java jce配置_java JCE 不限密钥长度解决办法

java jce配置_java JCE 不限密钥长度解决办法()转自http://opensourceforgeeks.blogspot.com/2014/09/how-to-install-java-cryptography.html另外,在StackOverflow上也有相关讨论,并提供了反射实现代码https://stackoverflow.com/questions/25959948/local-policy-jar-and-us-export-p…

大家好,又见面了,我是你们的朋友全栈君。

()转自http://opensourceforgeeks.blogspot.com/2014/09/how-to-install-java-cryptography.html

另外,在StackOverflow上也有相关讨论,并提供了反射实现代码

https://stackoverflow.com/questions/25959948/local-policy-jar-and-us-export-policy-jar-different-with-unlimited-strength-vs-d

https://stackoverflow.com/questions/1179672/how-to-avoid-installing-unlimited-strength-jce-policy-files-when-deploying-an

前言

因为是需要,把英文原文复制了过来。

总结一下下面的内容:

1.java 8 161以上已经不再限制密钥长度

2.java 8 151以上,需要修改security文件,修改配置,重启jvm

3.java 8 151之前的,需要替换jar,重启jvm

4.不想替换jar,需要使用反射,来实现动态(作者不推荐)

How to install Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files

Problem

JCE has been integrated into the Java 2 SDK since the 1.4 release.

Below diagram shows a general overview of Java cryptographic architecture. What we are discussing in this post is related to JCE implementation provided by Sun/Oracle.

As per the Oracle documentation –

Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped with the JDK 5.0 from Sun Microsystems specify that “strong” but limited cryptography may be used.

That mean JDK has a deliberate key size restriction by default. So you cannot perform an encryption with key more than 128 bits (16 bytes). If you do you will get an error something like –

Caused by: java.security.InvalidKeyException: Illegal key size or default parameters

If you get this Exception there is nothing wrong that you are doing. It’s just the restriction on the encryption key that comes built into the JDK.

The reason for this is that some countries have restrictions on the permitted key strength used in encryption algorithms.

Again as per the documentation –

An “unlimited strength” version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the “strong” version can be imported into those countries whose governments mandate restrictions. The JCE framework will enforce the restrictions specified in the installed jurisdiction policy files.

Update –  Updates Since Java 8 and Java 9

There have been multiple updates since Java 8 and 9. Before you dive down into more details review this section based on the Java version you are using. I have shown how to resolve this issue with various Java versions in the video below.

Java 9 and higher :

The Unlimited Strength Jurisdiction Policy Files are included with Java 9 and used by default (see Security Updates in the Java 9 Migration Guide).

If you get this error with Java 9, it might mean the policy configuration has been changed to a more restrictive policy (limited), see the instructions from the migration guide:

It states –

JCE Jurisdiction Policy File Default is Unlimited

If your application previously required the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, then you no longer need to download or install them. They are included in the JDK and are activated by default.

If your country or usage requires a more restrictive policy, the limited Java cryptographic policy files are still available.

If you have requirements that are not met by either of the policy files provided by default, then you can customize these policy files to meet your needs.

See the crypto.policy Security property in the  /conf/security/java.security file, or Cryptographic Strength Configurationin the Java Platform, Standard Edition Security Developer’s Guide.

Java 8 Update 161 and higher

Starting with Java 8 Update 161, Java 8 defaults to the Unlimited Strength Jurisdiction Policy. If you receive this error, it could indicate the configuration has been changed to limited. See instructions in the next section on Java 8 Update 151, or the previous section on Java 9, for changing this back to unlimited.

Java 8 Update 151 and higher

Starting with Java 8 Update 151, the Unlimited Strength Jurisdiction Policy is included with Java 8 but not used by default. To enable it, you need to edit the java.security file in /jre/lib/security (for JDK) or /lib/security (for JRE). Uncomment (or include) the line

crypto.policy=unlimited

Make sure you edit the file using an editor run as administrator.

The policy change only takes effect after restarting the JVM (this is especially important for long-running server processes like Tomcat).

For backward compatibility, installing the policy files as documented in the next section will still work as well.

Before Java 8 Update 151 – Removing the maximum key size restriction

You can remove the maximum key restriction by replacing the existing JCE jars with unlimited strength policy jars.

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download

Download the zip file extract the jars and replace them in your JDK/JRE.

For this Copy local_policy.jar and US_export_policy.jarextracted from above zip file to the $JAVA_HOME/jre/lib/security

Note: These jars will already be present there so you will have to overwrite them.

Then simply restart your java application and the Exception should be gone.

NOTE: If you are using Ubuntu and the webupd8 PPA, you can simply run –

apt-get install oracle-java8-unlimited-jce-policy

An alternate way to maximum encryption key size problem

This way is really a workaround. In fact, this approach is the workaround to all problems and it’s not straightforward. Yeah you must have guessed it by now – Reflection

You can override the restriction with Reflection as follows –

1

2

3

4

5

6

7

try {

Field field = Class.forName(“javax.crypto.JceSecurity”).getDeclaredField(“isRestricted”);

field.setAccessible(true);

field.set(null, java.lang.Boolean.FALSE);

}catch (Exception ex) {

ex.printStackTrace();

}

Note 1: I do not recommend the Reflection approach as it’s hacky. If you are using it keep it for testing only. Don’t put it in production code :)

Note 2:As the change of replacing policy files is in JDK itself you will have to do it in all your servers. Also, you will have to ask all your clients to do so.

Finding the maximum possible key length

To find maximum key length allowed by an encryption algorithm you can useCipher.getMaxAllowedKeyLength() method.  For example, for AES algorithm you can do –

int maxKeyLength = Cipher.getMaxAllowedKeyLength(“AES”);

Related Links

Oracle JCE documentation

How to avoid installing “Unlimited Strength” JCE policy files when deploying an application?

Java Security: Illegal key size or default parameters?

版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。

发布者:全栈程序员-用户IM,转载请注明出处:https://javaforall.cn/150509.html原文链接:https://javaforall.cn

【正版授权,激活自己账号】: Jetbrains全家桶Ide使用,1年售后保障,每天仅需1毛

【官方授权 正版激活】: 官方授权 正版激活 支持Jetbrains家族下所有IDE 使用个人JB账号...

(0)


相关推荐

  • STM32中文参考手册_STM32读取ESP8266数据

    STM32中文参考手册_STM32读取ESP8266数据http://blog.csdn.net/u012722571/article/details/47295245lanmanck原创】这篇文章已经说了STM32的启动过程:http://blog.csdn.net/lanmanck/article/details/8252560我们也知道怎么跳到main函数了,那么,中断发生后,又是怎么跑到中断入口地址的呢?从stm

    2022年10月25日
  • 对团队中“这是某某某的问题”引起的思考[通俗易懂]

    对团队中“这是某某某的问题”引起的思考

  • 软件看门狗与硬件看门狗_电脑看门狗是什么意思

    软件看门狗与硬件看门狗_电脑看门狗是什么意思软件看门狗和硬件看门狗的作用和区别工业级无线路由器,作为无线组网中非常重要的设备,洞察客户应用场景,只要是关乎无线组网可靠性的需求,即使是最细微的技术应用都要做到极致,比如看门狗。为什么工业级无线路由器这么重视软硬件看门狗,今天我们就来看看软硬件看门狗区别。看门狗,又叫watchdogtimer,是一个定时器电路,一般有一个输入,叫喂狗,一个输出到MCU的RST端,MCU正常工作的时候,每隔…

    2022年10月24日
  • java从入门到精通_学习Java最好的10本书,从入门到精通

    java从入门到精通_学习Java最好的10本书,从入门到精通在当代,学习Java等编程课程的主要方式是视频资源。如果你想学,在网上五分钟之内就可以找到一堆学习视频,瞬间将你的硬盘填满。但是这些课程质量良莠不齐,对于小白来说,的确让人头痛不已。但是,书籍不同。对于书籍而言,它们都是出自业内大牛和资深的大学教授的精心编写,内容好坏与否,有很多同领域的网友都能帮你把关。所以说,如果你选对了学习的书籍,就可以不用担心自己在编程中,埋下错误的种子,同时还可以更深入的…

  • java找不到符号解决办法

    java找不到符号解决办法一、java找不到符号如果你的代码里没有报错,明明是存在的。但是java报错找不到符号。像下面这样子。二、解决步骤1.清除编码工具缓存本人用的idea,eclipse清除缓存方式有需要的可以百度一下!2.如果是mavne项目的先clean再package总结提示:一定要package本人刚开始就是知道clean了,没有package导致问题一直没有解决。在此记录一下!…

  • Python-opencv读取深度图像

    Python-opencv读取深度图像由于实验需要用到Kinect2.0采集的深度图像,但是用以下程序读取深度图片的时候显不方便观察temp_img=’cup_depth.png’depth_filename=os.path.join(image_dir,depth_img)temp_filename=os.path.join(image_dir,temp_img)im…

发表回复

您的电子邮箱地址不会被公开。

关注全栈程序员社区公众号