RFR CSR for 8213400: Support choosing curve name in keytool keypair generation
Xuelei Fan
xuelei.fan at oracle.com
Tue Nov 6 16:00:03 UTC 2018
As -curvename is a new option, I would second the comments that don't
allow mixing curve names and keysize at the same time.
Xuelei
On 11/5/2018 11:41 PM, Bernd Eckenfels wrote:
> Hello,
>
> I would agree ignoring an (conflicting) option adds confusion. When
> specifying a curve is a new feature we don’t need to worry about beeing
> compatible, therefore I would forbid mixing curve names and keysize at
> all (even when the size matches).
>
> I guess we cannot remove the option to only pass the keysize (to have
> the generator pick a curve) to stay compatible. But the chosen curve
> should be printed, and I would also deprecate this usage.
>
> I guess clarifying the keysize-only init() method would be a different
> topic, but something like deprecating it and restricting the selection
> to „SunEC only selects NIST prime curves“ would be a good thing.
>
> Gruss
> Bernd
>
>
>
> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
> ------------------------------------------------------------------------
> *Von:* security-dev <security-dev-bounces at openjdk.java.net> im Auftrag
> von Xuelei Fan <xuelei.fan at oracle.com>
> *Gesendet:* Dienstag, November 6, 2018 7:38 AM
> *An:* Weijun Wang
> *Cc:* security-dev at openjdk.java.net
> *Betreff:* Re: RFR CSR for 8213400: Support choosing curve name in
> keytool keypair generation
> On 11/5/2018 8:37 PM, Weijun Wang wrote:
> >
> >> On Nov 6, 2018, at 12:12 PM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> >>
> >> On 11/5/2018 7:13 PM, Weijun Wang wrote:
> >>> Please take a review at the CSR at
> >>> https://bugs.openjdk.java.net/browse/JDK-8213401
> >>> As for implementation, I intend to report an error when -keyalg is
> not EC but -curvename is provided. If both -curvename and -keysize are
> provided, I intend to ignore -keysize no matter if they match or not.
> >> Why not use a strict mode: fail if not match. It might be misleading
> if ignoring unmatched options.
> >
> > We can do that, but misleading to what? That we treat -curvename and
> -keysize the same important?
> >
> If the option "-keysize 256 -curvename sect163k1" work, I may think that
> the key size if 256 bits. I want to create a 256 bits sect163k1 EC key,
> and the tool allows this behavior, so I should get a 256 bits sect163k1
> EC key. Sure, that's incorrect, but I don't know it is incorrect as the
> tool ignore the key size. What's the problem of the command, I don't
> know either unless I clearly understand sect163k1 is not 256 bits. The
> next question to me, what's the key size actually is? 256 bits or 163
> bits? which option are used? It adds more confusing to me.
>
> We can ignore the -keysize option, but it is complicated to me to use
> the tool.
>
> >>
> >>> Another question: in sun.security.util.CurveDB, we have
> >>> // Return EC parameters for the specified field size. If there are
> known
> >>> // NIST recommended parameters for the given length, they are
> returned.
> >>> // Otherwise, if there are multiple matches for the given size, an
> >>> // arbitrary one is returns.
> >>> // If no parameters are known, the method returns null.
> >>> // NOTE that this method returns both prime and binary curves.
> >>> static NamedCurve lookup(int length) {
> >>> return lengthMap.get(length);
> >>> }
> >>> FIPS 186-4 has 2 recommendations (K- and B-) for a binary curve
> field size. Do we have a choice?
> >>> In fact, CurveDB.java seems to have a bug when adding the curves:
> >>> add("sect163k1 [NIST K-163]", "1.3.132.0.1", BD,...
> >>> add("sect163r2 [NIST B-163]", "1.3.132.0.15", BD,... // Another
> default?
> >>> add("sect233k1 [NIST K-233]", "1.3.132.0.26", BD,...
> >>> add("sect233r1 [NIST B-233]", "1.3.132.0.27", B,...
> >>> and now 163 is sect163r2 and 233 is sect233k1.
> >>> I assume we should always prefer the K- one?
> >> TLS 1.3 uses secp256r1/secp384r1/secp521r1, no K- curves.
> >
> > There is no ambiguity for prime curves.
> >
> >>
> >> Do you mean if no -curvename option, there is a need to choose a
> named curve?
> >
> > ECKeyPairGenerator::initialize(int) will choose one and keytool will
> use it. I just meant if we have a bug here and if we should be more
> public on what curve is chosen.
> >
> I see your concerns.
>
> It might be a potential issue if we use a named curve if no curvename
> specified. If the compatibility is not serious, I may suggest supported
> named curves only, or use arbitrary curves but with a warning.
>
> Xuelei
More information about the security-dev
mailing list