How to generate an 2048-bit DSA key pair for Java?

Clouren picture Clouren · Sep 19, 2013 · Viewed 11.3k times · Source

I tried the following methods to generate a DSA private (and public) key with a 2048-bit key length:

Via keytool

keytool -genkeypair -alias MyKeyPair -keyalg DSA -keysize 2048 -validity 365 -keystore MyKeyStore.ks

Resulting in:

keytool error: java.lang.IllegalArgumentException: Modulus size must range from 512 to 1024 and be a multiple of 64

Via code

KeyPairGenerator keyGen = KeyPairGenerator.getInstance(keyAlgorithm,"BC");
keyGen.initialize(numBits);

Resulting in:

Exception in thread "main" java.security.InvalidParameterException: strength must be from 512 - 1024 and a multiple of 64
    at org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi.initialize(Unknown Source)
    at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:340)

Above example uses Bouncy Castle's implementation because somewhere I read it should support 2048-bit DSA keys. I also tried the default one with the same error.

I installed the (JCE) Unlimited Strength Jurisdiction Policy Files. According to this output, you would expect large keys should be possible:

System.out.println("DSA Max key length: " + Cipher.getMaxAllowedKeyLength("DSA"));
DSA Max key length: 2147483647

But if you echeck the Keysize Restrictions in the JCE Providers Docs, 1024-bit is the max.

Who can tell if 2048 bit private key simply not supported in Java 7? Or if there is another way to create a key of this size and import it into a Java Keystore?

The Java 8 API gives away it will support bigger keys. So we might need to wait until next year.

Answer

Paul Crowley picture Paul Crowley · Sep 11, 2014

Java 8 fixes this: http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html "SUN provider: Support for 2048-bit DSA key pair generation and additional signature algorithms for 2048-bit DSA keys such as SHA224withDSA and SHA256withDSA."