JDK-8039921: SHA1WithDSA with key > 1024 bits not working

[Atsuhiko Yamanaka]

Hi there,

We have been developing pure java SSH2 client library named as JSch,
and you may know that it has been integrated and used in Eclipse, NetBeans,
IntelliJ IDEA, ant, Ivy, JGit, etc.

Recently we have received feed backs that JSch has failed to connect
to some sshd on Java8.
After some investigations, we have found that the problem been caused
by a problem  reported at JDK-8039921[1].

It seems some sshds have been using long key for Digital Signature(SHA1WithDSA),
and JSch can handle those key successfully on Java7, but, due to a
change by JDK-8039921 on Java8,
it can not connect to those sshds any more on Java8.  It means
Eclipse, NetBeans, IntelliJ IDEA, ant, Ivy, JGit, etc,
can not work for those sshds anymore.  That change has made huge
impacts to those software.

Some developer at Oracle has commented as follows[2],
    For SHA1withDSA signature, DSA keys less than 1024 bits are allowed
    for the sake of backward compatibility.  As for 2048-bit DSA key pairs,
    they should be used with signature algorithms using the SHA-2 family
    of message digests as specified in FIPS 186-3.

>From my understanding, FIPS 186-3 is the standard to use Digital
Signature in Federal Government entities.
So, if JDK's JCE(SunJCE) has been used in other entities, it should
been not influenced by that standard.



[1] https://bugs.openjdk.java.net/browse/JDK-8039921
[2] https://bugs.openjdk.java.net/browse/JDK-8039921?focusedCommentId=13486968&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13486968