I have a test which runs great on my development MacBook Pro, but fails to run in the continuous integration TeamCity server.
The error is the following:
java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
Both the development box and TeamCity use Java 1.6, and I use the BouncyCastle library for the need of special AES encryption.
The code is the following:
private byte[] aesEncryptedInfo(String info) throws UnsupportedEncodingException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidParameterSpecException, InvalidAlgorithmParameterException, NoSuchProviderException {
    Security.addProvider(new BouncyCastleProvider());
    // 32-byte (256-bit) AES key: larger than the 128-bit limit of the restricted JCE policy
    SecretKey secret = new SecretKeySpec(CUSTOMLONGSECRETKEY.substring(0, 32).getBytes(), "AES");
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
    // InvalidKeyException ("Illegal key size") is thrown here when the limited policy is active
    cipher.init(Cipher.ENCRYPT_MODE, secret, new IvParameterSpec(VECTOR_SECRET_KEY.getBytes()));
    return cipher.doFinal(info.getBytes("UTF-8"));
}
UPDATE
Looks like according to the selected answer I have to modify something on my TeamCity installation and it will possibly affect some user installations - so it's not a good choice. I have to switch to another crypto library to do that without limitations. So probably bouncy castle will help.
UPDATE 2
I actually switched to use BouncyCastle to avoid this limitation. Note this only works if you use own BC classes directly, not the BC provider.
This error means that your Java virtual machine uses a policy that only allows restricted cryptography key sizes due to US export laws.
Java 9 and higher
The Unlimited Strength Jurisdiction Policy Files are included with Java 9 and used by default (see Security Updates in the Java 9 Migration Guide).
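If you get this error with Java 9, it might mean the policy configuration has been changed to a more restrictive policy (limited), see the instructions from the migration guide:
JCE Jurisdiction Policy File Default is Unlimited
If your application previously required the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, then you no longer need to download or install them. They are included in the JDK and are activated by default.
If your country or usage requires a more restrictive policy, the limited Java cryptographic policy files are still available.
If you have requirements that are not met by either of the policy files provided by default, then you can customize these policy files to meet your needs.
See the crypto.policy Security property in the <java-home>/conf/security/java.security file, or Cryptographic Strength Configuration in the Java Platform, Standard Edition Security Developer's Guide.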
Java 8 and earlier
Java 8 Update 161 and higher
Starting with Java 8 Update 161, Java 8 defaults to the Unlimited Strength Jurisdiction Policy. If you receive this error, it could indicate the configuration has been changed to limited. See instructions in the next section on Java 8 Update 151, or the previous section on Java 9, for changing this back to unlimited.
Java 8 Update 151 and higher
Starting with Java 8 Update 151, the Unlimited Strength Jurisdiction Policy is included with Java 8 but not used by default. To enable it, you need to edit the java.security file in <java_home>/jre/lib/security (for JDK) or <java_home>/lib/security (for JRE). Uncomment (or include) the line
crypto.policy=unlimited
Make sure you edit the file using an editor run as administrator.
The policy change only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).
For backwards compatibility, installing the policy files as documented in the next section will still work as well.
Before Java 8 Update 151
For Java 8 Update 144 and earlier, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (available at Oracle).
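To install these files (from the README.txt in the download):
1. Download the unlimited strength JCE policy files.
2. Uncompress and extract the downloaded file.
   This will create a subdirectory called jce. This directory contains the following files:
   README.txt            This file
   local_policy.jar      Unlimited strength local policy file
   US_export_policy.jar  Unlimited strength US export policy file
3. Install the unlimited strength policy JAR files.
   In case you later decide to revert to the original "strong" but limited policy versions, first make a copy of the original JCE policy files (US_export_policy.jar and local_policy.jar). Then replace the strong policy files with the unlimited strength versions extracted in the previous step.
   The standard place for JCE jurisdiction policy JAR files is:
   <java-home>/lib/security [Unix]
   <java-home>\lib\security [Windows]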
Note for the JDK it is in jre/lib/security.
The new policy file only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).
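A quick way to confirm which policy a given JVM (for example the one the CI agent runs) is actually enforcing, as an added example that is not part of the original question or answer. The class name JcePolicyCheck is hypothetical, and it uses the default provider's AES/CBC/PKCS5Padding rather than the BC provider so it runs without extra libraries; the all-zero key and IV are constructed probe values only.

```java
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (hypothetical name): reports which JCE jurisdiction policy this JVM enforces. */
public class JcePolicyCheck {

    /** True when the active policy permits AES keys of at least 256 bits. */
    static boolean allowsAes256() throws Exception {
        // 128 under the limited policy, Integer.MAX_VALUE under the unlimited one.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Repeats the failing Cipher.init() call with a constructed all-zero key and IV. */
    static String tryAes256Init() {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(new byte[32], "AES"),   // 32 bytes = AES-256
                    new IvParameterSpec(new byte[16]));
            return "OK";
        } catch (Exception e) {
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("java.home          = " + System.getProperty("java.home"));
        // null means the crypto.policy line is absent or commented out in java.security.
        System.out.println("crypto.policy      = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key length = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 init       = " + tryAes256Init());
        if (!allowsAes256()) {
            System.err.println("Limited policy active: AES keys above 128 bits throw InvalidKeyException.");
            System.exit(1);
        }
    }
}
```

Run it with the same java binary the build agent uses; the printed java.home shows which installation's lib/security directory is in effect, and the non-zero exit code lets a build step fail early.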