Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Set up elliptic curve cryptography encoding in Identity Manager

Owned by Ann Base (Deactivated)
Last updated: Dec 04, 2023 by Josefin Klang (Deactivated)Version comment
2 min read
This article includes updates for Smart ID 23.10.3 and later.

This article describes how to set up Elliptic Curve Cryptography (ECC) encoding in Smart ID Identity Manager.

For more information, see Set up card encoding description template in Identity Manager.

 Prerequisites
  • The type of the created keys is coded into the KeySize property. Supported curves are limited by Bouncy Castle, the PKCS#11 middleware, and the certificate authority. 

    The PKCS10SigningAlgorithm must be specified when using elliptic curves cryptography.

  • Supported CAs:
    • Smart ID Certificate Manager
    • EJBCA
    • QuoVadis
    • D-Trust
  • Supported middlewares:
 Set up elliptic curve cryptography encoding

Edit the encoding description in which you want to use ECC and do the following:

  1. Use the KeySize property to code the type of the created keys. Set the value to ECC/ plus a curve name, for example, KeySize=ECC/prime256v1.
  2. Specify a suitable PKCS10SigningAlgorithm supported by the given card/middleware combination. Preferably, choose a SHA-2-based algorithm. SHA1_ECDSA should be used only if better options are unavailable.
 Example: ECC encodings
Example: ECC encodings
[Application_A]
CertTempl=SigCert
KeySize=ECC/prime256v1
PKCS10SigningAlgorithm=SHA256_ECDSA
 
[Application_B]
CertTempl=AuthCert
KeySize=ECC/brainpoolP256r1
PKCS10SigningAlgorithm=SHA256_ECDSA
 Supported PKCS10SigningAlgorithms

Cryptovision 8 middleware
with CardOS 5.0/5.3 cards		TCOS 3 middleware
with TCOS 3 cards		TCOS 4 middleware
with TCOS 3/4 cards		CardOS API 5.5.5
with CardOS 5.0/5.3 cards
ECDSA_SHA1(tick) (tick)(tick) (tick) 
ECDSA_SHA224(tick)(error) (error) (error) 
ECDSA_SHA256(tick)(error)(tick) (error) 
ECDSA_SHA384(tick)(error)(error) (error) 
ECDSA_SHA512(tick)(error)(error) (error) 
 Supported curves

The table below contains a subset of the supported curves. This is not an exhaustive list, there are many other curves that may or may not be supported.

Curve name

(alternative names)

Cryptovision 8 middleware
with CardOS 5.0 cards		Cryptovision 8 middleware
with CardOS 5.3 cards		TCOS 3 middleware
with TCOS 3 cards		TCOS 4 middleware
with TCOS 3/4 cards		CardOS API 5.5.5
with CardOS 5.0 cards		CardOS API 5.5.5
with CardOS 5.3 cards

prime256v1

P-256

secp256r1

(tick)(tick)(tick)(tick)(tick)(tick)

P-224

secp224r1

(tick)(tick)(question)(question)(tick)(tick)
P-384
secp384r1		(tick)(tick)(tick)(tick)(tick)(tick)
P-521
secp521r1		(error)(tick)(error)(error)(tick)(tick)
brainpoolP160t1(tick)(tick)(question)(question)(error)(error)
brainpoolP256t1(tick)(tick)(tick)(tick)(error)(error)
brainpoolP384t1(tick)(tick)(tick)(tick)(error)(error)
brainpoolP512t1(error)(tick)(tick)(tick)(error)(error)

brainpoolIP192r1

(tick)(tick)(tick)(tick)(tick)(tick)

brainpoolIP256r1

(tick)(tick)(tick)(tick)(tick)(tick)

brainpoolIP320r1

(tick)(tick)(tick)(tick)(tick)(tick)

brainpoolIP512r1

(error)(tick)(tick)(tick)(tick)(tick)
secp256k1(error)(tick)(question)(question)(tick)(tick)

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions