RSA Key Generation: computation of iterations for MR Primality Test
Standard FIPS PUB 186-4 defines the necessary rounds of M-R testing when generating primes for use in RSA digital signatures. The implementation of RsaKeyPairGenerator contains a method that is responsible for providing the number of rounds required to ensure an error probability of 2^(-100) according to FIPS PUB 186-4, Table C.3 (RsaKeyPairGenerator::getNumberOfIterations()).
The error occurs in the use of the method RsaKeyPairGenerator::getNumberOfIterations(). This method expects the bit length of the number to be tested as parameter 1. Instead, the implementation uses the length of the key to be generated (e.g. 1024 bits), but FIPS 186-4, Table C.3 makes a statement about the length of the prime factors p and q. They should usually have a length of something like key_length/2. Especially for keys with a key length of less than 2048 bits, the required number of iterations should be 7; instead, the implementation delivers a value of 4 (which would, in our opinion, be correct for key sizes from 2048 bits).
In RsaKeyPairGenerator::init(), the use of RsaKeyPairGenerator::getNumberOfIterations() should be corrected to use an estimated bit length of p and q, or the estimation should be computed when p and q have been generated.
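
The mismatch described in this report, as a stand-alone Python sketch added here (it is not the code of RsaKeyPairGenerator, and all function names are hypothetical). The 7 and 4 round counts are the ones quoted above, the 3-round row for 1536-bit primes is taken from FIPS 186-4 Table C.3, and treating each row as a minimum prime length is an assumption.

```python
import random

# FIPS 186-4 Table C.3, "M-R tests only", error probability 2^-100, as
# (minimum bit length of p and q, rounds). Reading each row as a lower
# bound on the prime length is an assumption of this sketch.
TABLE_C3_2_100 = [(1536, 3), (1024, 4), (512, 7)]

def mr_rounds(prime_bits):
    """Rounds for a candidate prime of prime_bits bits (not the modulus size)."""
    for min_bits, rounds in TABLE_C3_2_100:
        if prime_bits >= min_bits:
            return rounds
    raise ValueError("Table C.3 has no row for primes under 512 bits")

def rounds_buggy(key_bits):
    # Behaviour described in the report: the key (modulus) length is passed in.
    return mr_rounds(key_bits)

def rounds_fixed(key_bits):
    # First proposed fix: estimate the length of p and q as key_bits / 2.
    return mr_rounds(key_bits // 2)

def miller_rabin(n, rounds, rng=random.SystemRandom()):
    """Miller-Rabin with `rounds` random bases; True means probably prime."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base is a witness: n is composite
    return True

def check_prime(candidate):
    # Second proposed fix: size the test from the generated prime itself.
    return miller_rabin(candidate, mr_rounds(candidate.bit_length()))

def audit(key_sizes=(1024, 1536, 2048, 3072)):
    """Return (key_bits, buggy_rounds, required_rounds) where the two differ."""
    return [(k, rounds_buggy(k), rounds_fixed(k)) for k in key_sizes
            if rounds_buggy(k) != rounds_fixed(k)]
```
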