On 11/6/2018 2:18 AM, Weijun Wang wrote:
On Nov 6, 2018, at 1:06 PM, Xuelei Fan <xuelei....@oracle.com> wrote:
If the option "-keysize 256 -curvename sect163k1" works, I may think that the key size is 256 bits. I want to create a 256-bit sect163k1 EC key, and the tool allows this behavior, so I should get a 256-bit sect163k1 EC key. Sure, that's incorrect, but I don't know it is incorrect, as the tool ignores the key size. What the problem with the command is, I don't know either, unless I clearly understand that sect163k1 is not 256 bits. The next question for me: what is the key size actually? 256 bits or 163 bits? Which option is used? It adds more confusion for me.
Well explained. I've updated the CSR and this will be an error.
This is a good improvement. If you like, you could even go one step
further and error out any time -curvename and -keysize are used at the
same time, even if the size is correct. This would simplify things and
discourage use of -keysize for EC keys.
(curve ambiguity issue with -keysize)
Thanks
Max
I don't think it is worthwhile to add any code to choose some particular
curve when only -keysize is used (or KeyPairGenerator.init(int)).
Keeping the current behavior and choosing an arbitrary curve of the
specified size is fine. Emitting a warning is a good idea, and if you
plan to do this, you might want to emit a warning any time -keysize is
used with an EC key, regardless of whether there are (currently)
multiple curves of the specified size.
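The point under discussion (a size alone does not identify a curve, while a curve name fixes the size) can be checked directly against the JCA API. The following is an added example, not code from this thread or from the JDK; the class name EcKeySizeCheck and the helper fieldSizeBits are my own names. It generates one key pair through KeyPairGenerator.initialize(int), the path the discussion says picks an arbitrary curve of that size, and one through a named-curve ECGenParameterSpec, and reads the field size back from the resulting public key. Not every JDK or provider ships sect163k1, so that branch catches the resulting InvalidAlgorithmParameterException; whether printing the ECParameterSpec shows the curve name is provider-dependent.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;

public class EcKeySizeCheck {

    // Field size, in bits, of the curve the key actually lives on. This is the
    // only meaningful "key size" for an EC key; it is a property of the curve,
    // not a separate parameter. (Helper name is mine, not a JDK API.)
    static int fieldSizeBits(KeyPair kp) {
        ECParameterSpec params = ((ECPublicKey) kp.getPublic()).getParams();
        return params.getCurve().getField().getFieldSize();
    }

    public static void main(String[] args) throws Exception {
        // Case 1: size only. The provider chooses some curve with a 256-bit
        // field; the request itself does not say which one.
        KeyPairGenerator bySize = KeyPairGenerator.getInstance("EC");
        bySize.initialize(256);
        KeyPair k1 = bySize.generateKeyPair();
        System.out.println("initialize(256): field size = " + fieldSizeBits(k1)
                + ", params = " + ((ECPublicKey) k1.getPublic()).getParams());

        // Case 2: named curve. The size follows from the curve; asking for
        // "256 bits" on top of it is either redundant or contradictory.
        int requestedBits = 256;
        KeyPairGenerator byName = KeyPairGenerator.getInstance("EC");
        try {
            byName.initialize(new ECGenParameterSpec("sect163k1"));
            KeyPair k2 = byName.generateKeyPair();
            int actualBits = fieldSizeBits(k2);
            System.out.println("sect163k1: field size = " + actualBits);
            if (actualBits != requestedBits) {
                // This is the "-keysize 256 -curvename sect163k1" situation:
                // two conflicting requests. A tool should reject it rather
                // than silently honour one and ignore the other.
                System.out.println("conflict: requested " + requestedBits
                        + " bits but sect163k1 is " + actualBits + " bits");
            }
        } catch (InvalidAlgorithmParameterException e) {
            // Binary curves such as sect163k1 are not available on every
            // JDK/provider combination.
            System.out.println("sect163k1 not supported here: " + e.getMessage());
        }
    }
}
```

Run it with `javac EcKeySizeCheck.java && java EcKeySizeCheck`. The first case always succeeds but tells you only the field size, which is exactly why a warning on any use of -keysize with EC keys is reasonable: the caller has asked for a size and received a curve chosen for them. The second case shows that once a curve is named, the size is already determined, so a separate -keysize can only agree with it or contradict it.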