JDK-8039921: SHA1WithDSA with key > 1024 bits not working

Atsuhiko Yamanaka atsuhiko.yamanaka at gmail.com
Thu Sep 18 08:50:29 UTC 2014 

Hi there,

We have been developing pure java SSH2 client library named as JSch,
and you may know that it has been integrated and used in Eclipse, NetBeans,
IntelliJ IDEA, ant, Ivy, JGit, etc.

Recently, we have received feed backs that JSch has failed to connect
to some sshds on Java8. After some
investigations, we have found that the problem has been caused by a
problem reported at JDK-8039921[1].

It seems some sshds have been using long key for Digital Signature(SHA1WithDSA).
On Java7(and previous) JSch can handle such a long key successfully,
but on Java8 it can not on Java8,
due to a change by JDK-8039921.  It means Eclipse, NetBeans, IntelliJ
IDEA, ant, Ivy, JGit, etc,
can not connect to those sshds anymore on Java8.  That change has made
huge impacts to those software.

Some developer at Oracle has commented as follows[2],
    For SHA1withDSA signature, DSA keys less than 1024 bits are allowed
    for the sake of backward compatibility.  As for 2048-bit DSA key pairs,
    they should be used with signature algorithms using the SHA-2 family
    of message digests as specified in FIPS 186-3.

>From my understanding, FIPS 186-3 is the standard to use Digital
Signature in Federal Government entities.
So, if JDK's JCE(SunJCE) is used in other entities, it should not been
influenced by that standard.
IMHO, the original motivation of JDK-7044060[3] is to add algorithms
required by Suite B Cryptography,
and it must not intend to force JDK's JCE to be functional only for
Federal Government entities.

Please reopen JDK-8039921, and reconsider to allow to use longer key
for SHA1WithDSA.


[1] https://bugs.openjdk.java.net/browse/JDK-8039921
[2] https://bugs.openjdk.java.net/browse/JDK-8039921?focusedCommentId=13486968&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13486968
[3] https://bugs.openjdk.java.net/browse/JDK-7044060


Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
1-14-20 HONCHO AOBA-KU,
SENDAI, MIYAGI 980-0014 Japan.
Tel +81-22-723-2150
Skype callto://jcraft/
Twitter: http://twitter.com/ymnk
Facebook: http://facebook.com/aymnk

More information about the security-dev mailing list