Discussion:
Salt length parameter between PSSSignatureSpi and PSSSigner
christophecg .
2014-07-31 08:42:21 UTC
Hello,

I'm using bouncycastle 1.51 and I want to use RSASSA-PSS algorithm to sign
a message. My RSA private key is RSA 4096, the hash function is SHA-512,
the MGF is MGF1 with SHA512 and the salt length is 512 bits. Here is a
little example:

final KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(4096);

final KeyPair kp = kpg.genKeyPair();
final RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
final RSAPrivateKey privateKey = (RSAPrivateKey) kp.getPrivate();
System.out.println(publicKey);
System.out.println(privateKey);

Security.addProvider(new BouncyCastleProvider());

// BC for BouncyCastle
final Signature signer = Signature.getInstance("RSASSA-PSS", "BC");
signer.setParameter(new PSSParameterSpec("SHA-512", "MGF1", new MGF1ParameterSpec("SHA-512"), 512, 1));
final String messageClair = "Hello World !!";
System.out.println("On prepare la signature du message : " + messageClair);

signer.initSign(privateKey);
signer.update(messageClair.getBytes());
final byte[] sign = signer.sign();

When I launch the program, I have this error:
java.lang.IllegalArgumentException: key too small for specified hash and salt lengths
    at org.bouncycastle.crypto.signers.PSSSigner.init(Unknown Source)
    at org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi.engineInitSign(Unknown Source)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1098)
    at java.security.Signature.initSign(Signature.java:485)

It seems there is a problem of conversion: PSSSignatureSpi has a key
length in bits, and the constructor of PSSSigner wants a key length in
bytes. Indeed, the salt length of PSSParameterSpec is in bits, and in the
constructor of PSSSignatureSpi, there is the above code:
this.saltLength = paramSpec.getSaltLength();

And in the engineInitSign function of PSSSignatureSpi:
pss = new org.bouncycastle.crypto.signers.PSSSigner(signer, contentDigest, mgfDigest, saltLength, trailer);

=> There is no conversion to the salt length. I think it is a bug.

Regards,

Christophe
David Hook
2014-07-31 10:12:32 UTC
Try this:

System.err.println(PSSParameterSpec.DEFAULT.getSaltLength());

I'd agree it's a bug, but not where it seems.

The intro JavaDoc is correct, but the JavaDoc later claims that it's
meant to be in bits, although the DEFAULT parameter is clearly returning
the length in bytes. To the best of my knowledge this has been like this
since JDK 1.5 but it's never been fixed.

Regards,

David
christophecg .
2014-07-31 14:17:04 UTC
So if I want to have a salt length of 512 bits in PSSSigner, I must
initialize PSSParameterSpec with a salt length of 64? And correct the code
if a release of PSSParameterSpec will come?

Regards,

Christophe
David Hook
2014-07-31 21:01:03 UTC
Yes, I'd use 64. The "good news" is it's the JavaDoc that's wrong, not
the code in this case - the PSSParameterSpec is based on an ASN.1
structure that uses a byte length for the salt. It doesn't really make
sense to express it in bits.

Regards,

David
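
The resolution of this thread as an added example (not code from the posters or from the BouncyCastle project): the salt length is passed in bytes and checked against the EMSA-PSS bound before the Signature object is initialised. The helper names maxSaltBytes and sha512Spec are hypothetical; it assumes the BouncyCastle provider jar is on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class PssSaltLengthDemo {
    // EMSA-PSS (RFC 8017, section 9.1.1) requires emLen >= hLen + sLen + 2,
    // where emLen = ceil((modBits - 1) / 8). All lengths are in bytes.
    static int maxSaltBytes(int modBits, int hashBytes) {
        int emLen = (modBits - 1 + 7) / 8;
        return emLen - hashBytes - 2;
    }

    // Hypothetical helper: SHA-512 / MGF1-SHA-512 spec with the salt in BYTES,
    // rejected up front when it cannot fit the key instead of failing in initSign.
    static PSSParameterSpec sha512Spec(int modBits, int saltBytes) {
        int max = maxSaltBytes(modBits, 64);
        if (saltBytes < 0 || saltBytes > max) {
            throw new IllegalArgumentException("salt of " + saltBytes
                + " bytes does not fit a " + modBits + "-bit key (max " + max + ")");
        }
        return new PSSParameterSpec("SHA-512", "MGF1", MGF1ParameterSpec.SHA512, saltBytes, 1);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(4096);
        KeyPair kp = kpg.generateKeyPair();
        int modBits = ((RSAPublicKey) kp.getPublic()).getModulus().bitLength();
        byte[] msg = "Hello World !!".getBytes(StandardCharsets.UTF_8); // constructed sample

        PSSParameterSpec spec = sha512Spec(modBits, 512 / 8); // 512-bit salt = 64 bytes
        Signature signer = Signature.getInstance("RSASSA-PSS", "BC");
        signer.setParameter(spec);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("RSASSA-PSS", "BC");
        verifier.setParameter(spec); // the verifier must use the same salt length
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        System.out.println("verified = " + verifier.verify(sig));
        System.out.println("max salt bytes = " + maxSaltBytes(modBits, 64));
    }
}
```

Passing 512 to sha512Spec for this key is rejected by the helper, which is the same condition that produced "key too small for specified hash and salt lengths" in the original post.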