Closed Bug 946504 Opened 11 years ago Closed 6 months ago

Incorrect key size ranges for SHA1withDSA signature implementation

Categories: NSS :: Libraries, defect
Version: 3.15.3
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: valeriep, Unassigned

Details

User Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:17.0) Gecko/20100101 Firefox/17.0 (Beta/Release)
Build ID: 20130308103912

Steps to reproduce:

While running my Java app against NSS 3.15.3 release through JDK's PKCS11 provider, I noticed that the supported key size range for CKM_DSA_SHA1 is 512 to 3072 instead of the range of 512 to 1024. However, when I tried to use the signature w/ a 2048-bit DSA key pair, it only errors out with CKR_ARGUMENTS_BAD when signing/verification is performed.

Simple test app:
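    import java.security.*;

    public class TestDSAKeyLength {
        public static void main(String[] argv) throws Exception {
            boolean status = true;
            // ... generate DSA 2048-bit key pair
            // (generator setup was elided in the report; the provider choice here is an assumption)
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", "SunPKCS11-NSS");
            kpg.initialize(2048);
            KeyPair pair2048 = kpg.generateKeyPair();

            Signature sig = Signature.getInstance("SHA1withDSA", "SunPKCS11-NSS");
            try {
                sig.initSign(pair2048.getPrivate());
                status = false; // initSign() accepted a key outside the expected range
            } catch (InvalidKeyException ike) {
                System.out.println("Expected IKE thrown for initSign()");
            }
        }
    }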


Actual results:

Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
        at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:588)
        at java.security.Signature$Delegate.engineSign(Signature.java:1162)
        at java.security.Signature.sign(Signature.java:554)
        at TestDSAKeyLength.main(TestDSAKeyLength.java:65)
        ... 10 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
        at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
        at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:550)
        ... 13 more




Expected results:

First of all, the supported key range for CKM_DSA_SHA1 should be 512 - 1024.
Secondly, if keys outside the supported range are given during the initialization call, it should have failed with an error code such as CKR_KEY_SIZE_RANGE, etc.
Severity: normal → S3
Status: UNCONFIRMED → RESOLVED
Closed: 6 months ago
Resolution: --- → WONTFIX
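
An application-side guard for the behavior requested in the report, as an added example that is not part of the original report and is not NSS or JDK code: it rejects a DSA key outside the 512-1024 bit range before `initSign()`/`initVerify()`, so the failure surfaces as `InvalidKeyException` at initialization instead of `CKR_ARGUMENTS_BAD` at signing time. `DsaSha1KeyGuard` and `requireSha1DsaRange` are hypothetical names, and the sample keys are constructed with the default software provider rather than a PKCS#11 token.

```java
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAParams;

public class DsaSha1KeyGuard {
    // Range the report expects for CKM_DSA_SHA1 (bit length of the prime p).
    static final int MIN_BITS = 512;
    static final int MAX_BITS = 1024;

    // Hypothetical helper: call before Signature.initSign()/initVerify().
    static void requireSha1DsaRange(Key key) throws InvalidKeyException {
        if (!(key instanceof DSAKey) || ((DSAKey) key).getParams() == null) {
            // For example, a sensitive token key that does not expose its parameters.
            throw new InvalidKeyException("Cannot determine DSA key size");
        }
        DSAParams params = ((DSAKey) key).getParams();
        int bits = params.getP().bitLength();
        if (bits < MIN_BITS || bits > MAX_BITS) {
            throw new InvalidKeyException("DSA key size " + bits
                + " outside " + MIN_BITS + "-" + MAX_BITS + " for SHA1withDSA");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys: one inside the range, one outside it.
        for (int size : new int[] {1024, 2048}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
            kpg.initialize(size);
            KeyPair pair = kpg.generateKeyPair();
            try {
                requireSha1DsaRange(pair.getPrivate());
                System.out.println(size + ": accepted");
            } catch (InvalidKeyException ike) {
                System.out.println(size + ": rejected (" + ike.getMessage() + ")");
            }
        }
    }
}
```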