JDK-8039921 : SHA1WithDSA with key > 1024 bits not working
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: other
  • CPU: x86
  • Submitted: 2014-04-07
  • Updated: 2017-08-03
  • Resolved: 2014-12-30
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8 JDK 9 Other
8u40Fixed 9 b45Fixed openjdk7uFixed
Related Reports
Relates :  
JDK-7044060 - Need to support NSA Suite B Cryptography algorithms
Description
FULL PRODUCT VERSION :
java version "1.8.0"
Java(TM) SE Runtime Environment (build 1.8.0-b132)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b70, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Mac OSX 10.9.2

A DESCRIPTION OF THE PROBLEM :
When you have a certificate with a public key using SHA1WithDSA with more than 1024 bits, you get the following exception:
Exception in thread "main" java.security.InvalidKeyException: Key is too long for this algorithm
	at sun.security.provider.DSA$LegacyDSA.checkKey(DSA.java:487)
	at sun.security.provider.DSA.engineInitVerify(DSA.java:152)
	at java.security.Signature$Delegate.init(Signature.java:1104)
	at java.security.Signature$Delegate.chooseProvider(Signature.java:1067)
	at java.security.Signature$Delegate.engineInitVerify(Signature.java:1122)
	at java.security.Signature.initVerify(Signature.java:496)


This exactly same scenario works perfectly fine in java  1.7.0_21  1.7.0_25 1.7.0_40 at least.

REGRESSION.  Last worked in version 7u40

ADDITIONAL REGRESSION INFORMATION: 
java version "1.8.0"
Java(TM) SE Runtime Environment (build 1.8.0-b132)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b70, mixed mode)

And 

java version "1.7.0_40"
Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
run the following statement using a Public Key SHA1WithDSA with 2048 bits key.
Signature.getInstance("SHA1withDSA").initVerify(cert);

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The certificate should be accepted and no exception should be thrown
ACTUAL -
Exception in thread "main" java.security.InvalidKeyException: Key is too long for this algorithm
	at sun.security.provider.DSA$LegacyDSA.checkKey(DSA.java:487)
	at sun.security.provider.DSA.engineInitVerify(DSA.java:152)
	at java.security.Signature$Delegate.init(Signature.java:1104)
	at java.security.Signature$Delegate.chooseProvider(Signature.java:1067)
	at java.security.Signature$Delegate.engineInitVerify(Signature.java:1122)
	at java.security.Signature.initVerify(Signature.java:496)


ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.security.InvalidKeyException: Key is too long for this algorithm
	at sun.security.provider.DSA$LegacyDSA.checkKey(DSA.java:487)
	at sun.security.provider.DSA.engineInitVerify(DSA.java:152)
	at java.security.Signature$Delegate.init(Signature.java:1104)
	at java.security.Signature$Delegate.chooseProvider(Signature.java:1067)
	at java.security.Signature$Delegate.engineInitVerify(Signature.java:1122)
	at java.security.Signature.initVerify(Signature.java:496)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
	@Test
		public void testCertWith2048bitsKey() throws Exception {
			X509Certificate cert = ... Cert with 2048 bits key... ;
			Signature.getInstance("SHA1withDSA").initVerify(cert);
		}
---------- END SOURCE ----------
Comments
Since there are existing apps using long DSA keys (>1024-bit) with SHA1withDSA signature, remove the key length check in order to maintain backward compatibility. Release note on this seems to be covered by https://bugs.openjdk.java.net/browse/JDK-8149394
03-08-2017
For SHA1withDSA signature, DSA keys less than 1024 bits are allowed for the sake of backward compatibility. As for 2048-bit DSA key pairs, they should be used with signature algorithms using the SHA-2 family of message digests as specified in FIPS 186-3. I don't think there is a bug here. Will close this.
17-04-2014
Suite B would have added more DSA support, not removed it. Also it says the key is too long which seems odd. My feeling is there is a bug.
10-04-2014
I believe it is expected behavior according to the standards, but I will let Valerie do the official evaluation since she was the RE for this feature.
10-04-2014
This change of behaviour is present in JDK 8 due to https://bugs.openjdk.java.net/browse/JDK-7044060 Can security Dev team confirm that the behaviour is correct? The new DSA.LegacyDSA inner class enforces this check. Is it documented in compatibility notes ?
10-04-2014