This article includes updates for Identity Manager 6.0.0.
This article describes how to set up Elliptic Curve Cryptography (ECC) encoding in Smart ID Identity Manager.
For more information, see Set up card encoding description template in Identity Manager.
Prerequisites
- The type of the created keys is coded into the KeySize property. Supported curves are limited by Bouncy Castle, the PKCS#11 middleware, and the certificate authority.
- The PKCS10SigningAlgorithm must be specified when using elliptic curve cryptography.
- Supported CAs:
  - Smart ID Certificate Manager
  - EJBCA
  - QuoVadis
  - D-Trust
- Supported middlewares:
  - Cryptovision
  - CardOS 5.5.5 and later
  - TCOS, see Encoding using T-Systems TCOS middleware in Identity Manager
  - IDplug 4.6.1 and later
Set up elliptic curve cryptography encoding
Edit the encoding description in which you want to use ECC and do the following:
- Use the KeySize property to code the type of the created keys. Set the value to ECC/ plus a curve name, for example, KeySize=ECC/prime256v1. See the “Supported curves” section below for the valid curve names.
- Specify a suitable PKCS10SigningAlgorithm supported by the given card/middleware combination. Preferably, choose a SHA-2-based algorithm. SHA1_ECDSA should be used only if better options are unavailable. See the “Supported signing algorithms” section below for the valid algorithm names.
Example: ECC encodings
[Application_A]
CertTempl=SigCert
KeySize=ECC/prime256v1
PKCS10SigningAlgorithm=SHA256_ECDSA
[Application_B]
CertTempl=AuthCert
KeySize=ECC/brainpoolP256r1
PKCS10SigningAlgorithm=SHA256_ECDSA
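As an added example (not part of this article and not Identity Manager's own validation), a small Python check that parses an encoding description in the format shown above and flags the ECC mistakes the steps warn about: a curve name outside the tables below, a missing PKCS10SigningAlgorithm, a non-ECDSA algorithm, and use of SHA1_ECDSA where a SHA-2 algorithm is available. The INI-style parsing, the allow-lists (taken from the two tables, aliases included) and the sample sections are assumptions made for this example.

```python
import configparser
from typing import Dict, List

# Names from the two tables in this article (with aliases); which middleware supports each still has to be checked there.
KNOWN_CURVES = {
    "prime256v1", "P-256", "secp256r1", "P-224", "secp224r1", "P-384", "P-521",
    "brainpoolP160t1", "brainpoolP256t1", "brainpoolP384t1", "brainpoolP512t1",
    "brainpoolP192r1", "brainpoolP256r1", "brainpoolP320r1", "brainpoolP512r1",
    "secp256k1",
}
ECDSA_ALGORITHMS = {"SHA1_ECDSA", "SHA224_ECDSA", "SHA256_ECDSA", "SHA384_ECDSA", "SHA512_ECDSA"}

def check_encoding_description(text: str) -> Dict[str, List[str]]:
    """Return {section: [findings]} for every ECC section; an empty list means the section is fine."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep property names case-sensitive (KeySize, not keysize)
    parser.read_string(text)
    findings: Dict[str, List[str]] = {}
    for section in parser.sections():
        key_size = parser.get(section, "KeySize", fallback="")
        if not key_size.startswith("ECC/"):
            continue  # RSA section or no KeySize: nothing ECC-specific to check
        problems: List[str] = []
        curve = key_size[len("ECC/"):]
        if curve not in KNOWN_CURVES:
            problems.append(f"unknown curve '{curve}' in KeySize")
        algorithm = parser.get(section, "PKCS10SigningAlgorithm", fallback=None)
        if algorithm is None:
            problems.append("PKCS10SigningAlgorithm is required for ECC keys")
        elif algorithm not in ECDSA_ALGORITHMS:
            problems.append(f"'{algorithm}' is not an ECDSA signing algorithm")
        elif algorithm == "SHA1_ECDSA":
            problems.append("SHA1_ECDSA is weak; prefer a SHA-2 based algorithm")
        findings[section] = problems
    return findings

# Constructed sample (CertTempl lines omitted): Application_A is correct, the other three each contain one mistake.
SAMPLE = """\
[Application_A]
KeySize=ECC/prime256v1
PKCS10SigningAlgorithm=SHA256_ECDSA
[Application_B]
KeySize=ECC/brainpoolP256r1
PKCS10SigningAlgorithm=SHA1_ECDSA
[Application_C]
KeySize=ECC/prime256v1
[Application_D]
KeySize=ECC/secp999r1
PKCS10SigningAlgorithm=SHA256_ECDSA
"""
```

Calling check_encoding_description(SAMPLE) returns an empty finding list for Application_A and one finding each for the other three sections.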
Supported curves
The table below contains a subset of the supported curves. It is not an exhaustive list; many other curves exist that may or may not be supported.
| Curve name (alternative names) | Cryptovision 8 middleware | Cryptovision 8 middleware | TCOS 3 middleware | TCOS 4 middleware | CardOS API 5.5.5 | CardOS API 5.5.5 | IDplug 4.6.1 with CosmoX R6 cards |
|---|---|---|---|---|---|---|---|
| prime256v1 (P-256, secp256r1) |  |  |  |  |  |  |  |
| P-224 (secp224r1) |  |  |  |  |  |  |  |
| P-384 |  |  |  |  |  |  |  |
| P-521 |  |  |  |  |  |  |  |
| brainpoolP160t1 |  |  |  |  |  |  |  |
| brainpoolP256t1 |  |  |  |  |  |  |  |
| brainpoolP384t1 |  |  |  |  |  |  |  |
| brainpoolP512t1 |  |  |  |  |  |  |  |
| brainpoolP192r1 |  |  |  |  |  |  |  |
| brainpoolP256r1 |  |  |  |  |  |  |  |
| brainpoolP320r1 |  |  |  |  |  |  |  |
| brainpoolP512r1 |  |  |  |  |  |  |  |
| secp256k1 |  |  |  |  |  |  |  |
Supported signing algorithms
| Algorithm name | Cryptovision 8 middleware | TCOS 3 middleware | TCOS 4 middleware | CardOS API 5.5.5 | IDplug 4.6.1 with CosmoX R6 cards |
|---|---|---|---|---|---|
| SHA1_ECDSA |  |  |  |  |  |
| SHA224_ECDSA |  |  |  |  |  |
| SHA256_ECDSA |  |  |  |  |  |
| SHA384_ECDSA |  |  |  |  |  |
| SHA512_ECDSA |  |  |  |  |  |