Roni Roni - 4 months ago 20
Java Question

Choosing curve when generating ECDSA keypair with Java keytool

I am trying to understand how I can choose the ECDSA curve when generating a keypair using the Java (7) keytool.

It would also help to find out what curve was used with the default settings.

Here is the command I use:

keytool -genkeypair -keyalg EC -alias myAlias -keystore myKeystore.jks -storepass myStorepass -keypass myKeypass -validity 730 -keysize 256 -dname "CN=myCn, OU=myOu, O=myO, C=myC" -v

Answer Source

The Oracle provided Java 7 implementation only uses the SEC curves. These are identical to the NIST standardized curves. In your case it is certain that P-256 was used. In Java, however, the original SEC name is used: "secp256r1".


So you could retrieve and encode the private key:

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.interfaces.ECPrivateKey;
import java.util.Base64;
KeyStore store = KeyStore.getInstance("JKS"); // inside main(String[] args): keystore path, store password, alias, key password
store.load(new FileInputStream(args[0]), args[1].toCharArray());
ECPrivateKey key = (ECPrivateKey) store.getKey(args[2], args[3].toCharArray());
System.out.println(Base64.getEncoder().encodeToString(key.getEncoded()));

Then ASN.1 decode the contents:

SEQUENCE (3 elem)
  INTEGER 0
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.10045.2.1
    OBJECT IDENTIFIER 1.2.840.10045.3.1.7
  OCTET STRING (1 elem)
    SEQUENCE (2 elem)
      INTEGER 1
      OCTET STRING (32 byte) E935A4475D495ADA18A791C1222D5A3424CF540BDE42802F588C664082D10808

And then look up the value for the second OBJECT IDENTIFIER (OID), 1.2.840.10045.3.1.7:

Covers "secp256r1", the elliptic curve domain listed in "SEC 2: Recommended Elliptic Curve Domain Parameters". The SEC (Standards for Efficient Cryptography) curves provide elliptic curve domain parameters at commonly required security levels for use by implementers of ECC standards like ANSI X9.62, ANSI X9.63, IEEE P1363, and other standards.
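The answer identifies the curve by hand, by running the Base64 output of the Java snippet through an ASN.1 decoder and looking up the second OID. The following is an added example, not part of the original answer, that does the same check in code: a minimal DER walker for the PKCS#8 layout shown above (SEQUENCE { INTEGER version, SEQUENCE { OID ecPublicKey, OID namedCurve }, OCTET STRING { SEC1 ECPrivateKey } }) that extracts the curve OID and maps it to its SEC/NIST name. It goes slightly beyond the page by also recognising the other SEC prime curves the JDK ships (P-384, P-521, secp256k1). The helpers `tlv`, `encode_oid` and `build_pkcs8_ec_key` are assumptions used only to construct sample input offline; the private scalar is a constructed placeholder, not a real key.

```python
import base64

# Named-curve OIDs (SEC 2 / RFC 5480); 1.2.840.10045.3.1.7 is the one on the page.
CURVE_NAMES = {
    "1.2.840.10045.3.1.7": "secp256r1 (NIST P-256, X9.62 prime256v1)",
    "1.3.132.0.34": "secp384r1 (NIST P-384)",
    "1.3.132.0.35": "secp521r1 (NIST P-521)",
    "1.3.132.0.10": "secp256k1",
}
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"  # id-ecPublicKey, the first OID on the page


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value bytes, next pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def curve_from_pkcs8(b64_key):
    """Parse the Base64 PKCS#8 blob printed by the Java snippet and name its curve."""
    der = base64.b64decode(b64_key)
    tag, outer, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a PKCS#8 PrivateKeyInfo SEQUENCE")
    _, version, pos = read_tlv(outer, 0)          # INTEGER 0
    _, alg_id, pos = read_tlv(outer, pos)          # AlgorithmIdentifier SEQUENCE
    _, key_octets, _ = read_tlv(outer, pos)        # OCTET STRING wrapping SEC1 ECPrivateKey
    tag, alg_oid, pos = read_tlv(alg_id, 0)
    tag2, curve_oid, _ = read_tlv(alg_id, pos)
    if tag != 0x06 or tag2 != 0x06:
        raise ValueError("AlgorithmIdentifier does not carry two OIDs (named curve expected)")
    algorithm = decode_oid(alg_oid)
    if algorithm != EC_PUBLIC_KEY_OID:
        raise ValueError("not an EC key: " + algorithm)
    curve = decode_oid(curve_oid)
    # Inner SEC1 ECPrivateKey: SEQUENCE { INTEGER 1, OCTET STRING privateKey, ... }
    _, ec_priv, _ = read_tlv(key_octets, 0)
    _, inner_version, pos = read_tlv(ec_priv, 0)
    _, scalar, _ = read_tlv(ec_priv, pos)
    return {
        "pkcs8_version": int.from_bytes(version, "big"),
        "sec1_version": int.from_bytes(inner_version, "big"),
        "curve_oid": curve,
        "curve": CURVE_NAMES.get(curve, "unknown named curve"),
        "private_key_bytes": len(scalar),
    }


# --- Constructed sample input (assumption: a tiny DER encoder, not JDK code) ---
def tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_pkcs8_ec_key(curve_oid, scalar):
    """Build the same PKCS#8 shape keytool/JKS produce, with a constructed scalar."""
    alg_id = tlv(0x30, tlv(0x06, encode_oid(EC_PUBLIC_KEY_OID)) + tlv(0x06, encode_oid(curve_oid)))
    ec_priv = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, scalar))
    return base64.b64encode(tlv(0x30, tlv(0x02, b"\x00") + alg_id + tlv(0x04, ec_priv))).decode()


if __name__ == "__main__":
    sample = build_pkcs8_ec_key("1.2.840.10045.3.1.7", bytes(range(1, 33)))  # placeholder scalar
    print(curve_from_pkcs8(sample))
```

Paste the Base64 line the Java snippet prints into `curve_from_pkcs8` to get the curve name directly; a key whose AlgorithmIdentifier carries explicit parameters instead of a second OID (a SEQUENCE rather than 0x06) is rejected rather than misreported, since the page's lookup only applies to named curves.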