Incorrect key size ranges for SHA1withDSA signature implementation

Status: RESOLVED INACTIVE
NSS, Libraries
Reporter: Valerie Peng, Unassigned
Description

5 years ago
User Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:17.0) Gecko/20100101 Firefox/17.0 (Beta/Release)
Build ID: 20130308103912

Steps to reproduce:

While running my Java app against NSS 3.15.3 release through JDK's PKCS11 provider, I noticed that the supported key size range for CKM_DSA_SHA1 is 512 to 3072 instead of the range of 512 to 1024. However, when I tried to use the signature w/ a 2048-bit DSA key pair, it only errors out with CKR_ARGUMENTS_BAD when signing/verification is performed.

Simple test app:
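    import java.security.InvalidKeyException;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.Signature;

    public class TestDSAKeyLength {
        public static void main(String[] argv) throws Exception {
            // ... generate DSA 2048-bit key pair (setup elided in the report; default provider assumed)
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
            kpg.initialize(2048);
            KeyPair pair2048 = kpg.generateKeyPair();

            boolean status = true;
            Signature sig = Signature.getInstance("SHA1withDSA", "SunPKCS11-NSS");
            try {
                sig.initSign(pair2048.getPrivate()); // 2048 bits is outside 512 - 1024
                status = false; // no exception: the key was accepted at init time
            } catch (InvalidKeyException ike) {
                System.out.println("Expected IKE thrown for initSign()");
            }
        }
    }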


Actual results:

Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
        at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:588)
        at java.security.Signature$Delegate.engineSign(Signature.java:1162)
        at java.security.Signature.sign(Signature.java:554)
        at TestDSAKeyLength.main(TestDSAKeyLength.java:65)
        ... 10 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
        at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
        at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:550)
        ... 13 more




Expected results:

First of all, the supported key range for CKM_DSA_SHA1 should be 512 - 1024.
Secondly, if keys outside the supported range are given during the initialization call, it should have failed with an error code such as CKR_KEY_SIZE_RANGE, etc.
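
A caller-side guard for the behaviour the report expects, where an out-of-range key is rejected at initialization rather than at sign time. This is an added example, not part of the original report and not NSS or JDK code. `DsaKeySizeGuard` and `checkedInitSign` are hypothetical names, the 512 to 1024 range is the one the reporter gives, and the default JDK provider stands in for `SunPKCS11-NSS` so that it runs without a token.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.interfaces.DSAKey;

public class DsaKeySizeGuard {
    // Range the report says CKM_DSA_SHA1 should advertise (bits of the prime p).
    static final int MIN_BITS = 512;
    static final int MAX_BITS = 1024;

    // Hypothetical helper: reject out-of-range keys at init time instead of
    // letting the failure surface later from sign().
    static void checkedInitSign(Signature sig, PrivateKey key) throws InvalidKeyException {
        if (!(key instanceof DSAKey) || ((DSAKey) key).getParams() == null) {
            throw new InvalidKeyException("DSA parameters not available for size check");
        }
        int bits = ((DSAKey) key).getParams().getP().bitLength();
        if (bits < MIN_BITS || bits > MAX_BITS) {
            throw new InvalidKeyException("DSA key size " + bits + " outside "
                    + MIN_BITS + "-" + MAX_BITS + " for " + sig.getAlgorithm());
        }
        sig.initSign(key);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: default JDK providers, so no NSS token is required.
        Signature sig = Signature.getInstance("SHA1withDSA");
        for (int size : new int[] {1024, 2048}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
            kpg.initialize(size);
            KeyPair pair = kpg.generateKeyPair();
            try {
                checkedInitSign(sig, pair.getPrivate());
                sig.update("constructed sample message".getBytes(StandardCharsets.UTF_8));
                System.out.println(size + "-bit key: signed " + sig.sign().length + " bytes");
            } catch (InvalidKeyException ike) {
                System.out.println(size + "-bit key: rejected at init: " + ike.getMessage());
            }
        }
    }
}
```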

Comment 1

a day ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a day ago
Resolution: --- → INACTIVE