RFR CSR for 8213400: Support choosing curve name in keytool keypair generation

Weijun Wang weijun.wang at oracle.com
Thu Nov 8 03:05:48 UTC 2018

In CurveDB.java, we have

add("secp256r1 [NIST P-256, X9.62 prime256v1]", "1.2.840.10045.3.1.7", PD,
    1, nameSplitPattern);

So the aliases of secp256r1 are now "NIST P-256" and "X9.62 prime256v1". Do we really want to keep the organization name prefix after JDK-8208156? The alias can be used in ECGenParameterSpec and the proposed keytool -groupname option.

The following shows this behavior.

> jshell> KeyPairGenerator.getInstance("EC")
> $3 ==> java.security.KeyPairGenerator$Delegate@64bfbc86
> jshell> $3.initialize(new ECGenParameterSpec("secp256r1"))
> jshell> $3.initialize(new ECGenParameterSpec("prime256v1"))
> |  Exception java.security.InvalidAlgorithmParameterException: Unknown curve name: prime256v1
> |        at ECKeyPairGenerator.initialize (ECKeyPairGenerator.java:103)
> |        at KeyPairGenerator$Delegate.initialize (KeyPairGenerator.java:699)
> |        at KeyPairGenerator.initialize (KeyPairGenerator.java:436)
> |        at (#6:1)
> jshell> $3.initialize(new ECGenParameterSpec("X9.62 prime256v1"))


> On Nov 7, 2018, at 11:48 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
> CSR updated. With such a generalized option, I won't recommend -groupname over -keysize now, although I still intend to print some warning for EC.
> Please take a review.
> Thanks
> Max
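
Added example (not part of the original message or of the JDK sources): a small Java program that checks which of the names from the CurveDB entry above the running JDK accepts in ECGenParameterSpec, and whether each accepted name resolves to the same parameters as secp256r1. The class and method names are hypothetical, and which names are accepted depends on the JDK build.

```java
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;

public class CurveAliasCheck {
    // Names and OID taken from the CurveDB entry and the jshell session in the message.
    static final String[] NAMES = {
        "secp256r1", "prime256v1", "X9.62 prime256v1", "NIST P-256", "1.2.840.10045.3.1.7"
    };

    /** Resolves a curve name to its parameters, or returns null if the provider rejects it. */
    static ECParameterSpec resolve(String name) {
        try {
            AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
            ap.init(new ECGenParameterSpec(name));
            return ap.getParameterSpec(ECParameterSpec.class);
        } catch (GeneralSecurityException e) {
            return null; // unknown name or no EC provider
        }
    }

    /** True if KeyPairGenerator.initialize accepts the name (the call used in the jshell session). */
    static boolean acceptedByKeyPairGenerator(String name) {
        try {
            KeyPairGenerator.getInstance("EC").initialize(new ECGenParameterSpec(name));
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** Compares the full domain parameters, not just the name. */
    static boolean sameCurve(ECParameterSpec a, ECParameterSpec b) {
        return a != null && b != null
            && a.getCurve().equals(b.getCurve())
            && a.getGenerator().equals(b.getGenerator())
            && a.getOrder().equals(b.getOrder())
            && a.getCofactor() == b.getCofactor();
    }

    public static void main(String[] args) {
        ECParameterSpec reference = resolve("secp256r1");
        for (String name : NAMES) {
            System.out.printf("%-22s keygen=%-5b sameAsSecp256r1=%b%n",
                name, acceptedByKeyPairGenerator(name), sameCurve(resolve(name), reference));
        }
    }
}
```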
