JDK-8213401 : Support choosing group name in keytool keypair generation
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 12
  • Submitted: 2018-11-06
  • Updated: 2018-11-13
  • Resolved: 2018-11-13
Related Reports
CSR :  
Relates :  
Sub Tasks
JDK-8213492 :  

Add a new `-groupname` option to `keytool -genkeypair` so user can specify an named group when generating a keypair. For example, an Elliptic Curve name.


In Elliptic Curve Cryptography, multiple curves can have the same field size (For example: both secp256r1 and brainpoolP256r1 are 256 bits). Therefore with only the `-keysize` option, there is no way to precisely specify which curve should be used.

Other key algorithms might have the same problem when multiple named groups have the same keysize.


Add a new `-groupname` option to `keytool -genkeypair`. The user can specify a named group. Precisely:

 1. If both `-keysize` and `-groupname` are specified, there will be an error.
 1. If only `-groupname` is specified, the named group will be used.
 1. If only `-keysize` is specified, an arbitrary named group matching the specified size is used. For some algorithms (for example, EC) a warning will be printed suggesting migrating to `-groupname <the name>`.
 1. If neither is specified, the current default (for EC, it's secp256r1) will be used.


In `keytool -help -genkeypair`, add one line

    -groupname <name>     Group name. For example, an Elliptic Curve name.

In keytool.html the tooldoc, adding the following paragraph to the `-genkeypair` command.

> The `-groupname` value specifies the named group (For example, the standard or predefined name of an Elliptic Curve) of the key to be generated. Only one of `-groupname` and `-keysize` can be specified.
Moving to Approved.

Doesn't seem all the friendly to the user, but acceptable.

We thought about it but later decide to forbid specifying both at all. Reasons: 1. Simple. There are 2 KeyPairGenerator.initialize methods that take either a keysize or a NamedParameterSpec. We just call the one we have and do not need to check for consistency first. 2. We want to discourage people using -keysize when generating an EC keypair. 3. In the future, there might be algorithms that do not have a keysize attribute.

Is there harm in allowing redundant but consistent information to be specified for the algorithm name and key size? Moving to Provisional.