Cannot create CA with SHA512withECDSA signingAlgorithm on Version 7.11.0

[floriankoenig-work]

On creation of a CA (even self-signed) using SHA512withECDSA signing Algorithm ans "ROOTCA" profile (everything allowed), I get the following error:

Error: No matching curve for ECDSA signing algorithm. 

Digging throug the source, I found on line 383 of modules/admin-gui/src/org/ejbca/ui/web/admin/cainterface/CAInterfaceBean.java:

                    if(caInfoDto.getSignatureAlgorithmParam().contains("384")) {
                        // for SHA384withECDSA
                        caSignKeySpec = "brainpoolP384R1";
                    } else if(caInfoDto.getSignatureAlgorithmParam().contains("256")){
                        // for SHA256withECDSA
                        caSignKeySpec = "secp256r1";
                    } else {
                        log.error("No matching curve for signing algorithm: " + caInfoDto.getSignatureAlgorithmParam());
                        throw new Exception("No matching curve for ECDSA signing algorithm.");
                    }

"512" is not mentioned here. Could this be the cause?

[primetomas]

SHA512 matches the P521 curve. I just tried creating a P-521 key on a crypto token, and then creating a new RootCA with SHA512WithECDSA, using the default ROOTCA certificate profile.
(note that we recommend to clone the ROOTCA profile into something new that you can edit and modify for your use)

[primetomas]

I could also create a CSR from this CA, to send to an external CA. That code you found is for a more "test" case, when you select "create a new crypto token with default keys" instead of selecting an existing crypto token.
So, perhaps that's your mistake. First create a crypto token with the keys you want to use, second you create a CA selecting this crypto token.

[primetomas]

(converted to a discussion)

[floriankoenig-work]

Thanks for clarification. I usually dont use the ROOTCA profile but a clone.
I just used it during troubleshooting.

I did indeed "Create a new soft Crypto Token with recommended key pairs".
In my opionion it's still a bug as i don't see why it should work with 256bit, but not with 512.

[primetomas]

You could also see it as that we don't recommend to use SHA512WithECDSA...
I would like to create an issue to remove "Create a new soft Crypto Token with recommended key pairs", I think it may cause more bad than good. Would you be ok with removing that altogether?

[floriankoenig-work]

That would at least deliver a consistent UX