8

I'm trying to create a keystore using keytool with a keyalg ECC.

This should be possible according to Oracle. I quote:

Area: Tools

Synopsis: The keytool and jarsigner tools now support the ECC algorithm in keypair generation and jar signing.

RFE: 6870812

I'm using the 32-bit version 1.7.0_07, and I've tried keytool with -keyalg ECC, ECIES, ECDSA,... but I always get Cannot derive signature algorithm.

Am I using the wrong Java version? Am I using the wrong name for ECC?

Bruno Lowagie

2 Answers

8

Here is the source for the algorithm selection. The allowed values are DSA, RSA and EC. These values are not documented anywhere as far as I can tell.

mcdizzle
  • For future reference, here's the official documentation of the allowed values: https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html – Ti Strga May 15 '18 at 19:15
4

I believe you have to install the unlimited strength policy for JCE to work with all algorithms. If you haven't done so already, it's at the bottom of this page: http://www.oracle.com/technetwork/java/javase/downloads/index.html

monitorjbl
  • Sorry, but I had already installed those (and tested by creating an RSA keystore), so there must be something else I'm missing. – Bruno Lowagie Sep 06 '12 at 15:23
  • OK, I found the problem, but it's a strange one. When I do "java -version", I get java version "1.7.0_07", but apparently, when I use keytool, I'm using the keytool from a different JDK on my machine. I found out by changing "keytool" into "./keytool.exe". Strange... The correct command is: keytool -genkeypair -keyalg EC -keysize 160 -keystore .keystore – Bruno Lowagie Sep 06 '12 at 15:37
  • In general ECC is safe to use with smaller key sizes, but 160 bit is pushing it. I'd rather go for 256, ECC is fast enough anyway. – Maarten Bodewes Sep 06 '12 at 19:47
  • Thanks. I needed the keystore only for testing purposes, but you're right. Even in a test environment, there's no reason not to use a key size of 256. – Bruno Lowagie Sep 07 '12 at 10:03
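
Added example, not part of the original thread: a shell sketch that checks the two points the comments arrive at, namely that `keytool` and `java` on the PATH belong to the same JDK, and that the key pair is generated with `-keyalg EC` at 256 bits. The function names, keystore file, alias, password and DN are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: helper names and default values are hypothetical.

# Print the directory a command on PATH really lives in, or fail.
tool_dir() {
  local path
  path=$(command -v "$1") || return 1
  # Follow symlinks (e.g. /usr/bin/keytool -> JDK bin) where readlink -f exists.
  path=$(readlink -f "$path" 2>/dev/null || printf '%s' "$path")
  dirname "$path"
}

# Return 0 only when java and keytool resolve to the same bin directory.
# Return 1 on a mismatch (the situation found in the thread), 2 if one is missing.
same_jdk() {
  local j k
  j=$(tool_dir java) || { echo "java not on PATH" >&2; return 2; }
  k=$(tool_dir keytool) || { echo "keytool not on PATH" >&2; return 2; }
  if [ "$j" != "$k" ]; then
    echo "mismatch: java in $j, keytool in $k" >&2
    return 1
  fi
}

# Generate a 256-bit EC key pair, then list the entry so the key
# algorithm and signature algorithm can be read from the output.
gen_ec_keystore() {
  local ks pass
  ks=${1:-test-ec.jks}      # placeholder keystore file
  pass=${2:-changeit}       # placeholder password, for test keystores only
  same_jdk || return $?
  keytool -genkeypair -alias ec-test -keyalg EC -keysize 256 \
    -dname "CN=EC Test" -validity 365 \
    -keystore "$ks" -storepass "$pass" -keypass "$pass" &&
  keytool -list -v -keystore "$ks" -storepass "$pass" -alias ec-test
}
```

Source the file and call `gen_ec_keystore`; a mismatch message means the `keytool` being run is not the one shipped with the `java` reported by `java -version`.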