diff --git a/certs/ecc/bp256r1-key.der b/certs/ecc/bp256r1-key.der new file mode 100644 index 000000000..86b9407ef Binary files /dev/null and b/certs/ecc/bp256r1-key.der differ diff --git a/certs/ecc/bp256r1-key.pem b/certs/ecc/bp256r1-key.pem new file mode 100644 index 000000000..165d0a867 --- /dev/null +++ b/certs/ecc/bp256r1-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHgCAQEEIALRjSn7gQicLnRopI92xvo14rrdLVl0IEzDB40t3Pa7oAsGCSskAwMC +CAEBB6FEA0IABC7vJ8tXOtxiJba1QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXg +OGuAhGSfcKrYuzOQwduBRq7pgckDabXOres= +-----END EC PRIVATE KEY----- diff --git a/certs/ecc/client-bp256r1-cert.der b/certs/ecc/client-bp256r1-cert.der new file mode 100644 index 000000000..2a70bc9fe Binary files /dev/null and b/certs/ecc/client-bp256r1-cert.der differ diff --git a/certs/ecc/client-bp256r1-cert.pem b/certs/ecc/client-bp256r1-cert.pem new file mode 100644 index 000000000..bdc13916e --- /dev/null +++ b/certs/ecc/client-bp256r1-cert.pem @@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 23:c2:32:32:87:c0:20:35:77:e6:56:4b:ba:d3:ba:19:de:0e:ed:9e + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Oct 15 20:13:58 2020 GMT + Not After : Oct 13 20:13:58 2030 GMT + Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee: + 29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62: + 10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f: + 70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03: + 69:b5:ce:ad:eb + ASN1 OID: brainpoolP256r1 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Cert Type: + SSL Client, S/MIME + X509v3 Subject Key Identifier: + B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5 + X509v3 Authority Key Identifier: + keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5 + + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, E-mail Protection + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:28:b6:b4:eb:ae:c1:9b:71:0a:15:92:93:d6:2d: + 12:a6:ff:2d:2a:f5:23:a8:e2:df:6c:d9:33:d4:7f:e9:2e:08: + 02:20:33:eb:45:aa:c1:7c:36:c1:60:52:09:0e:2d:e4:2a:49: + 1d:d8:b2:c5:79:3e:be:d4:61:c5:14:d0:b6:f2:42:d4 +-----BEGIN CERTIFICATE----- +MIICyTCCAnCgAwIBAgIUI8IyMofAIDV35lZLutO6Gd4O7Z4wCgYIKoZIzj0EAwIw +gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT +ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNM +STEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1OFoXDTMwMTAxMzIwMTM1OFowgZox +CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0 +dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNMSTEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv +bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1 +QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD +abXOreujgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYDVR0O +BBYEFLQbO09l8r+eio/jM5ZEH2fqszTVMB8GA1UdIwQYMBaAFLQbO09l8r+eio/j +M5ZEH2fqszTVMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI +KwYBBQUHAwQwCgYIKoZIzj0EAwIDRwAwRAIgKLa0667Bm3EKFZKT1i0Spv8tKvUj +qOLfbNkz1H/pLggCIDPrRarBfDbBYFIJDi3kKkkd2LLFeT6+1GHFFNC28kLU +-----END CERTIFICATE----- diff --git a/certs/ecc/client-secp256k1-cert.der b/certs/ecc/client-secp256k1-cert.der new file mode 100644 index 000000000..1185dc21e Binary files /dev/null and b/certs/ecc/client-secp256k1-cert.der differ diff --git a/certs/ecc/client-secp256k1-cert.pem b/certs/ecc/client-secp256k1-cert.pem new file mode 100644 index 000000000..0d03c0889 --- /dev/null +++ b/certs/ecc/client-secp256k1-cert.pem @@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3d:12:fd:a2:a8:15:63:d8:4e:3f:48:81:46:92:ae:65:f3:27:7f:f2 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Oct 15 20:13:49 2020 GMT + Not After : Oct 13 20:13:49 2030 GMT + Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4: + 3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c: + b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23: + 36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33: + 1f:cd:79:82:10 + ASN1 OID: secp256k1 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Cert Type: + SSL Client, S/MIME + X509v3 Subject Key Identifier: + 44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77 + X509v3 Authority Key Identifier: + keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77 + + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, E-mail Protection + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:73:08:4a:18:d1:ad:81:f6:5c:59:27:da:36:9a: + cd:fb:4e:97:5a:58:b3:61:fe:b0:ec:7e:76:ca:0c:5a:d3:c1: + 02:21:00:a5:05:b4:f5:2f:d3:bf:71:d4:0c:fb:bf:a0:64:0b: + cd:bb:18:ef:df:92:bc:5c:cc:6c:74:82:c8:52:5a:f6:46 +-----BEGIN CERTIFICATE----- +MIICwjCCAmigAwIBAgIUPRL9oqgVY9hOP0iBRpKuZfMnf/IwCgYIKoZIzj0EAwIw +gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT +ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1DTEkx +GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDlaFw0zMDEwMTMyMDEzNDlaMIGYMQsw +CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs +ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtQ0xJMRgwFgYD +VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz +bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp +y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4GQ +MIGNMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1UdDgQWBBREathx +batiGCECJyOQvx13tnlLdzAfBgNVHSMEGDAWgBREathxbatiGCECJyOQvx13tnlL +dzAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME +MAoGCCqGSM49BAMCA0gAMEUCIHMIShjRrYH2XFkn2jaazftOl1pYs2H+sOx+dsoM +WtPBAiEApQW09S/Tv3HUDPu/oGQLzbsY79+SvFzMbHSCyFJa9kY= +-----END CERTIFICATE----- diff --git a/certs/ecc/genecc.sh b/certs/ecc/genecc.sh index 025072b38..752440e5f 100755 --- a/certs/ecc/genecc.sh +++ b/certs/ecc/genecc.sh @@ -88,6 +88,39 @@ rm ./certs/client-ecc384-req.pem rm ./certs/client-ecc384-key.par +# Generate ECC Kerberos Keys +if [ -f ./certs/ecc/secp256k1-key.pem ]; then + openssl ecparam -name secp256k1 -genkey -noout -out ./certs/ecc/secp256k1-key.pem + openssl ec -in ./certs/ecc/secp256k1-key.pem -inform PEM -out ./certs/ecc/secp256k1-key.der -outform DER +fi +# Create self-signed ECC Kerberos certificates +openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/server-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/" +openssl x509 -req -in ./certs/ecc/server-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/server-secp256k1-cert.pem +openssl x509 -inform pem -in ./certs/ecc/server-secp256k1-cert.pem -outform der -out ./certs/ecc/server-secp256k1-cert.der +rm ./certs/ecc/server-secp256k1-req.pem + +openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/client-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/" +openssl x509 -req -in ./certs/ecc/client-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/client-secp256k1-cert.pem +openssl x509 -inform pem -in ./certs/ecc/client-secp256k1-cert.pem -outform der -out ./certs/ecc/client-secp256k1-cert.der +rm ./certs/ecc/client-secp256k1-req.pem + +# Generate ECC Brainpool Keys +if [ -f ./certs/ecc/bp256r1-key.pem ]; then + openssl ecparam -name brainpoolP256r1 -genkey -noout -out ./certs/ecc/bp256r1-key.pem + openssl ec -in ./certs/ecc/bp256r1-key.pem -inform PEM -out ./certs/ecc/bp256r1-key.der -outform DER +fi +# Create self-signed ECC Brainpool certificates +openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/server-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/" +openssl x509 -req -in ./certs/ecc/server-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/server-bp256r1-cert.pem +openssl x509 -inform pem -in ./certs/ecc/server-bp256r1-cert.pem -outform der -out ./certs/ecc/server-bp256r1-cert.der +rm ./certs/ecc/server-bp256r1-req.pem + +openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/client-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/" +openssl x509 -req -in ./certs/ecc/client-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/client-bp256r1-cert.pem +openssl x509 -inform pem -in ./certs/ecc/client-bp256r1-cert.pem -outform der -out ./certs/ecc/client-bp256r1-cert.der +rm ./certs/ecc/client-bp256r1-req.pem + + # Also manually need to: # 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der` # 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der diff --git a/certs/ecc/include.am b/certs/ecc/include.am index b9897c1c2..c5a4f858a 100644 --- a/certs/ecc/include.am +++ b/certs/ecc/include.am @@ -6,3 +6,21 @@ EXTRA_DIST += \ certs/ecc/genecc.sh \ certs/ecc/wolfssl.cnf \ certs/ecc/wolfssl_384.cnf + +# Koblitz Curves +EXTRA_DIST += \ + certs/ecc/secp256k1-key.der \ + certs/ecc/secp256k1-key.pem \ + certs/ecc/client-secp256k1-cert.der \ + certs/ecc/client-secp256k1-cert.pem \ + certs/ecc/server-secp256k1-cert.der \ + certs/ecc/server-secp256k1-cert.pem + +# Brainpool Curves +EXTRA_DIST += \ + certs/ecc/bp256r1-key.der \ + certs/ecc/bp256r1-key.pem \ + certs/ecc/client-bp256r1-cert.der \ + certs/ecc/client-bp256r1-cert.pem \ + certs/ecc/server-bp256r1-cert.der \ + certs/ecc/server-bp256r1-cert.pem diff --git a/certs/ecc/secp256k1-key.der b/certs/ecc/secp256k1-key.der new file mode 100644 index 000000000..6a80d8bdf Binary files /dev/null and b/certs/ecc/secp256k1-key.der differ diff --git a/certs/ecc/secp256k1-key.pem b/certs/ecc/secp256k1-key.pem new file mode 100644 index 000000000..be4b4889a --- /dev/null +++ b/certs/ecc/secp256k1-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHQCAQEEILlFjaVww/Q8MLWZOcmS3ZCx3VCJWWoNXxRYRA3e4IApoAcGBSuBBAAK +oUQDQgAE1w0L8Q4iiP771eXhCaQ+kHazKcvZE2C36oiC14y22yHckw/pWLvF8qLC +9SM2xdXrJKYk2+4CsAUxpjMfzXmCEA== +-----END EC PRIVATE KEY----- diff --git a/certs/ecc/server-bp256r1-cert.der b/certs/ecc/server-bp256r1-cert.der new file mode 100644 index 000000000..2115e0572 Binary files /dev/null and b/certs/ecc/server-bp256r1-cert.der differ diff --git a/certs/ecc/server-bp256r1-cert.pem b/certs/ecc/server-bp256r1-cert.pem new file mode 100644 index 000000000..217d21c55 --- /dev/null +++ b/certs/ecc/server-bp256r1-cert.pem @@ -0,0 +1,63 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2f:f8:fa:8b:cf:ec:8f:2c:bc:40:fb:95:a0:3e:04:db:dd:c5:7f:08 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Oct 15 20:13:55 2020 GMT + Not After : Oct 13 20:13:55 2030 GMT + Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee: + 29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62: + 10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f: + 70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03: + 69:b5:ce:ad:eb + ASN1 OID: brainpoolP256r1 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Cert Type: + SSL Server + X509v3 Subject Key Identifier: + B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5 + X509v3 Authority Key Identifier: + keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5 + DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:2F:F8:FA:8B:CF:EC:8F:2C:BC:40:FB:95:A0:3E:04:DB:DD:C5:7F:08 + + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:81:37:b3:f7:a7:e7:9d:1b:62:3f:25:20:02: + 45:93:45:5c:91:23:1b:8b:bc:09:0c:f7:ef:51:29:a4:90:ec: + 91:02:20:74:dd:26:c3:eb:24:e1:33:ce:b4:c6:f8:5f:9f:99: + 6d:2b:9a:ee:ac:33:d8:08:29:19:3c:00:f1:83:de:a6:af +-----BEGIN CERTIFICATE----- +MIIDfjCCAySgAwIBAgIUL/j6i8/sjyy8QPuVoD4E293FfwgwCgYIKoZIzj0EAwIw +gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT +ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNS +VjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1NVoXDTMwMTAxMzIwMTM1NVowgZox +CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0 +dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv +bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1 +QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD +abXOreujggFDMIIBPzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAdBgNV +HQ4EFgQUtBs7T2Xyv56Kj+MzlkQfZ+qzNNUwgdoGA1UdIwSB0jCBz4AUtBs7T2Xy +v56Kj+MzlkQfZ+qzNNWhgaCkgZ0wgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApX +YXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcw +FQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t +MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghQv+PqLz+yPLLxA+5Wg +PgTb3cV/CDAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYI +KoZIzj0EAwIDSAAwRQIhAIE3s/en550bYj8lIAJFk0VckSMbi7wJDPfvUSmkkOyR +AiB03SbD6yThM860xvhfn5ltK5rurDPYCCkZPADxg96mrw== +-----END CERTIFICATE----- diff --git a/certs/ecc/server-secp256k1-cert.der b/certs/ecc/server-secp256k1-cert.der new file mode 100644 index 000000000..19f9ec7e8 Binary files /dev/null and b/certs/ecc/server-secp256k1-cert.der differ diff --git a/certs/ecc/server-secp256k1-cert.pem b/certs/ecc/server-secp256k1-cert.pem new file mode 100644 index 000000000..bc8d1952f --- /dev/null +++ b/certs/ecc/server-secp256k1-cert.pem @@ -0,0 +1,63 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 60:d5:b7:78:ff:06:14:3b:1e:c5:ba:8b:dd:5e:67:b2:16:aa:b2:c7 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Oct 15 20:13:46 2020 GMT + Not After : Oct 13 20:13:46 2030 GMT + Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4: + 3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c: + b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23: + 36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33: + 1f:cd:79:82:10 + ASN1 OID: secp256k1 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Cert Type: + SSL Server + X509v3 Subject Key Identifier: + 44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77 + X509v3 Authority Key Identifier: + keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77 + DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:60:D5:B7:78:FF:06:14:3B:1E:C5:BA:8B:DD:5E:67:B2:16:AA:B2:C7 + + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:01:71:b5:5f:e4:5b:b7:95:b4:59:9a:b0:dc:ef: + 64:01:76:ef:04:07:d8:b4:44:e5:db:86:e4:05:8c:c1:22:19: + 02:20:3e:93:fb:30:f9:4c:89:39:35:df:b3:79:d5:29:bb:2b: + 08:84:8a:f8:55:7c:f9:68:d6:2c:11:28:af:a9:33:0f +-----BEGIN CERTIFICATE----- +MIIDczCCAxqgAwIBAgIUYNW3eP8GFDsexbqL3V5nshaqsscwCgYIKoZIzj0EAwIw +gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT +ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1TUlYx +GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDZaFw0zMDEwMTMyMDEzNDZaMIGYMQsw +CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs +ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtU1JWMRgwFgYD +VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz +bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp +y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4IB +QTCCAT0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwHQYDVR0OBBYEFERq +2HFtq2IYIQInI5C/HXe2eUt3MIHYBgNVHSMEgdAwgc2AFERq2HFtq2IYIQInI5C/ +HXe2eUt3oYGepIGbMIGYMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv +bjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwM +RUNDMjU2SzEtU1JWMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG +9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGDVt3j/BhQ7HsW6i91eZ7IWqrLHMA4G +A1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATAKBggqhkjOPQQDAgNH +ADBEAiABcbVf5Fu3lbRZmrDc72QBdu8EB9i0ROXbhuQFjMEiGQIgPpP7MPlMiTk1 +37N51Sm7KwiEivhVfPlo1iwRKK+pMw8= +-----END CERTIFICATE----- diff --git a/tests/include.am b/tests/include.am index f6d2cd600..d1519b918 100644 --- a/tests/include.am +++ b/tests/include.am @@ -49,5 +49,6 @@ EXTRA_DIST += tests/test.conf \ tests/test-altchains.conf \ tests/test-trustpeer.conf \ tests/test-dhprime.conf \ - tests/test-p521.conf + tests/test-p521.conf \ + test-ecc-cust-curves.conf DISTCLEANFILES+= tests/.libs/unit.test diff --git a/tests/suites.c b/tests/suites.c index 288283333..f2d797af2 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -882,8 +882,8 @@ int SuiteTest(int argc, char** argv) goto exit; } #endif -#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \ - defined(WOLFSSL_SHA512) +#if defined(HAVE_ECC) && defined(WOLFSSL_SHA512) && \ + (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) /* add P-521 certificate cipher suite tests */ strcpy(argv0[1], "tests/test-p521.conf"); printf("starting P-521 extra cipher suite tests\n"); @@ -894,6 +894,18 @@ int SuiteTest(int argc, char** argv) goto exit; } #endif +#if defined(HAVE_ECC) && !defined(NO_SHA256) && defined(WOLFSSL_CUSTOM_CURVES) && \ + defined(HAVE_ECC_KOBLITZ) && defined(HAVE_ECC_BRAINPOOL) + /* TLS non-NIST curves (Koblitz / Brainpool) */ + strcpy(argv0[1], "tests/test-ecc-cust-curves.conf"); + printf("starting TLS test of non-NIST curves (Koblitz / Brainpool)\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } +#endif #ifdef WOLFSSL_DTLS /* add dtls extra suites */ strcpy(argv0[1], "tests/test-dtls.conf"); diff --git a/tests/test-ecc-cust-curves.conf b/tests/test-ecc-cust-curves.conf new file mode 100644 index 000000000..697d96796 --- /dev/null +++ b/tests/test-ecc-cust-curves.conf @@ -0,0 +1,181 @@ +# ----- secp256k1 ------ +# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/server-secp256k1-cert.pem +-k ./certs/ecc/secp256k1-key.pem +-d + +# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-A ./certs/ecc/server-secp256k1-cert.pem +-x +-C + +# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static) +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/server-secp256k1-cert.pem +-k ./certs/ecc/secp256k1-key.pem +-d + +# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static) +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-A ./certs/ecc/server-secp256k1-cert.pem +-x +-C + +# server TLSv1.3 TLS13-AES128-GCM-SHA256 +-v 4 +-l TLS13-AES128-GCM-SHA256 +-c ./certs/ecc/server-secp256k1-cert.pem +-k ./certs/ecc/secp256k1-key.pem +-d + +# client TLSv1.3 TLS13-AES128-GCM-SHA256 +-v 4 +-l TLS13-AES128-GCM-SHA256 +-A ./certs/ecc/server-secp256k1-cert.pem +-x +-C + +# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutual auth) +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/server-secp256k1-cert.pem +-k ./certs/ecc/secp256k1-key.pem +-A ./certs/ecc/client-secp256k1-cert.pem +-V + +# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutal auth) +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/client-secp256k1-cert.pem +-k ./certs/ecc/secp256k1-key.pem +-A ./certs/ecc/server-secp256k1-cert.pem +-C + +# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutual auth) +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/server-secp256k1-cert.pem +-k ./certs/ecc/secp256k1-key.pem +-A ./certs/ecc/client-secp256k1-cert.pem +-V + +# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutal auth) +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/client-secp256k1-cert.pem +-k ./certs/ecc/secp256k1-key.pem +-A ./certs/ecc/server-secp256k1-cert.pem +-C + +# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth) +-v 4 +-l TLS13-AES128-GCM-SHA256 +-c ./certs/ecc/server-secp256k1-cert.pem +-k ./certs/ecc/secp256k1-key.pem +-A ./certs/ecc/client-secp256k1-cert.pem +-V + +# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth) +-v 4 +-l TLS13-AES128-GCM-SHA256 +-c ./certs/ecc/client-secp256k1-cert.pem +-k ./certs/ecc/secp256k1-key.pem +-A ./certs/ecc/server-secp256k1-cert.pem +-C + +# ----- bp256r1 ------ +# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/server-bp256r1-cert.pem +-k ./certs/ecc/bp256r1-key.pem +-d + +# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-A ./certs/ecc/server-bp256r1-cert.pem +-x +-C + +# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static) +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/server-bp256r1-cert.pem +-k ./certs/ecc/bp256r1-key.pem +-d + +# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static) +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-A ./certs/ecc/server-bp256r1-cert.pem +-x +-C + +# server TLSv1.3 TLS13-AES128-GCM-SHA256 +-v 4 +-l TLS13-AES128-GCM-SHA256 +-c ./certs/ecc/server-bp256r1-cert.pem +-k ./certs/ecc/bp256r1-key.pem +-d + +# client TLSv1.3 TLS13-AES128-GCM-SHA256 +-v 4 +-l TLS13-AES128-GCM-SHA256 +-A ./certs/ecc/server-bp256r1-cert.pem +-x +-C + +# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutual auth) +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/server-bp256r1-cert.pem +-k ./certs/ecc/bp256r1-key.pem +-A ./certs/ecc/client-bp256r1-cert.pem +-V + +# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutal auth) +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/client-bp256r1-cert.pem +-k ./certs/ecc/bp256r1-key.pem +-A ./certs/ecc/server-bp256r1-cert.pem +-C + +# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutual auth) +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/server-bp256r1-cert.pem +-k ./certs/ecc/bp256r1-key.pem +-A ./certs/ecc/client-bp256r1-cert.pem +-V + +# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutal auth) +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-c ./certs/ecc/client-bp256r1-cert.pem +-k ./certs/ecc/bp256r1-key.pem +-A ./certs/ecc/server-bp256r1-cert.pem +-C + +# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth) +-v 4 +-l TLS13-AES128-GCM-SHA256 +-c ./certs/ecc/server-bp256r1-cert.pem +-k ./certs/ecc/bp256r1-key.pem +-A ./certs/ecc/client-bp256r1-cert.pem +-V + +# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth) +-v 4 +-l TLS13-AES128-GCM-SHA256 +-c ./certs/ecc/client-bp256r1-cert.pem +-k ./certs/ecc/bp256r1-key.pem +-A ./certs/ecc/server-bp256r1-cert.pem +-C