I tried the following methods to generate a DSA private (and public) key with a 2048-bit key length:
Via keytool
keytool -genkeypair -alias MyKeyPair -keyalg DSA -keysize 2048 -validity 365 -keystore MyKeyStore.ks
Resulting in:
keytool error: java.lang.IllegalArgumentException: Modulus size must range from 512 to 1024 and be a multiple of 64
Via code
String keyAlgorithm = "DSA";
int numBits = 2048; // requested DSA key size
KeyPairGenerator keyGen = KeyPairGenerator.getInstance(keyAlgorithm, "BC"); // "BC" = Bouncy Castle provider
keyGen.initialize(numBits);
Resulting in:
Exception in thread "main" java.security.InvalidParameterException: strength must be from 512 - 1024 and a multiple of 64
at org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi.initialize(Unknown Source)
at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:340)
The above example uses Bouncy Castle's implementation because somewhere I read it should support 2048-bit DSA keys. I also tried the default one, with the same error.
I installed the (JCE) Unlimited Strength Jurisdiction Policy Files. According to this output, you would expect large keys to be possible:
System.out.println("DSA Max key length: " + Cipher.getMaxAllowedKeyLength("DSA"));
DSA Max key length: 2147483647
But if you check the Keysize Restrictions in the JCE Providers Docs, 1024-bit is the max.
Can anyone tell me whether a 2048-bit private key is simply not supported in Java 7? Or is there another way to create a key of this size and import it into a Java Keystore?
The Java 8 API gives away that it will support bigger keys, so we might need to wait until next year.
Java 8 fixes this: http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html "SUN provider: Support for 2048-bit DSA key pair generation and additional signature algorithms for 2048-bit DSA keys such as SHA224withDSA and SHA256withDSA."
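To show what the Java 8 change means in practice, here is an added example (not code from the question or the answers above) that asks the SUN provider for a 2048-bit DSA key pair, inspects the resulting parameter sizes, and signs and verifies a constructed message with SHA256withDSA. On a Java 7 runtime the initialize() call still throws the InvalidParameterException quoted in the question, which the example catches and reports instead of crashing; the class name, the message bytes and the choice of the SUN provider are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.interfaces.DSAPublicKey;

public class Dsa2048Demo {

    public static void main(String[] args) throws Exception {
        // Ask the default SUN provider explicitly; Java 8 added 2048-bit support here.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", "SUN");
        try {
            kpg.initialize(2048, new SecureRandom());
        } catch (InvalidParameterException e) {
            // This is the failure mode from the question: a Java 7 SUN provider caps DSA at 1024 bits.
            System.err.println("2048-bit DSA not supported by this runtime ("
                    + System.getProperty("java.version") + "): " + e.getMessage());
            return;
        }
        KeyPair kp = kpg.generateKeyPair();

        // Confirm the generated parameters are really 2048-bit (p) rather than a silently reduced size.
        DSAPublicKey pub = (DSAPublicKey) kp.getPublic();
        int pBits = pub.getParams().getP().bitLength();
        int qBits = pub.getParams().getQ().bitLength();
        System.out.println("DSA parameters: p = " + pBits + " bits, q = " + qBits + " bits");

        // Constructed sample message for the signature round trip.
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);

        // SHA256withDSA is one of the signature algorithms Java 8 added for 2048-bit keys.
        Signature signer = Signature.getInstance("SHA256withDSA", "SUN");
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withDSA", "SUN");
        verifier.initVerify(pub);
        verifier.update(msg);
        System.out.println("signature over original message verifies: " + verifier.verify(sig));

        // Flip one bit of the message: the same signature must no longer verify.
        msg[0] ^= 0x01;
        verifier.initVerify(pub);
        verifier.update(msg);
        System.out.println("signature over tampered message verifies: " + verifier.verify(sig));
    }
}
```

Run it with `javac Dsa2048Demo.java && java Dsa2048Demo` on a Java 8 or later JDK. The same runtime also accepts the keytool invocation from the question (`-keyalg DSA -keysize 2048`), since keytool delegates to the same provider; on Java 7 both paths fail with the 512-1024 message shown above.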