JDK-7193096 : keytool issue: not able to specify the provider for key generation
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P3
  • Status: Resolved
  • Resolution: Not an Issue
  • OS: solaris
  • CPU: x86
  • Submitted: 2012-08-21
  • Updated: 2017-05-19
  • Resolved: 2013-05-23
Description
When running:
keytool -genkey -alias xx -keysize 1024 -keyalg DSA -keystore xxxx -storetype jks -providerName SUN

The keystore and key could be generated successfully.

Then do:
keytool -list -v -keystore xxxx -storepass xxxxxx

We can see the keystore provider is SUN, but we are not able to know the provider for the key.


It looks like there is no way to specify a specific provider for key generation in keytool.

If we do:
keytool -genkey -alias xx -keysize 2048 -keyalg DSA -keystore xxxx -storetype jks -providerName SUN
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  x
What is the name of your organizational unit?
  [Unknown]:  x
What is the name of your organization?
  [Unknown]:  x
What is the name of your City or Locality?
  [Unknown]:  x
What is the name of your State or Province?
  [Unknown]:  x
What is the two-letter country code for this unit?
  [Unknown]:  x
Is CN=x, OU=x, O=x, L=x, ST=x, C=x correct?
  [no]:  y

keytool error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_SIZE_RANGE

From the error message, it looks like the provider for key generation is not SUN but PKCS11. There should be a way to do that. Especially since we have a plan to support 2048-bit DSA keys in the SUN provider in JDK 8, we should be able to specify SUN as the key generation provider.

Comments
Keytool uses the SHA1withDSA signature algorithm by default when generating DSA key pairs. This SHA1withDSA signature algorithm can only accommodate DSA key sizes up to 1024 bits. Thus it leads to the reported keytool error, i.e. java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_SIZE_RANGE. This error would go away if we switch to SHA256withDSA (or SHA224withDSA) as the default signature algorithm for DSA keys, or if callers explicitly specify an appropriate signature algorithm using the -sigalg argument. Will close this as "Not an Issue".
23-05-2013

One more note: when generating 2048-bit DSA key pairs, you will need to explicitly specify the signature algorithm to be either SHA224withDSA or SHA256withDSA. Otherwise, according to the keytool documentation, the default signature algorithm for DSA key pair generation is SHAwithDSA, which can only handle up to 1024-bit DSA keys, and the keytool command would fail with the following stack trace:

keytool error: java.security.InvalidKeyException: Key is too long for this algorithm
java.security.InvalidKeyException: Key is too long for this algorithm
        at sun.security.provider.DSA$LegacyDSA.checkKey(DSA.java:487)
        at sun.security.provider.DSA.engineInitSign(DSA.java:120)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1128)
        at java.security.Signature.initSign(Signature.java:511)
        at sun.security.x509.X509CertImpl.sign(X509CertImpl.java:560)
        at sun.security.tools.keytool.CertAndKeyGen.getSelfCertificate(CertAndKeyGen.java:272)
        at sun.security.tools.keytool.Main.doGenKeyPair(Main.java:1530)
        at sun.security.tools.keytool.Main.doCommands(Main.java:953)
        at sun.security.tools.keytool.Main.run(Main.java:334)
        at sun.security.tools.keytool.Main.main(Main.java:327)

However, once the appropriate signature algorithm is specified, i.e. either SHA224withDSA or SHA256withDSA, then the keytool command should pass, e.g.

% keytool -genkeypair -alias xx -keysize 2048 -keyalg DSA -sigalg SHA224withDSA -keystore xxxx -storetype jks -providerName SUN -v
12-04-2013

Hmm, the key pair is generated using the supplied provider. However, when trying to generate the self-signed certificate, the supplied provider name is not used, which leads to the PKCS11Exception: CKR_KEY_SIZE_RANGE since the more preferred provider, i.e. SunPKCS11, only supports up to 1024-bit DSA.
11-04-2013
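The two points raised in the comments, that the key pair must come from the provider you named and that the signature algorithm must fit the key size, written out as an added Java example that is not part of the JDK, keytool, or this bug report. It assumes the provider name "SUN" (the JDK's built-in software provider) and constructs its own sample message; the class and method names are the example's own. It pins both KeyPairGenerator and Signature to the same provider, which is the step the comments say keytool skipped for the self-signed certificate, and it chooses the signature algorithm by key size the way the -sigalg advice does.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.DSAPublicKey;

/**
 * Added example, not JDK or keytool code: generate a DSA key pair and sign
 * with it while pinning BOTH operations to one named provider, and choose a
 * signature algorithm that matches the key size (the manual equivalent of
 * keytool's -sigalg).
 */
public class DsaProviderPinning {

    /** Provider name assumed by the example; SUN is the JDK's built-in software provider. */
    static final String PROVIDER = "SUN";

    /**
     * Pick a DSA signature algorithm that can accommodate the key size.
     * SHA1withDSA (the legacy default) is limited to 1024-bit keys; larger keys
     * need SHA224withDSA or SHA256withDSA, as the bug comments recommend.
     */
    static String sigAlgFor(int keySizeBits) {
        return keySizeBits <= 1024 ? "SHA1withDSA" : "SHA256withDSA";
    }

    /** Build the generator from the named provider, not the highest-priority one. */
    static KeyPairGenerator dsaGenerator(int keySizeBits)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", PROVIDER);
        kpg.initialize(keySizeBits, new SecureRandom());
        return kpg;
    }

    /**
     * Sign and verify with an explicitly chosen algorithm and provider.
     * Returns true when the round trip verifies.
     */
    static boolean signAndVerify(KeyPair kp, String sigAlg, byte[] data)
            throws NoSuchAlgorithmException, NoSuchProviderException,
                   InvalidKeyException, SignatureException {
        Signature signer = Signature.getInstance(sigAlg, PROVIDER);
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(sigAlg, PROVIDER);
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        int keySize = 2048; // the size that failed in the report
        // Constructed sample input for the example.
        byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        KeyPairGenerator kpg = dsaGenerator(keySize);
        KeyPair kp = kpg.generateKeyPair();

        // Report which provider actually served the key and the real modulus size,
        // the check the reporter could not make from keytool -list output.
        int actualBits = ((DSAPublicKey) kp.getPublic()).getParams().getP().bitLength();
        System.out.println("key pair from provider " + kpg.getProvider().getName()
                + ", p is " + actualBits + " bits");

        String sigAlg = sigAlgFor(keySize);
        System.out.println(sigAlg + " round trip verified: " + signAndVerify(kp, sigAlg, data));

        // Probe the legacy default. On JDKs where SUN's SHA1withDSA caps keys at 1024 bits,
        // initSign throws the "Key is too long for this algorithm" InvalidKeyException
        // quoted in the comments; the catch reports it instead of aborting.
        try {
            signAndVerify(kp, "SHA1withDSA", data);
            System.out.println("SHA1withDSA accepted a " + keySize + "-bit key on this JDK");
        } catch (InvalidKeyException e) {
            System.out.println("SHA1withDSA rejected the key: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DsaProviderPinning.java && java DsaProviderPinning`. The design point is that `getInstance(alg, PROVIDER)` is called for the signature as well as for the key pair; if only the generator is pinned, the JCA picks the highest-priority provider for the signature step, which is how a SunPKCS11 provider with a 1024-bit DSA limit ends up handling a 2048-bit key.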