Set up elliptic curve cryptography encoding in Identity Manager

This article includes updates for Smart ID 23.10.3 and later.

This article describes how to set up Elliptic Curve Cryptography (ECC) encoding in Smart ID Identity Manager.

For more information, see Set up card encoding description template in Identity Manager.

Prerequisites

The type of the created keys is coded into the KeySize property. Supported curves are limited by Bouncy Castle, the PKCS#11 middleware, and the certificate authority.

The PKCS10SigningAlgorithm must be specified when using elliptic curves cryptography.
Supported CAs:
- Smart ID Certificate Manager
- EJBCA
- QuoVadis
- D-Trust
Supported middlewares:
- Cryptovision
- CardOS 5.5.5 and later
- TCOS, see Encoding using T-Systems TCOS middleware in Identity Manager

Set up elliptic curve cryptography encoding

Edit the encoding description in which you want to use ECC and do the following:

Use the KeySize property to code the type of the created keys. Set the value to ECC/ plus a curve name, for example, KeySize=ECC/prime256v1.
Specify a suitable PKCS10SigningAlgorithm supported by the given card/middleware combination. Preferably, choose a SHA-2-based algorithm. SHA1_ECDSA should be used only if better options are unavailable.

Example: ECC encodings

[Application_A]
CertTempl=SigCert
KeySize=ECC/prime256v1
PKCS10SigningAlgorithm=SHA256_ECDSA
 
[Application_B]
CertTempl=AuthCert
KeySize=ECC/brainpoolP256r1
PKCS10SigningAlgorithm=SHA256_ECDSA

Supported PKCS10SigningAlgorithms

	Cryptovision 8 middleware with CardOS 5.0/5.3 cards	TCOS 3 middleware with TCOS 3 cards	TCOS 4 middleware with TCOS 3/4 cards	CardOS API 5.5.5 with CardOS 5.0/5.3 cards
ECDSA_SHA1
ECDSA_SHA224
ECDSA_SHA256
ECDSA_SHA384
ECDSA_SHA512

Supported curves

The table below contains a subset of the supported curves. This is not an exhaustive list, there are many other curves that may or may not be supported.

Curve name (alternative names)	Cryptovision 8 middleware with CardOS 5.0 cards	Cryptovision 8 middleware with CardOS 5.3 cards	TCOS 3 middleware with TCOS 3 cards	TCOS 4 middleware with TCOS 3/4 cards	CardOS API 5.5.5 with CardOS 5.0 cards	CardOS API 5.5.5 with CardOS 5.3 cards
prime256v1 P-256 secp256r1
P-224 secp224r1
P-384 secp384r1
P-521 secp521r1
brainpoolP160t1
brainpoolP256t1
brainpoolP384t1
brainpoolP512t1
brainpoolIP192r1
brainpoolIP256r1
brainpoolIP320r1
brainpoolIP512r1
secp256k1