JDK-8210755 : Define standard names for EC curves and TLS signature schemes
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2018-09-14
  • Updated: 2019-10-24
  • Resolved: 2019-08-06
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 14
14 b09Fixed
Related Reports
Blocks :  
JDK-8226307 - Curve names should be case-insensitive
CSR :  
JDK-8228752 - Define standard names for EC curves and TLS signature schemes
Relates :  
JDK-8208156 - Each JCE provider should document the EC curves that they support
Relates :  
JDK-8080704 - Support the retrieval of standard names for EC parameters
Relates :  
JDK-8213400 - Support choosing group name in keytool keypair generation
Relates :  
JDK-8226374 - Restrict TLS signature schemes and named groups
Description
In the SunJSSE provider, the jdk.tls.namedGroups can be used to customize the supported groups.  But there are no standard names defined for them.  They can also be used in the ECGenParameterSpec API. We should define these named groups in the Standard Names Specification, or document the link to IANA page if the IANA names are used.

Also we are extending the scope of the jdk.tls.disabledAlgorithms security property (see JDK-8226374) to allow you to restrict signature schemes, as specified in the TLS RFCs. We should add a section to the standard names specification listing the standard scheme names.
Comments
URL: https://hg.openjdk.java.net/jdk/jdk/rev/a95e92c449bf User: mullan Date: 2019-08-06 13:28:13 +0000
06-08-2019
Re-targeting to 14 since we need to fix a bug first which is not critical for 13.
19-06-2019
Changed the bug summary to be more specific. This is going to be focused on defining standard curve names for EC keys only right now since that is what is exposed via the standard API (ECGenParameterSpec). The jdk.tls.namedGroups property is JDK-specific (thus other implementations do not have to support it), and also includes names for finite-field groups which are not directly exposed via any standard API that I am aware of.
17-06-2019
The list accepted in JSSE (TLS) is: http://hg.openjdk.java.net/jdk/jdk/file/946f7f2d321c/src/java.base/share/classes/sun/security/ssl/NamedGroup.java which were defined in the IANA TLS parameters page: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
17-06-2019
I suggest that we standardize a naming format, rather than a list of names. The definition of strings in that format should be maintained by some standards body, and the provider documentation can list which names are supported. For example, we can say that the standard format is OIDs of the form "1.2.3.4". A provider could also support other names/aliases, and list them in its documentation.
22-01-2019
Both `keytool -groupname` and `ECGenParameterSpec` also accept non-standard names. For example, both "NIST P-192", "X9.62 prime192v1" are actually "secp192r1". Are we going to officially support them as aliases? Also, these names always have an org name as a prefix. Shall we keep them?
15-11-2018
We would probably want to make this a standard property (and not implementation-specific) if we were going to standardize the names. Or introduce a new standard API for setting/getting the groups, see https://bugs.openjdk.java.net/browse/JDK-8080704.
14-09-2018