- CSR
- Resolution: Approved
- P3
- None
- behavioral
- minimal
- This is a new option name. The only compatibility risk is that the user will see a warning suggesting the use of the new -groupname option when only -keysize is specified while generating an EC key.
- add/remove/modify command line option
- JDK
Summary
Add a new -groupname option to keytool -genkeypair so the user can specify a named group when generating a keypair, for example an Elliptic Curve name.
Problem
In Elliptic Curve Cryptography, multiple curves can have the same field size (for example, both secp256r1 and brainpoolP256r1 are 256 bits). Therefore, with only the -keysize option there is no way to specify precisely which curve should be used.
Other key algorithms might have the same problem when multiple named groups have the same key size.
Solution
Add a new -groupname option to keytool -genkeypair. The user can specify a named group. Precisely:
- If both -keysize and -groupname are specified, there will be an error.
- If only -groupname is specified, the named group will be used.
- If only -keysize is specified, an arbitrary named group matching the specified size is used. For some algorithms (for example, EC) a warning will be printed suggesting migrating to -groupname <the name>.
- If neither is specified, the current default (for EC, it's secp256r1) will be used.
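The ambiguity this CSR addresses can be checked after the fact: given an EC key (for example one exported from a keystore), compare its domain parameters with those of each candidate named curve to learn which group a size-only request actually produced. This is an added example, not JDK or keytool code; the candidate list is a constructed, non-exhaustive assumption, and unsupported curves are skipped rather than treated as errors.

```java
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.*;
import java.util.List;

// Added example (not JDK code): recover the named group of an EC key by comparing its
// domain parameters against candidate named curves, the check a reviewer would run on a
// keystore entry to confirm which curve a size-only request actually produced.
public class EcGroupCheck {

    // Constructed candidate list, not exhaustive; brainpoolP256r1 shares secp256r1's size.
    static final List<String> CANDIDATES =
            List.of("secp256r1", "brainpoolP256r1", "secp384r1", "secp521r1");

    // Returns the candidate name whose parameters equal the key's, or null if none match.
    static String namedGroupOf(ECPublicKey key) throws NoSuchAlgorithmException {
        ECParameterSpec actual = key.getParams();
        for (String name : CANDIDATES) {
            ECParameterSpec candidate;
            try {
                AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
                ap.init(new ECGenParameterSpec(name));
                candidate = ap.getParameterSpec(ECParameterSpec.class);
            } catch (InvalidParameterSpecException e) {
                continue; // this JDK's providers do not support the curve; skip it
            }
            if (sameCurve(actual, candidate)) {
                return name;
            }
        }
        return null;
    }

    // Curve equation, base point, order and cofactor together identify the group.
    static boolean sameCurve(ECParameterSpec a, ECParameterSpec b) {
        return a.getCurve().equals(b.getCurve()) && a.getGenerator().equals(b.getGenerator())
                && a.getOrder().equals(b.getOrder()) && a.getCofactor() == b.getCofactor();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256); // size only: the provider chooses the curve
        ECPublicKey bySize = (ECPublicKey) kpg.generateKeyPair().getPublic();
        System.out.println("keysize 256         -> " + namedGroupOf(bySize));
        kpg.initialize(new ECGenParameterSpec("secp384r1")); // named group: unambiguous
        ECPublicKey byName = (ECPublicKey) kpg.generateKeyPair().getPublic();
        System.out.println("groupname secp384r1 -> " + namedGroupOf(byName));
    }
}
```

The same namedGroupOf check applies to a public key read back from a keystore entry, which is how one would confirm that a -groupname request was honoured by the provider.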
Specification
In keytool -help -genkeypair, add one line:
 -groupname <name>       Group name. For example, an Elliptic Curve name.
In keytool.html (the tool documentation), add the following paragraph to the -genkeypair command:
The -groupname value specifies the named group (for example, the standard or predefined name of an Elliptic Curve) of the key to be generated. Only one of -groupname and -keysize can be specified.
- csr of JDK-8213400 Support choosing group name in keytool keypair generation (Resolved)
- relates to JDK-8208156 Each JCE provider should document the EC curves that they support (Resolved)