How to generate a 2048-bit DSA key pair for Java?

Tags:

java

security

dsa

I tried the following methods to generate a DSA private (and public) key with a 2048-bit key length:

Via keytool

keytool -genkeypair -alias MyKeyPair -keyalg DSA -keysize 2048 -validity 365 -keystore MyKeyStore.ks

Resulting in:

keytool error: java.lang.IllegalArgumentException: Modulus size must range from 512 to 1024 and be a multiple of 64

Via code

// keyAlgorithm is "DSA" and numBits is 2048 in this attempt; "BC" selects the Bouncy Castle provider
KeyPairGenerator keyGen = KeyPairGenerator.getInstance(keyAlgorithm, "BC");
keyGen.initialize(numBits);

Resulting in:

Exception in thread "main" java.security.InvalidParameterException: strength must be from 512 - 1024 and a multiple of 64
    at org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi.initialize(Unknown Source)
    at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:340)

The above example uses Bouncy Castle's implementation because I read somewhere that it should support 2048-bit DSA keys. I also tried the default provider, with the same error.

I installed the (JCE) Unlimited Strength Jurisdiction Policy Files. According to this output, you would expect large keys to be possible:

System.out.println("DSA Max key length: " + Cipher.getMaxAllowedKeyLength("DSA"));
DSA Max key length: 2147483647

But if you check the Keysize Restrictions in the JCE Providers Docs, 1024-bit is the max.

Can anyone tell me whether a 2048-bit private key is simply not supported in Java 7? Or whether there is another way to create a key of this size and import it into a Java Keystore?

The Java 8 API gives away it will support bigger keys. So we might need to wait until next year.

Clouren asked Sep 19 '13 08:09


2 Answers

Java 8 fixes this: http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html "SUN provider: Support for 2048-bit DSA key pair generation and additional signature algorithms for 2048-bit DSA keys such as SHA224withDSA and SHA256withDSA."

Paul Crowley answered Oct 18 '22 23:10
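The following is an added example, not code from either answer or from the original question, showing what the Java 8 change referred to above makes possible with the default (SUN) provider: it requests a 2048-bit DSA key pair, reads the real modulus size back from the generated public key (rather than relying on Cipher.getMaxAllowedKeyLength, which reports the jurisdiction policy ceiling and not what a provider can actually generate), and then signs and verifies a constructed message with SHA256withDSA, one of the algorithms named in the Java 8 release notes. On a Java 7 runtime the 2048-bit request fails in initialize() with the InvalidParameterException seen in the question; the example catches it and reports the provider rather than crashing. The class name and the sample message are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.interfaces.DSAPublicKey;

public class Dsa2048Demo {

    // Generates a DSA key pair of the requested size with the default provider.
    // Java 7's SUN provider rejects anything above 1024 bits in initialize();
    // that failure is caught and reported with the provider name.
    static KeyPair generate(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        try {
            kpg.initialize(bits, new SecureRandom());
        } catch (InvalidParameterException e) {
            throw new IllegalStateException(bits + "-bit DSA is not supported by provider "
                    + kpg.getProvider().getName()
                    + " (Java 8 or later is needed for 2048-bit DSA): " + e.getMessage(), e);
        }
        return kpg.generateKeyPair();
    }

    // Reads the modulus size from the generated public key instead of trusting
    // the requested size; p is the DSA prime modulus.
    static int modulusBits(KeyPair kp) {
        DSAPublicKey pub = (DSAPublicKey) kp.getPublic();
        return pub.getParams().getP().bitLength();
    }

    // Signs and verifies a message with SHA256withDSA, which pairs a 256-bit hash
    // with the 256-bit subgroup used by 2048-bit DSA parameters.
    static boolean signAndVerify(KeyPair kp, byte[] message) throws Exception {
        Signature signer = Signature.getInstance("SHA256withDSA");
        signer.initSign(kp.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generate(2048);
        System.out.println("DSA modulus size: " + modulusBits(kp) + " bits");
        // Constructed sample input for the demonstration.
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        System.out.println("SHA256withDSA verifies: " + signAndVerify(kp, msg));
    }
}
```

The keytool equivalent on Java 8 is the command from the question with the signature algorithm made explicit, i.e. adding -sigalg SHA256withDSA to -keyalg DSA -keysize 2048, so that the self-signed certificate in the keystore is not signed with SHA1withDSA. Checking modulusBits() (or the certificate's public key parameters in the keystore) is the reliable way to confirm the size you got; the Cipher.getMaxAllowedKeyLength value from the question only reflects the installed jurisdiction policy.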


Because the maximum key length allowed is 1024 bits, you are getting an exception "Modulus size must be between 512..1024..", which refers to the key size. You can download the JCE Unlimited Strength Jurisdiction Policy files for your Java version (7 or 8) from Oracle's official site. But you should know that 1024 bits is enough for digital signature algorithms.

M.Veli answered Oct 18 '22 23:10