRETKEY.substring(0, 32).getBytes(), "AES");
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
    cipher.init(Cipher.ENCRYPT_MODE, secret, new IvParameterSpec(VECTOR_SECRET_KEY.getBytes()));
    return cipher.doFinal(info.getBytes("UTF-8"));
}

UPDATE

It looks like, according to the selected answer, I have to modify something on my TeamCity installation, and it will possibly affect some user installations, so it's not a good choice. I have to switch to another crypto library to do that without limitations. So probably Bouncy Castle will help.

UPDATE 2

I actually switched to using BouncyCastle to avoid this limitation. Note this only works if you use BC's own classes directly, not the BC provider.


Comments (6)

孤独患者 2024-10-03 03:18:20

This error means that your Java virtual machine uses a policy that only allows restricted cryptography key sizes due to US export laws.

Java 9 and higher

The Unlimited Strength Jurisdiction Policy Files are included with Java 9 and used by default (see Security Updates in the Java 9 Migration Guide).

If you get this error with Java 9, it might mean the policy configuration has been changed to a more restrictive policy (limited), see the instructions from the migration guide:

JCE Jurisdiction Policy File Default is Unlimited

If your application previously required the Java Cryptography
Extension (JCE) Unlimited Strength Jurisdiction Policy Files, then you
no longer need to download or install them. They are included in the
JDK and are activated by default.

If your country or usage requires a more restrictive policy, the
limited Java cryptographic policy files are still available.

If you have requirements that are not met by either of the policy
files provided by default, then you can customize these policy files
to meet your needs.

See the crypto.policy Security property in the
<java-home>/conf/security/java.security file, or
Cryptographic Strength Configuration in the Java Platform,
Standard Edition Security Developer's Guide.

Java 8 and earlier

Java 8 Update 161 and higher

Starting with Java 8 Update 161, Java 8 defaults to the Unlimited Strength Jurisdiction Policy. If you receive this error, it could indicate the configuration has been changed to limited. See instructions in the next section on Java 8 Update 151, or the previous section on Java 9, for changing this back to unlimited.

Java 8 Update 151 and higher

Starting with Java 8 Update 151, the Unlimited Strength Jurisdiction Policy is included with Java 8 but not used by default. To enable it, you need to edit the java.security file in <java_home>/jre/lib/security (for JDK) or <java_home>/lib/security (for JRE). Uncomment (or include) the line

crypto.policy=unlimited

Make sure you edit the file using an editor run as administrator.

The policy change only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).

For backwards compatibility, installing the policy files as documented in the next section will still work as well.

Before Java 8 Update 151

For Java 8 Update 144 and earlier, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (available at Oracle).

To install these files (from the README.txt in the download):

  1. Download the unlimited strength JCE policy files.

  2. Uncompress and extract the downloaded file.

    This will create a subdirectory called jce.
    This directory contains the following files:

    README.txt                   This file
    local_policy.jar             Unlimited strength local policy file
    US_export_policy.jar         Unlimited strength US export policy file
    
  3. Install the unlimited strength policy JAR files.

    In case you later decide to revert to the original "strong" but
    limited policy versions, first make a copy of the original JCE
    policy files (US_export_policy.jar and local_policy.jar). Then
    replace the strong policy files with the unlimited strength
    versions extracted in the previous step.

    The standard place for JCE jurisdiction policy JAR files is:

    <java-home>/lib/security           [Unix]
    <java-home>\lib\security           [Windows]
    

Note for the JDK it is in jre/lib/security.

The new policy file only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).

迷爱 2024-10-03 03:18:20

I had a similar problem, but in my case, there was a path error.

JAVA_HOME was jdk1.6.0_18, so I put the two jars into jdk1.6.0_18/lib/security, but within jdk1.6.0_18 is the jre directory. Both files should have been put in jdk1.6.0_18/jre/lib/security.

鸢与 2024-10-03 03:18:20

The accepted answer assumes that you have administrator permissions to modify files and folders as an administrator.

If that's not the case, for Java 8 Update 151 and higher you can do the following:

  • Create a local file with one line crypto.policy=unlimited.
  • Add -Djava.security.properties=<yourfile> to your java command where <yourfile> is the local file you created

This method should work unless security.overridePropertiesFile is explicitly disabled (enabled by default).

Reference: <java_home>/jre/lib/security/java.security

#
# This is the "master security properties file".
#
# An alternate java.security properties file may be specified
# from the command line via the system property
#
#    -Djava.security.properties=<URL>
#
# This properties file appends to the master security properties file.
# If both properties files specify values for the same key, the value
# from the command-line properties file is selected, as it is the last
# one loaded.
#
# Also, if you specify
#
#    -Djava.security.properties==<URL> (2 equals),
#
# then that properties file completely overrides the master security
# properties file.
#
# To disable the ability to specify an additional properties file from
# the command line, set the key security.overridePropertiesFile
# to false in the master security properties file. It is set to true
# by default.
...

盗心人 2024-10-03 03:18:20

In addition to installing policy files, also make sure that CUSTOMLONGSECRETKEY...getBytes() does indeed produce 32 bytes array. I would use CUSTOMLONGSECRETKEY.getBytes(some encoding) and get first 32 bytes from that. Better yet, use whole secret key to derive keys for AES with the size that you need.
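
Added example, not part of the original answer: one way to derive an AES key of the required size from the whole secret instead of taking a 32-character substring. PBKDF2 as the derivation function, the iteration count, the salt/IV layout and the class name `DerivedAesKey` are assumptions made for this sketch.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class DerivedAesKey { // hypothetical class name
    static final int ITERATIONS = 100000; // assumed work factor, tune for your hardware

    // Derive an AES key of exactly keyBits bits from the whole secret, not a substring of it.
    static SecretKeySpec deriveKey(char[] secret, byte[] salt, int keyBits) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(secret, salt, ITERATIONS, keyBits);
        // PBKDF2WithHmacSHA1 exists on Java 6; Java 8+ also provides PBKDF2WithHmacSHA256.
        SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        return new SecretKeySpec(kdf.generateSecret(spec).getEncoded(), "AES");
    }

    // Output layout (chosen for this example): 16-byte salt || 16-byte IV || ciphertext.
    static byte[] encrypt(char[] secret, byte[] plain, int keyBits) throws Exception {
        byte[] salt = new byte[16], iv = new byte[16];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv); // fresh IV for every message
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(secret, salt, keyBits), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(salt, 32 + ct.length);
        System.arraycopy(iv, 0, out, 16, 16);
        System.arraycopy(ct, 0, out, 32, ct.length);
        return out;
    }

    // Reads salt and IV back from the message and re-derives the same key.
    static byte[] decrypt(char[] secret, byte[] msg, int keyBits) throws Exception {
        byte[] salt = Arrays.copyOfRange(msg, 0, 16);
        IvParameterSpec iv = new IvParameterSpec(msg, 16, 16);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(secret, salt, keyBits), iv);
        return c.doFinal(msg, 32, msg.length - 32);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret and plaintext.
        char[] secret = "constructed sample secret, longer than 32 chars".toCharArray();
        byte[] msg = encrypt(secret, "hello".getBytes("UTF-8"), 256);
        System.out.println(new String(decrypt(secret, msg, 256), "UTF-8"));
    }
}
```

With `keyBits` set to 128 this runs under the limited policy; 256 still requires the unlimited policy described in the first answer.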

冷默言语 2024-10-03 03:18:20

I was facing the same issue with jdk 1.8.0_151.

For this version and above, you do not need to download the jar files related to security, because local_policy.jar and US_export_policy.jar are already included in these versions under the path
\jre\lib\security\policy (JAVA_HOME refers to your current Java installation folder).
The only change you need to make is in the java.security file, which is present in /jre/lib/security:
uncomment the line
crypto.policy=unlimited

A君 2024-10-03 03:18:20

Make sure you know the path to JAVA_HOME that your IDE uses, in order to copy to the correct path.

In my case I use IntelliJ:
/Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/jre/lib/security

Instead of what I get when I show $JAVA_HOME in the console:
/Users/myuser/.sdkman/candidates/java/current/jre/lib/security
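
Added example, not taken from any of the answers: a small Java diagnostic to run with the same JVM that runs the failing test (for instance as a build step on the CI server). It reports which Java home is actually in use, what `crypto.policy` is set to, the maximum AES key length the active policy allows, and whether an AES-256 `init` succeeds. The class name `JcePolicyCheck` is hypothetical, and the `lib/security` location checked is the one the answers give for Java 8 and earlier.

```java
import java.io.File;
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck { // hypothetical class name

    // True when the active jurisdiction policy allows AES keys of at least `bits` bits.
    static boolean allowsAes(int bits) throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= bits;
    }

    // Repeats the kind of init() call that fails in the question,
    // using a constructed all-zero 32-byte key and 16-byte IV.
    static String tryAes256Init() throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"),
                   new IvParameterSpec(new byte[16]));
            return "OK";
        } catch (InvalidKeyException e) {
            return "FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // For a JDK 8 or earlier, java.home already points at <jdk>/jre.
        String home = System.getProperty("java.home");
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.home     = " + home);
        // null when the property is absent or commented out
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        // 128 under the limited policy, Integer.MAX_VALUE when unlimited
        System.out.println("max AES bits  = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 init  = " + tryAes256Init());
        // Where java.security and the policy JARs live on Java 8 and earlier.
        File dir = new File(home, "lib" + File.separator + "security");
        for (String n : new String[] {"java.security", "local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(dir, n);
            System.out.println(f + (f.exists() ? "  [present]" : "  [absent]"));
        }
        if (!allowsAes(256)) {
            System.exit(1); // non-zero exit lets a CI step fail fast
        }
    }
}
```

Running it once with and once without `-Djava.security.properties=<yourfile>` shows whether the override from the third answer takes effect on that JVM.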
