CVE-2016-1000343

In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

References

Affected packages

Git / github.com/bcgit/bc-java

Affected ranges

Type: GIT
Repo: https://github.com/bcgit/bc-java
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

50a53068c094d6cff37659da33c9b4505becd389

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2016-1000343-205ba2dd",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "272960272851457067213669225105609542617",
                    "40437591993253917580729287954800812592",
                    "244117597628187691213480854404577928477",
                    "256388720511189596835617265611611441182",
                    "144834174902876871041848359847103006795",
                    "109391545642665904104121926837062339161",
                    "329942142184009405323326196099659975311",
                    "44638415618053903489688011888839369597",
                    "279435678809771383110381504409095219915",
                    "149260297816348481157597294695995565899",
                    "135202963780410441307750029108679602867"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "prov/src/test/java/org/bouncycastle/jce/provider/test/DSATest.java"
            },
            "source": "https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-1000343-394025c5",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "13355290723725349368745329989347618543",
                    "132012456049536062486610142113253442680",
                    "266566135274626677248422357772359090099",
                    "67951718911132861200676972530867716392",
                    "123227893897903794997018758524343559168",
                    "125072645518652505202624749001375164121",
                    "107204242373676434483157988757460451279",
                    "234440885163403474179705305683870469747",
                    "227689743794388119601251283389931386220",
                    "46437445457244463402399530235552491256",
                    "233676737684436282642951948705719036399",
                    "262957240772312990909155497255796045702",
                    "161559031118209141837246876192847496487",
                    "124081888484579726664893620713637938254",
                    "258117312511801216931746282811598433286",
                    "155765287899303234545320164174264001128",
                    "177791379852089713076714863354421810584",
                    "71385015115912219243897975170110225611",
                    "216952351133835419405455233238767730185",
                    "318764821106349202931912140848248088135",
                    "89337051256361544191950482851091403204",
                    "117424738161216075649616111895930893878",
                    "293054463246076210814968644804689224777",
                    "145743308941858415062268333078653912371"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java"
            },
            "source": "https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-1000343-9d31b4a6",
            "signature_type": "Function",
            "digest": {
                "function_hash": "73808229874167972886948173315043521400",
                "length": 2337.0
            },
            "target": {
                "file": "prov/src/test/java/org/bouncycastle/jce/provider/test/DSATest.java",
                "function": "performTest"
            },
            "source": "https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-1000343-ccf1950b",
            "signature_type": "Function",
            "digest": {
                "function_hash": "13749231353833127326132574748037856164",
                "length": 421.0
            },
            "target": {
                "file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java",
                "function": "generateKeyPair"
            },
            "source": "https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2016-1000343-e28e69a3",
            "signature_type": "Function",
            "digest": {
                "function_hash": "73127320062142693310826675929981259371",
                "length": 312.0
            },
            "target": {
                "file": "prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java",
                "function": "initialize"
            },
            "source": "https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389",
            "signature_version": "v1",
            "deprecated": false
        }
    ]
}