RFR CSR for 8213400: Support choosing curve name in keytool keypair generation

Xuelei Fan xuelei.fan at oracle.com
Thu Nov 8 03:31:35 UTC 2018


I don't think the underlying provider is ready to support named curves. 
Additional RFEs may be required to standardize the names and improve the 
underlying provider.

Xuelei

On 11/7/2018 7:05 PM, Weijun Wang wrote:
> In CurveDB.java, we have
> 
> add("secp256r1 [NIST P-256, X9.62 prime256v1]", "1.2.840.10045.3.1.7", PD,
>      "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
>      "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
>      "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
>      "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
>      "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
>      "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
>      1, nameSplitPattern);
> 
> So the aliases of secp256r1 are now "NIST P-256" and "X9.62 prime256v1". Do we really want to keep the organization name prefix after JDK-8208156? The alias can be used in ECGenParameterSpec and the proposed keytool -groupname option.
> 
> The following shows this behavior.
> 
>> jshell> KeyPairGenerator.getInstance("EC")
>> $3 ==> java.security.KeyPairGenerator$Delegate@64bfbc86
>>
>> jshell> $3.initialize(new ECGenParameterSpec("secp256r1"))
>>
>> jshell> $3.initialize(new ECGenParameterSpec("prime256v1"))
>> |  Exception java.security.InvalidAlgorithmParameterException: Unknown curve name: prime256v1
>> |        at ECKeyPairGenerator.initialize (ECKeyPairGenerator.java:103)
>> |        at KeyPairGenerator$Delegate.initialize (KeyPairGenerator.java:699)
>> |        at KeyPairGenerator.initialize (KeyPairGenerator.java:436)
>> |        at (#6:1)
>>
>> jshell> $3.initialize(new ECGenParameterSpec("X9.62 prime256v1"))
> 
> Thanks
> Max
> 
>> On Nov 7, 2018, at 11:48 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>
>> CSR updated. With such a generalized option, I won't recommend -groupname over -keysize now, although I still intend to print some warning for EC.
>>
>> Please take a review.
>>
>> Thanks
>> Max
>>
> 


