-
CSR
-
Resolution: Approved
-
P3
-
None
-
behavioral
-
minimal
-
This is a new option name. The only compatibility risk is that user will see a warning suggesting using the new -groupname option when only -keysize is specified when generating an EC key.
-
add/remove/modify command line option
-
JDK
Summary
Add a new -groupname option to keytool -genkeypair so user can specify an named group when generating a keypair. For example, an Elliptic Curve name.
Problem
In Elliptic Curve Cryptography, multiple curves can have the same field size (For example: both secp256r1 and brainpoolP256r1 are 256 bits). Therefore with only the -keysize option, there is no way to precisely specify which curve should be used.
Other key algorithms might have the same problem when multiple named groups have the same keysize.
Solution
Add a new -groupname option to keytool -genkeypair. The user can specify a named group. Precisely:
- If both
-keysizeand-groupnameare specified, there will be an error. - If only
-groupnameis specified, the named group will be used. - If only
-keysizeis specified, an arbitrary named group matching the specified size is used. For some algorithms (for example, EC) a warning will be printed suggesting migrating to-groupname <the name>. - If neither is specified, the current default (for EC, it's secp256r1) will be used.
Specification
In keytool -help -genkeypair, add one line
-groupname <name> Group name. For example, an Elliptic Curve name.In keytool.html the tooldoc, adding the following paragraph to the -genkeypair command.
The
-groupnamevalue specifies the named group (For example, the standard or predefined name of an Elliptic Curve) of the key to be generated. Only one of-groupnameand-keysizecan be specified.
- csr of
-
JDK-8252230 Support choosing group name in keytool keypair generation
-
- Resolved
-
-
-
- Resolved
-