Frequently Asked Questions

Is CTR cipher mode compatible with Java?

Yes. When you instantiate your AES cipher in Java:

Cipher  cipher = Cipher.getInstance("AES/CTR/NoPadding");

SecretKeySpec keySpec = new SecretKeySpec(new byte[16], "AES");
IvParameterSpec ivSpec = new IvParameterSpec(new byte[16]);

cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);

You are effectively using CTR mode without a fixed nonce and with a 128-bit big endian counter starting at 0. The counter will wrap around only after 2¹²⁸ blocks.

You can replicate the same keystream in PyCryptodome with:

ivSpec = b'\x00' * 16
ctr =, AES.MODE_CTR, initial_value=ivSpec, nonce=b'')

Are RSASSA-PSS signatures compatible with Java?

Yes. For Java, you must consider that by default the mask is generated by MGF1 with SHA-1 (regardless of how you hash the message) and the salt is 20 bytes long.

If you want to use another algorithm or another salt length, you must instantiate a PSSParameterSpec object, for instance:

Signature ss = Signature.getInstance("SHA256withRSA/PSS");
AlgorithmParameters pss1 = ss.getParameters();
PSSParameterSpec pssParameterSpec = new PSSParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), 32, 0xBC);

Are RSASSA-PSS signatures compatible with OpenSSL?

Yes, but one quirk of OpenSSL (and of a few other libraries, especially if they are wrappers to OpenSSL) is that the salt length is computed in two possible ways:

Salt length

Value for EVP_PKEY_CTX_set_rsa_pss_saltlen()

openssl pkeyutl command

Same as digest size


-pkeyopt rsa_pss_saltlen:digest



-pkeyopt rsa_pss_saltlen:max

In PyCryptodome, the salt length matches the digest size by default (which is what RFC8017 recommends). However, you can also maximize the salt length with:

key = RSA.import_key(open('privkey.der').read())
h =
max_salt_bytes = key.size_in_bytes() - h.digest_size - 2
signature =, salt_bytes=max_salt_bytes).sign(h)

Why do I get the error No module named Crypto on Windows?

Check the directory where Python packages are installed, like:


You might find a directory named crypto, with all the PyCryptodome files in it.

The most likely cause is described here and you can fix the problem with:

pip uninstall crypto
pip uninstall pycryptodome
pip install pycryptodome

The root cause is that, in the past, you most likely have installed an unrelated but similarly named package called crypto, which happens to operate under the namespace crypto.

The Windows filesystem is case-insensitive so crypto and Crypto are effectively considered the same thing. When you subsequently install pycryptodome, pip finds that a directory named with the target namespace already exists (under the rules of the underlying filesystem), and therefore installs all the sub-packages of pycryptodome in it. This is probably a reasonable behavior, if it wasn’t that pip does not issue any warning even if it could detect the issue.

Why does strxor raise TypeError: argument 2 must be bytes, not bytearray?

Most probably you have installed both the pycryptodome and the old pycrypto packages.

Run pip uninstall pycrypto and try again.

The old PyCrypto shipped with a strxor module written as a native library (.so or .dll file). If you install pycryptodome, the old native module will still take priority over the new Python extension that comes in the latter.

Why do I get a translation_unit_or_empty undefined error with pycparser?

Unfortunately,``pycparser`` does not work with optimzed (-O) Python builds, which strips out the docstrings, causing this error. This is a known issue and it will not be fixed.

The possible workarounds are:

  • Do not run Python iwth -O

  • Remove cffi and cparser. PyCryptodome will fall back to ctypes for interfacing with the native modules.

  • Use an earlier version of cparser (2.14)