On 2/22/2024 12:48 PM, Jordan Brown wrote:
The C way is using EC_get_builtin_curves().
But caution: I found that not all of the curves returned were actually usable. I don't remember the details, but I found that several could not be used to create keys, and a few could be used to create keys but then could not be used to sign certificate signing requests. And Oakley-EC2N-4 appeared particularly toxic; it appeared to corrupt memory. I derived a usable-curves list by attempting to build keys with each, and then attempting to build CSRs with each, plus manual filtering for the Oakley curve.
It may be relevant that I am using OpenSSL 3.0.x in FIPS-140 mode. (Don't know what micro. I'm on 12 now, but did the curve work several months ago.)
-- Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
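
A sketch of the probing approach described in the message above, added here as an example and not taken from the original post. It drives the openssl command-line tool rather than EC_get_builtin_curves(), so each attempt runs in its own process and a curve that misbehaves cannot damage the state used to test the next one. The function names and the CN value are hypothetical.

```sh
#!/bin/sh
# Added example: find which builtin curves survive key generation and CSR creation.

# Print one curve name per line. Description lines that wrap onto a
# tab-indented continuation line carry no "name:" prefix and are skipped.
list_curves() {
    openssl ecparam -list_curves 2>/dev/null |
        sed -n 's/^ *\([A-Za-z0-9_-]\{1,\}\) *:.*/\1/p'
}

# Print ok, no-key, no-csr or crash for a single curve.
probe_curve() {
    curve=$1
    rc=0
    dir=$(mktemp -d) || return 2
    openssl ecparam -name "$curve" -genkey -noout \
        -out "$dir/key.pem" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -ne 0 ]; then
        status=no-key
    else
        # CN is a constructed value; only success or failure matters here.
        openssl req -new -key "$dir/key.pem" -subj "/CN=curve-probe" \
            -out "$dir/req.pem" >/dev/null 2>&1 || rc=$?
        if [ "$rc" -eq 0 ]; then status=ok; else status=no-csr; fi
    fi
    # An exit status above 128 means the openssl process died on a signal.
    if [ "$rc" -gt 128 ]; then status=crash; fi
    rm -rf "$dir"
    echo "$status"
}

# Print the curves that pass both steps.
usable_curves() {
    list_curves | while read -r curve; do
        case "$curve" in
            Oakley-EC2N-4) continue ;;  # filtered by hand, as in the message
        esac
        if [ "$(probe_curve "$curve")" = ok ]; then
            echo "$curve"
        fi
    done
}

# Run the full scan only on request: sh probe.sh --all
if [ "${1:-}" = "--all" ]; then
    usable_curves
fi
```

The result depends on the OpenSSL build and on which providers are active (for example FIPS), so the scan should be run on the deployed configuration rather than copied between systems.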