Add documentation and address feedback

corretto · Aug 14, 2023 · 3ea9e33 · 3ea9e33
1 parent 516d95a
commit 3ea9e33
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 8 deletions.
diff --git a/DIFFERENCES.md b/DIFFERENCES.md
@@ -40,6 +40,14 @@ ACCP cannot make any promises that its default key sizes match the defaults of *
 Because no providers have guarantees around the uninitialized behavior of `KeyPairGenerators` it is generally fragile for your application to use a `KeyPairGenerator` without initialization.
 For this reason, even if you don't use ACCP, we recommend that you always call the [KeyPairGenerator.initialize(AlgorithmParameterSpec params)](https://docs.oracle.com/javase/8/docs/api/java/security/KeyPairGenerator.html#initialize-java.security.spec.AlgorithmParameterSpec-) prior to generating a key pair.
 
+## Supported RSA key sizes for generation.
+Aws-lc (our underlying cryptographic implementation) does not support generating arbitrary RSA key sizes.
+Specifically, it requires that [bit-lengths are a multiple of 128](https://github.com/aws/aws-lc/blob/25260d785f6e2eaf3c5f5dce83cf92c272f0a8b1/crypto/fipsmodule/rsa/rsa_impl.c#L1168-L1171).
+For better compatibility with applications, when in *non-FIPS mode*, ACCP will round bit-lengths up to the nearest multiple of 128.
+This way we will not throw exceptions at runtime and will give our callers at least as much security as requested.
+This is different from the default JDK provider which will attempt to generate a key of the exact requested bit-length.
+In FIPS mode will will only return keys of the exact requested length.
+
 ## Elliptic Curve KeyPairGeneration by curve size
 Neither the JCE nor the default OpenJDK provider for Elliptic Curve Cryptography (SunEC) specify the effect of calling `KeyPairGenerator.initialize(int keysize)` with an arbitrary value.
 This behavior is fully specified only for values of 192, 224, 256, 384, and 521.

diff --git a/csrc/rsa_gen.cpp b/csrc/rsa_gen.cpp
@@ -21,14 +21,6 @@ JNIEXPORT jlong JNICALL Java_com_amazon_corretto_crypto_provider_RsaGen_generate
     try {
         raii_env env(pEnv);
 
-        // AWS-LC requires that the bitlength be a multiple of 128 and will round down.
-        // We want to guarantee that we return a key of at least the requested strength and so must
-        // round up.
-        jint rounded_bits = bits & ~127;
-        if (rounded_bits < bits) {
-            bits += 128;
-        }
-
         if (FIPS_mode() == 1) {
             // RSA_generate_key_fips performs extra checks so there is no need
             // to run post generation checks. This API generates keys with
@@ -38,6 +30,14 @@ JNIEXPORT jlong JNICALL Java_com_amazon_corretto_crypto_provider_RsaGen_generate
                 throw_openssl("Unable to generate key");
             }
         } else {
+            // AWS-LC requires that the bitlength be a multiple of 128 and will round down.
+            // We want to guarantee that we return a key of at least the requested strength and so must
+            // round up. We only do this in the non-FIPS branch because in FIPS mode we want to do
+            // exactly what the application requests.
+            if (bits % 128 != 0) {
+                bits += 128;
+            }
+
             BigNumObj bne;
             jarr2bn(env, pubExp, bne);