Errata Search
RFC Number:		Errata ID:
Source of RFC		Status:	All/Any Verified+Reported Verified Reported Held for Document Update Rejected
Area Acronym:	All/Any app art gen int ops rai rtg sec tsv wit	Type:	All/Any Editorial Technical
WG Acronym:		Submitter Name:
Other:	All/Any IAB INDEPENDENT IRTF Legacy Editorial	Date Submitted:
Summary Table Full Records

RFC 5915, "Elliptic Curve Private Key Structure", June 2010

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

---

Errata ID: 5008
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Brian Smith
Date Reported: 2017-04-30

Section 3 says:

Though the ASN.1 indicates that the parameters field is OPTIONAL,
implementations that conform to this document MUST always include
the parameters field.

It should say:

Though the ASN.1 indicates that the parameters field is OPTIONAL,
whether the parameters field is optional, required, or forbidden
depends on the context. When serializing an ECPrivateKey into a PKCS#8
file, the parameters field MUST NOT be included in the serialization.
(This is required to interoperate with PKCS#11.)

When parsing an ECPrivateKey within a PKCS#8 file, when the parser
encounters an ECPrivateKey without a parameters field, the parser MUST
use the parameters from the PKCS#8 privateKeyAlgorithm field, and MUST
NOT reject the key solely due to the missing parameters field.

When parsing an ECPrivateKey within a PKCS#8 file, when the parser 
encounters an ECPrivateKey with a parameters field present, the parser
SHOULD reject the key if the ECPrivateKey parameters do not exactly
match the the PKCS#8 privateKeyAlgorithm parameters.

More generally, these rules should be followed whenever parsing an
ECPrivateKey within a larger structure that contains the parameters.

Notes:

Section 1 notes that we must put "id-ecPublicKey, id-ecDH, or id-ecMQV (from [RFC5480]) with the namedCurve as the parameters in the privateKeyAlgorithm field;"

Thus, in a PKCS#8 file containing an ECC private key, there's no need to include the parameters in the ECPrivateKey field, because they are already in the privateKeyAlgorithm field.

PKCS#11 says "Since the EC domain parameters are placed in the PKCS #8’s privateKeyAlgorithm field, the optional parameters field in an ECPrivateKey must be omitted." - http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.pdf

Further, with OpenSSL 1.0.2h and the OpenSSL trunk, the `openssl genpkey` command only encode the parameters in the PKCS#8 privateKeyAlgorithm, not in the parameters field of the ECPrivateKey:

openssl genpkey -algorithm EC \
-pkeyopt ec_paramgen_curve:P-256 \
-pkeyopt ec_param_enc:named_curve | \
openssl pkcs8 -topk8 -nocrypt -outform der > p256-private-key.pk8

Thus, a parser that wishes to interoperate with OpenSSL cannot enforce the MUST requirement here.

Report New Errata