chris2511 / xca

X Certificate and Key management
http://xca.hohnstaedt.de

ECC Support - key gen and usage #202

Open rcarlisle-spyrus opened 4 years ago

rcarlisle-spyrus commented 4 years ago

When using pkcs11/token interfaces, keys are generated by passing in the EC domain parameters (rather than the preferred OID). However, when the keys are later searched to generate a certificate, the OID is used instead of the domain parameters. It would be better to be consistent and also use the recommended OID values instead of the domain parameters when generating the ECC keys on a token, e.g. for NIST curves:

```
/* DER encoded OIDs for EC supported curves */
secp192r1 = '06082a8648ce3d030101'x  /* {1 2 840 10045 3 1 1} */
secp224r1 = '06052b81040021'x        /* {1 3 132 0 33} */
secp256r1 = '06082a8648ce3d030107'x  /* {1 2 840 10045 3 1 7} */
secp384r1 = '06052b81040022'x        /* {1 3 132 0 34} */
secp521r1 = '06052b81040023'x        /* {1 3 132 0 35} */
```

rcarlisle-spyrus commented 4 years ago

For example, when generating secp521r1, the EC PARAMS passed in during key gen are (instead of the OID from above):

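Added example, not part of the issue thread and not XCA's code: a small checker that tells whether an EC parameters value (as stored in PKCS#11 `CKA_EC_PARAMS`) is the named-curve OID form or explicit domain parameters, and that encodes and decodes the OIDs listed above. The function names are hypothetical, and the explicit-parameters input used in testing is a constructed stub, not real curve data.

```python
# Added example. ECParameters is an ASN.1 CHOICE (X9.62 / RFC 5480):
#   namedCurve OBJECT IDENTIFIER (tag 0x06), implicitCurve NULL (0x05),
#   specifiedCurve SEQUENCE (0x30, the explicit domain parameters).
NAMED_CURVES = {  # dotted OIDs taken from the list in the issue
    "1.2.840.10045.3.1.1": "secp192r1", "1.3.132.0.33": "secp224r1",
    "1.2.840.10045.3.1.7": "secp256r1", "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

def encode_oid(dotted):
    """DER-encode a dotted OID (short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]            # last byte has the high bit clear
        sub >>= 7
        while sub:
            chunk.append((sub & 0x7F) | 0x80)
            sub >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER into dotted notation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short DER OID")
    if der[-1] & 0x80:
        raise ValueError("truncated final arc")
    subids, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def classify_ec_params(der):
    """Return (form, curve) for a DER ECParameters value."""
    if not der:
        raise ValueError("empty EC parameters")
    if der[0] == 0x06:
        oid = decode_oid(der)
        return ("namedCurve", NAMED_CURVES.get(oid, oid))
    if der[0] == 0x30:
        return ("specifiedCurve", None)   # explicit domain parameters
    if der[0] == 0x05:
        return ("implicitCurve", None)
    raise ValueError("unexpected tag 0x%02x" % der[0])
```

A search template built from `encode_oid(...)` only matches keys whose stored parameters classify as `namedCurve`, which is the mismatch the issue describes.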