Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8235184

Deprecate the legacy elliptic curves for removal


    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 14
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Compatibility Risk:
    • Compatibility Risk Description:
      There is no compatibility risk until they are actually removed.
    • Interface Kind:
    • Scope:



      Deprecate the elliptic curves that are currently supported by the native implementation of the SunEC provider with the intention of removing or replacing (a small number of) them in a subsequent JDK release.


      These curves are not implemented using modern formulas and techniques. We have already replaced some of these curves (secp256r1, secp384r1, and secp512r1) with a more modern implementation -- see JDK-8208698 for more details. With a few exceptions, the remaining curves are rarely used in practice. It does not make sense to invest what would be a significant amount of resources to replace them. Most of the curves have also been deprecated or obsoleted by TLS specifications - see RFC 8446 and RFC 8422.


      Since the curves are implementation-specific features, we cannot use the standard Deprecated annotation. Instead we will document the deprecation in the JDK Providers Guide and Release Notes.

      The names of the curves that will be deprecated is:

      • brainpoolP256r1
      • brainpoolP320r1
      • brainpoolP384r1
      • brainpoolP512r1
      • secp112r1
      • secp112r2
      • secp128r1
      • secp128r2
      • secp160k1
      • secp160r1
      • secp160r2
      • secp192k1
      • secp192r1
      • secp224k1
      • secp224r1
      • secp256k1
      • sect113r1
      • sect113r2
      • sect131r1
      • sect131r2
      • sect163k1
      • sect163r1
      • sect163r2
      • sect193r1
      • sect193r2
      • sect233k1
      • sect233r1
      • sect239k1
      • sect283k1
      • sect283r1
      • sect409k1
      • sect409r1
      • sect571k1
      • sect571r1
      • X9.62 c2tnb191v1
      • X9.62 c2tnb191v2
      • X9.62 c2tnb191v3
      • X9.62 c2tnb239v1
      • X9.62 c2tnb239v2
      • X9.62 c2tnb239v3
      • X9.62 c2tnb359v1
      • X9.62 c2tnb431r1
      • X9.62 prime192v2
      • X9.62 prime192v3
      • X9.62 prime239v1
      • X9.62 prime239v2
      • X9.62 prime239v3

      If time and resources permit, a few of the curves (specifically the brainpool curves and the secp256k1 curve) may be replaced with more modern implementations instead of being removed.


      These curves are already marked as legacy in the SunEC section of the JDK Providers Guide. This section will be updated to note that the curves are officially deprecated and will be removed or replaced in the next JDK release. A release note will also be published.


          Issue Links



              • Assignee:
                mullan Sean Mullan
                mullan Sean Mullan
                Reviewed By:
                Xue-Lei Fan
              • Votes:
                0 Vote for this issue
                1 Start watching this issue


                • Created: