加载秘钥InvalidKeySpecException: java.security.InvalidKeyException: IOException: Short read of DERl 异常处理
1:用如下方法加载私钥时,可能会抛出java.security.InvalidKeyException: IOException : Short read of DER length:
private static final String RSA_PRIVATE_KEY = "...";
private static final String RSA_PUBLIC_KEY = "...";
/**
* 生成token
* @param payload token携带的信息
* @return token字符串
*/
public static String getTokenRsa(Map<String,String> payload){
// 指定token过期时间为7天
Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.DATE, 7);
JWTCreator.Builder builder = JWT.create();
// 构建payload
payload.forEach(builder::withClaim);
// 利用hutool创建RSA
RSA rsa = new RSA(RSA_PRIVATE_KEY, null);
// 获取私钥
RSAPrivateKey privateKey = (RSAPrivateKey) rsa.getPrivateKey();
// 签名时传入私钥
String token = builder.withExpiresAt(calendar.getTime()).sign(Algorithm.RSA256(null, privateKey));
return token;
}
/**
* 解析token
* @param token token字符串
* @return 解析后的token
*/
public static DecodedJWT decodeRsa(String token){
// 利用hutool创建RSA
RSA rsa = new RSA(null, RSA_PUBLIC_KEY);
// 获取RSA公钥
RSAPublicKey publicKey = (RSAPublicKey) rsa.getPublicKey();
// 验签时传入公钥
JWTVerifier jwtVerifier = JWT.require(Algorithm.RSA256(publicKey, null)).build();
DecodedJWT decodedJWT = jwtVerifier.verify(token);
return decodedJWT;
}
}
异常报错原因如下:
cn.hutool.crypto.CryptoException: InvalidKeySpecException: java.security.InvalidKeyException: IOException: Short read of DER length
at cn.hutool.crypto.KeyUtil.generatePublicKey(KeyUtil.java:355)
at cn.hutool.crypto.KeyUtil.generatePublicKey(KeyUtil.java:335)
at cn.hutool.crypto.asymmetric.AsymmetricCrypto.<init>(AsymmetricCrypto.java:136)
at cn.hutool.crypto.asymmetric.AsymmetricCrypto.<init>(AsymmetricCrypto.java:83)
at cn.hutool.crypto.asymmetric.RSA.<init>(RSA.java:86)
at com.example.demotest.utils.JWTUtils.decodeRsa(JWTUtils.java:54)
at com.example.demotest.lanjieqi.JWTInterceptor.preHandle(JWTInterceptor.java:41)
at org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:148)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1066)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:964)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:696)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:779)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:177)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:891)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1784)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: Short read of DER length
at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
at cn.hutool.crypto.KeyUtil.generatePublicKey(KeyUtil.java:353)
... 43 more
Caused by: java.security.InvalidKeyException: IOException: Short read of DER length
at sun.security.x509.X509Key.decode(X509Key.java:398)
at sun.security.x509.X509Key.decode(X509Key.java:403)
at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:84)
at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
... 45 more
导致异常的原因通常有两种:第一,JDK加密算法问题,第二,秘钥内容自身问题。
JDK jar包问题
因为某些国家的进口管制限制,Java发布的运行环境包中的加解密有一定的限制。比如默认不允许256位密钥的AES加解密,解决方法就是修改策略文件。
下载与JDK或JRE对应版本的jce文件包,如jdk为1.8,所以下载 jce_policy-8.zip,官网下载地址:https://www.oracle.com/java/technologies/javase-jce8-downloads.html
下载解压后,把jar文件上传到需要安装jce机器上JDK或JRE的security目录下,覆盖源文件即可。
JDK:将两个jar文件放到%JDK_HOME%\jre\lib\security下
JRE:将两个jar文件放到%JRE_HOME%\lib\security下
覆盖之前,记得备份源文件,以防万一。
秘钥问题 :
秘钥自身问题就比较多,比如秘钥是否处理注释部分。或者秘钥存储是否完整等等。