CVE-2016-1000343
Description
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DSA key pair generator in Bouncy Castle JCE Provider versions 1.55 and earlier produces weak private keys when not explicitly initialized, reducing security to 1024-bit keys.
Vulnerability
The DSA key pair generator in the Bouncy Castle JCE Provider version 1.55 and earlier generates a weak private key if used with default values. When the JCA key pair generator is not explicitly initialized with DSA parameters, versions 1.55 and earlier generate a private value assuming a 1024-bit key size, which is below modern security standards. This affects the default behavior of the provider, leading to insufficient cryptographic strength [4].
Exploitation
An attacker does not need any special network position or authentication to exploit this weakness; the vulnerability is triggered simply by using the default DSA key pair generation without providing explicit parameters. Any application relying on the Bouncy Castle JCE Provider to generate DSA keys with default settings will produce keys weaker than intended. The attacker can potentially mount offline attacks on the generated private key due to its reduced strength [4].
Impact
On successful exploitation, the attacker can recover the weak private key, leading to a complete compromise of the confidentiality and integrity of communications protected by that key. The attacker can forge signatures, decrypt messages, or impersonate the key owner. The security of the entire system relying on these keys is undermined [4].
Mitigation
Mitigation is available by explicitly passing parameters to the key pair generator before generating keys, ensuring a secure key size is used. The issue is fixed in Bouncy Castle JCE Provider version 1.56. Red Hat has released patches as part of RHSA-2018:2669 and RHSA-2018:2927 for affected products. Users should update to version 1.56 or later, or ensure that DSA parameters are always explicitly specified [1][3][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.bouncycastle:bcprov-jdk14Maven | < 1.56 | 1.56 |
org.bouncycastle:bcprov-jdk15Maven | < 1.56 | 1.56 |
org.bouncycastle:bcprov-jdk15onMaven | < 1.56 | 1.56 |
Affected products
4- ghsa-coords4 versionspkg:maven/org.bouncycastle/bcprov-jdk14pkg:maven/org.bouncycastle/bcprov-jdk15pkg:maven/org.bouncycastle/bcprov-jdk15onpkg:rpm/opensuse/bouncycastle&distro=openSUSE%20Tumbleweed
< 1.56+ 3 more
- (no CPE)range: < 1.56
- (no CPE)range: < 1.56
- (no CPE)range: < 1.56
- (no CPE)range: < 1.68-3.2
Patches
150a53068c094updated default DSA parameters to follow 186-4
2 files changed · +114 −3
prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java+67 −3 modified@@ -6,18 +6,26 @@ import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; import java.security.spec.DSAParameterSpec; +import java.util.Hashtable; import org.bouncycastle.crypto.AsymmetricCipherKeyPair; +import org.bouncycastle.crypto.digests.SHA256Digest; import org.bouncycastle.crypto.generators.DSAKeyPairGenerator; import org.bouncycastle.crypto.generators.DSAParametersGenerator; import org.bouncycastle.crypto.params.DSAKeyGenerationParameters; +import org.bouncycastle.crypto.params.DSAParameterGenerationParameters; import org.bouncycastle.crypto.params.DSAParameters; import org.bouncycastle.crypto.params.DSAPrivateKeyParameters; import org.bouncycastle.crypto.params.DSAPublicKeyParameters; +import org.bouncycastle.util.Integers; +import org.bouncycastle.util.Properties; public class KeyPairGeneratorSpi extends java.security.KeyPairGenerator { + private static Hashtable params = new Hashtable(); + private static Object lock = new Object(); + DSAKeyGenerationParameters param; DSAKeyPairGenerator engine = new DSAKeyPairGenerator(); int strength = 1024; @@ -41,6 +49,7 @@ public void initialize( this.strength = strength; this.random = random; + this.initialised = false; } public void initialize( @@ -64,10 +73,65 @@ public KeyPair generateKeyPair() { if (!initialised) { - DSAParametersGenerator pGen = new DSAParametersGenerator(); + Integer paramStrength = Integers.valueOf(strength); + + if (params.containsKey(paramStrength)) + { + param = (DSAKeyGenerationParameters)params.get(paramStrength); + } + else + { + synchronized (lock) + { + // we do the check again in case we were blocked by a generator for + // our key size. + if (params.containsKey(paramStrength)) + { + param = (DSAKeyGenerationParameters)params.get(paramStrength); + } + else + { + DSAParametersGenerator pGen; + DSAParameterGenerationParameters dsaParams; + + // Typical combination of keysize and size of q. + // keysize = 1024, q's size = 160 + // keysize = 2048, q's size = 224 + // keysize = 2048, q's size = 256 + // keysize = 3072, q's size = 256 + // For simplicity if keysize is greater than 1024 then we choose q's size to be 256. + // For legacy keysize that is less than 1024-bit, we just use the 186-2 style parameters + if (strength == 1024) + { + pGen = new DSAParametersGenerator(); + if (Properties.isOverrideSet("org.bouncycastle.dsa.FIPS186-2for1024bits")) + { + pGen.init(strength, certainty, random); + } + else + { + dsaParams = new DSAParameterGenerationParameters(1024, 160, certainty, random); + pGen.init(dsaParams); + } + } + else if (strength > 1024) + { + dsaParams = new DSAParameterGenerationParameters(strength, 256, certainty, random); + pGen = new DSAParametersGenerator(new SHA256Digest()); + pGen.init(dsaParams); + } + else + { + pGen = new DSAParametersGenerator(); + pGen.init(strength, certainty, random); + } + param = new DSAKeyGenerationParameters(random, pGen.generateParameters()); + + params.put(paramStrength, param); + } + } + } - pGen.init(strength, certainty, random); - param = new DSAKeyGenerationParameters(random, pGen.generateParameters()); engine.init(param); initialised = true; }
prov/src/test/java/org/bouncycastle/jce/provider/test/DSATest.java+47 −0 modified@@ -20,6 +20,7 @@ import java.security.Security; import java.security.Signature; import java.security.SignatureException; +import java.security.interfaces.DSAParams; import java.security.interfaces.DSAPrivateKey; import java.security.interfaces.DSAPublicKey; import java.security.spec.DSAParameterSpec; @@ -1294,6 +1295,51 @@ private void testDSA2Parameters() } } + private void testKeyGeneration(int keysize) + throws Exception + { + KeyPairGenerator generator = KeyPairGenerator.getInstance("DSA", "BC"); + generator.initialize(keysize); + KeyPair keyPair = generator.generateKeyPair(); + DSAPrivateKey priv = (DSAPrivateKey)keyPair.getPrivate(); + DSAParams params = priv.getParams(); + isTrue("keysize mismatch", keysize == params.getP().bitLength()); + // The NIST standard does not fully specify the size of q that + // must be used for a given key size. Hence there are differences. + // For example if keysize = 2048, then OpenSSL uses 256 bit q's by default, + // but the SUN provider uses 224 bits. Both are acceptable sizes. + // The tests below simply asserts that the size of q does not decrease the + // overall security of the DSA. + int qsize = params.getQ().bitLength(); + switch (keysize) + { + case 1024: + isTrue("Invalid qsize for 1024 bit key:" + qsize, qsize >= 160); + break; + case 2048: + isTrue("Invalid qsize for 2048 bit key:" + qsize, qsize >= 224); + break; + case 3072: + isTrue("Invalid qsize for 3072 bit key:" + qsize, qsize >= 256); + break; + default: + fail("Invalid key size:" + keysize); + } + // Check the length of the private key. + // For example GPG4Browsers or the KJUR library derived from it use + // q.bitCount() instead of q.bitLength() to determine the size of the private key + // and hence would generate keys that are much too small. + isTrue("privkey error", priv.getX().bitLength() >= qsize - 32); + } + + private void testKeyGenerationAll() + throws Exception + { + testKeyGeneration(1024); + testKeyGeneration(2048); + testKeyGeneration(3072); + } + public void performTest() throws Exception { @@ -1331,6 +1377,7 @@ public void performTest() testNullParameters(); testValidate(); testModified(); + testKeyGenerationAll(); } protected BigInteger[] derDecode(
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
13- access.redhat.com/errata/RHSA-2018:2669ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2018:2927ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-rrvx-pwf8-p59pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-1000343ghsaADVISORY
- usn.ubuntu.com/3727-1/mitrevendor-advisoryx_refsource_UBUNTU
- github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389ghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2018/07/msg00009.htmlghsamailing-listx_refsource_MLISTWEB
- security.netapp.com/advisory/ntap-20181127-0004ghsaWEB
- security.netapp.com/advisory/ntap-20181127-0004/mitrex_refsource_CONFIRM
- usn.ubuntu.com/3727-1ghsaWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.