-
Sub-task
-
Resolution: Delivered
-
P4
-
9
-
Verified
Default signature algorithms for `jarsigner` and `keytool` are determined by both the algorithm and the key size of the private key which makes use of comparable strengths as defined in Tables 2 and 3 of [NIST SP 800-57 Part 1-Rev.4](http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4). Specifically, for a DSA or RSA key with a key size greater than 7680 bits, or an EC key with a key size greater than or equal to 512 bits, SHA-512 will be used as the hash function for the signature algorithm. For a DSA or RSA key with a key size greater than 3072 bits, or an EC key with a key size greater than or equal to 384 bits, SHA-384 will be used. Otherwise, SHA-256 will be used. The value may change in the future.
For DSA keys, the default key size for `keytool` has changed from 1024 bits to 2048 bits.
There are a few potential compatibility risks associated with these changes:
1. If you use `jarsigner` to sign JARs with the new defaults, previous versions (than this release) might not support the stronger defaults and will not be able to verify the JAR. `jarsigner -verify` on such a release will output the following error:
```
jar is unsigned. (signatures missing or not parsable)
```
If you add `-J-Djava.security.debug=jar` to the `jarsigner` command line, the cause will be output:
```
jar: processEntry caught: java.security.NoSuchAlgorithmException: SHA256withDSA Signature not available
```
If compatibility with earlier releases is important, you can, at your own risk, use the `-sigalg` option of `jarsigner` and specify the weaker SHA1withDSA algorithm.
2. If you use a `PKCS11` keystore, the SunPKCS11 provider may not support the `SHA256withDSA` algorithm. `jarsigner` and some `keytool` commands may fail with the following exception if `PKCS11` is specified with the `-storetype` option, ex:
```
keytool error: java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey
```
A similar error may occur if you are using NSS with the SunPKCS11 provider.
The workaround is to use the `-sigalg` option of `keytool` and specify SHA1withDSA.
3. If you have a script that uses the default key size of `keytool` to generate a DSA keypair but then subsequently specifies a specific signature algorithm, ex:
```
keytool -genkeypair -keyalg DSA -keystore keystore -alias mykey ...
keytool -certreq -sigalg SHA1withDSA -keystore keystore -alias mykey ...
```
it will fail with one of the following exceptions, because the new 2048-bit keysize default is too strong for SHA1withDSA:
```
keytool error: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
keytool error: java.security.InvalidKeyException: DSA key must be at most 1024 bits
```
You will see a similar error if you use `jarsigner` to sign JARs using the new 2048-bit DSA key with `-sigalg SHA1withDSA` set.
The workaround is to remove the `-sigalg` option and use the stronger SHA256withDSA default or, at your own risk, use the `-keysize` option of `keytool` to create new keys of a smaller key size (1024).
SeeJDK-8057810, JDK-8056174 and JDK-8138766 for more details.
For DSA keys, the default key size for `keytool` has changed from 1024 bits to 2048 bits.
There are a few potential compatibility risks associated with these changes:
1. If you use `jarsigner` to sign JARs with the new defaults, previous versions (than this release) might not support the stronger defaults and will not be able to verify the JAR. `jarsigner -verify` on such a release will output the following error:
```
jar is unsigned. (signatures missing or not parsable)
```
If you add `-J-Djava.security.debug=jar` to the `jarsigner` command line, the cause will be output:
```
jar: processEntry caught: java.security.NoSuchAlgorithmException: SHA256withDSA Signature not available
```
If compatibility with earlier releases is important, you can, at your own risk, use the `-sigalg` option of `jarsigner` and specify the weaker SHA1withDSA algorithm.
2. If you use a `PKCS11` keystore, the SunPKCS11 provider may not support the `SHA256withDSA` algorithm. `jarsigner` and some `keytool` commands may fail with the following exception if `PKCS11` is specified with the `-storetype` option, ex:
```
keytool error: java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey
```
A similar error may occur if you are using NSS with the SunPKCS11 provider.
The workaround is to use the `-sigalg` option of `keytool` and specify SHA1withDSA.
3. If you have a script that uses the default key size of `keytool` to generate a DSA keypair but then subsequently specifies a specific signature algorithm, ex:
```
keytool -genkeypair -keyalg DSA -keystore keystore -alias mykey ...
keytool -certreq -sigalg SHA1withDSA -keystore keystore -alias mykey ...
```
it will fail with one of the following exceptions, because the new 2048-bit keysize default is too strong for SHA1withDSA:
```
keytool error: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
keytool error: java.security.InvalidKeyException: DSA key must be at most 1024 bits
```
You will see a similar error if you use `jarsigner` to sign JARs using the new 2048-bit DSA key with `-sigalg SHA1withDSA` set.
The workaround is to remove the `-sigalg` option and use the stronger SHA256withDSA default or, at your own risk, use the `-keysize` option of `keytool` to create new keys of a smaller key size (1024).
See
- relates to
-
JDK-8138768 Tooldoc for JDK-8138766 and JDK-8056174
-
- Closed
-