Say goodbye to different JDK versions!
Introduction
During Java development, we often encounter a variety of security-related problems. One of the common problems is the "Illegal key size or default parameters" error encountered when using Java's encryption features. This article describes how to solve this problem in detail, including the background of the problem, cause analysis, solution, and practical steps.
Background to the issue
Since the introduction of JCE (Java Cryptography Extension) in Java 1.4, to comply with U.S. export control laws, Oracle has set restrictions on the cryptographic algorithms in the default JRE, where the maximum key length for the AES algorithm is limited to 128 bits. This means that if you try to use a 192-bit or 256-bit AES key, the above exception will occur.
This limitation affects many versions, from Java 1.4 up to and including Java 8, among others. Although the concept of JCE has been de-emphasized in Java 11 and later versions, where it is no longer available as a separate extension, the key length limitation remains; it was only later changed to support longer keys by default.
For example, for the AES encryption algorithm, only 128-bit key lengths are allowed by default. This can lead to "Illegal key size or default parameters" exceptions during actual development.
Versions affected by the problem
This issue first appeared in Java 6 and Java 7 because those versions had a strict limit on key sizes by default, and this exception would also be triggered when using key lengths larger than 128 bits. Starting with JDK 8 Update 131, this issue has been resolved by default, which means that larger key sizes are supported by default.
Caveats
JDK 8 Update 131 and later include unlimited JCE policy files by default. The above problem should not occur.
Ensure that you understand the relevant security and compliance requirements before installing an unrestricted policy file, especially in regulated environments.
If you are using OpenJDK or another non-Oracle JDK distribution, you may need to manually install these policy files, even if your JDK version is higher than JDK 8 Update 131. I didn't try it. You can verify the problem yourself.
Example of an error log
Assuming you encountered this problem while using AES encryption, the error log might look like the following:
.InvalidKeyException: Illegal key size or default parameters
    at (:1026)
    at (:801)
    at (:864)
    at (:1249)
    at (:1186)
    at (:204)
    at (:57)
Solution
To resolve this issue, you need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction policy file. Below are the detailed steps:
Determine your Java version:
Open a command-line tool and run the java -version command to confirm the version of Java you are using.
Download the JCE Unlimited Strength Jurisdiction Policy file:
Visit the official Oracle Web site to download the JCE files for your version of Java.
For Java 8, you can download it here.
For Java 11 or later, unlimited key lengths are supported by default, and there is no need to download and configure the appropriate JCE unlimited policy file.
Replace the existing policy file:
Find the lib/security folder under your Java installation directory. The path is usually %JAVA_HOME%\jre\lib\security (Windows) or $JAVA_HOME/jre/lib/security (Linux/Mac).
In that directory, you will see two files: local_policy.jar and US_export_policy.jar.
Replace these two files with the corresponding files downloaded from Oracle. (Be careful to back up the original files.)
Restart the application:
After replacing the file, make sure to restart your application to apply the new policy file.
Run your program again and see if the exception has disappeared.
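To confirm whether a given JRE is actually restricted, before and after replacing the policy files, a small probe like the one below can be run on it. This is an added example, not code from the original article; the class name JcePolicyCheck and the probe plaintext are made up for illustration, and AES/CBC with a throwaway random key is used only so the probe also runs on the older JREs discussed above.

```java
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (hypothetical class name): reports which AES key sizes this JRE's policy allows. */
public class JcePolicyCheck {

    /** Tries to encrypt with a random AES key of the given size; false means the policy rejected the key. */
    static boolean canUseAesKey(int keyBits) throws Exception {
        byte[] key = new byte[keyBits / 8];
        new SecureRandom().nextBytes(key);          // throwaway key, never stored
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            // init() without parameters generates a random IV and runs the policy check
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            cipher.doFinal("policy probe".getBytes("UTF-8"));
            return true;
        } catch (InvalidKeyException e) {
            // Under the restricted policy the exception from the article is caught here
            System.out.println("  AES-" + keyBits + " rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home shows which installation (and which lib/security folder) is really in use
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Integer.MAX_VALUE means no key-size limit; 128 means the restricted policy is active
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        boolean allOk = true;
        for (int bits : new int[] {128, 192, 256}) {
            boolean allowed = canUseAesKey(bits);
            System.out.println("AES-" + bits + ": " + (allowed ? "OK" : "BLOCKED"));
            allOk &= allowed;
        }
        System.exit(allOk ? 0 : 1);                 // non-zero exit lets a deployment check fail fast
    }
}
```

Run it with the same java binary your application uses; the printed java.home tells you which installation's policy files were evaluated.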