diff --git a/Makefile.am b/Makefile.am index 60a5a57ae..1de2b3d11 100644 --- a/Makefile.am +++ b/Makefile.am @@ -19,6 +19,7 @@ dist_doc_DATA= dist_noinst_SCRIPTS = noinst_SCRIPTS = check_SCRIPTS = +noinst_DATA = #includes additional rules from aminclude.am @INC_AMINCLUDE@ diff --git a/certs/include.am b/certs/include.am index 7a425515c..920c49165 100644 --- a/certs/include.am +++ b/certs/include.am @@ -106,6 +106,7 @@ include certs/crl/include.am include certs/ecc/include.am include certs/ed25519/include.am include certs/ed448/include.am +include certs/p521/include.am include certs/external/include.am include certs/ocsp/include.am include certs/statickeys/include.am diff --git a/certs/p521/ca-p521-key.der b/certs/p521/ca-p521-key.der new file mode 100644 index 000000000..213b261ba Binary files /dev/null and b/certs/p521/ca-p521-key.der differ diff --git a/certs/p521/ca-p521-key.pem b/certs/p521/ca-p521-key.pem new file mode 100644 index 000000000..29b90810e --- /dev/null +++ b/certs/p521/ca-p521-key.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQALRgkLeTbbMNpm9sYZzPxYGiUFM2R +Sldl7zb6JIKI7Mfwy0hFbpZff+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHt +Q1044AwljbPbsdzetyGAz4feZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1I +VCHlj5W1m0GNX91y0lo= +-----END PUBLIC KEY----- diff --git a/certs/p521/ca-p521-priv.der b/certs/p521/ca-p521-priv.der new file mode 100644 index 000000000..e70f8ee62 Binary files /dev/null and b/certs/p521/ca-p521-priv.der differ diff --git a/certs/p521/ca-p521-priv.pem b/certs/p521/ca-p521-priv.pem new file mode 100644 index 000000000..a5eb5bc73 --- /dev/null +++ b/certs/p521/ca-p521-priv.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIB29qI0BYpdJXJ61gEQtz5rWlWL8B+ZKslEzyZlA5Z2iAKjwKUxd6Q +js0MrD6yn1lne9FGISDUo+sjDDOiQvxx8F2gBwYFK4EEACOhgYkDgYYABAAtGCQt +5Ntsw2mb2xhnM/FgaJQUzZFKV2XvNvokgojsx/DLSEVull9/63a+REDDGcAzaMQG +BI7CJbGWgyIOe8ey/AGGke1DXTjgDCWNs9ux3N63IYDPh95k9CE+La95vfbQAEuB +efr3EKoZzUDXHnU0UykD7UhUIeWPlbWbQY1f3XLSWg== +-----END EC PRIVATE KEY----- diff --git a/certs/p521/ca-p521.der b/certs/p521/ca-p521.der new file mode 100644 index 000000000..8b964e419 Binary files /dev/null and b/certs/p521/ca-p521.der differ diff --git a/certs/p521/ca-p521.pem b/certs/p521/ca-p521.pem new file mode 100644 index 000000000..fa8962da3 --- /dev/null +++ b/certs/p521/ca-p521.pem @@ -0,0 +1,63 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:00:2d:18:24:2d:e4:db:6c:c3:69:9b:db:18:67: + 33:f1:60:68:94:14:cd:91:4a:57:65:ef:36:fa:24: + 82:88:ec:c7:f0:cb:48:45:6e:96:5f:7f:eb:76:be: + 44:40:c3:19:c0:33:68:c4:06:04:8e:c2:25:b1:96: + 83:22:0e:7b:c7:b2:fc:01:86:91:ed:43:5d:38:e0: + 0c:25:8d:b3:db:b1:dc:de:b7:21:80:cf:87:de:64: + f4:21:3e:2d:af:79:bd:f6:d0:00:4b:81:79:fa:f7: + 10:aa:19:cd:40:d7:1e:75:34:53:29:03:ed:48:54: + 21:e5:8f:95:b5:9b:41:8d:5f:dd:72:d2:5a + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82 + X509v3 Authority Key Identifier: + keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA256 + 30:81:87:02:41:60:cd:fa:94:0d:23:c3:4e:3c:b1:6e:d9:b6: + 5b:0e:97:1e:a4:df:0a:7c:05:2e:61:0c:d7:c0:e5:86:16:0c: + 7b:01:a5:33:9a:e6:31:a0:62:91:da:dc:22:d1:ba:4f:75:43: + 94:43:67:91:20:08:66:96:27:53:b2:61:0e:59:0a:50:02:42: + 01:ec:87:8d:ca:6d:e0:bf:30:ba:ef:37:13:ad:f6:d1:c4:fc: + b5:e5:4b:96:c2:83:a0:d8:ed:04:73:85:8d:54:d7:e9:9a:67: + 8a:cf:11:36:4a:f2:2f:85:5a:24:5e:3c:79:e1:a7:c4:ec:78: + 82:7a:52:25:c4:55:57:95:0e:6f:c9:d5 +-----BEGIN CERTIFICATE----- +MIIDBzCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO +BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT +U0xfUDUyMTESMBAGA1UECwwJUm9vdC1QNTIxMRgwFgYDVQQDDA93d3cud29sZnNz +bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjAwOTE0 +MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM +B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfcDUy +MTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8w +HQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIGbMBAGByqGSM49AgEGBSuB +BAAjA4GGAAQALRgkLeTbbMNpm9sYZzPxYGiUFM2RSldl7zb6JIKI7Mfwy0hFbpZf +f+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHtQ1044AwljbPbsdzetyGAz4fe +ZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1IVCHlj5W1m0GNX91y0lqjYzBh +MB0GA1UdDgQWBBRAiR0wXgxu1T3G1SWQ2rZCZ+3pgjAfBgNVHSMEGDAWgBRkp2iV +UzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +hjAKBggqhkjOPQQDAgOBiwAwgYcCQWDN+pQNI8NOPLFu2bZbDpcepN8KfAUuYQzX +wOWGFgx7AaUzmuYxoGKR2twi0bpPdUOUQ2eRIAhmlidTsmEOWQpQAkIB7IeNym3g +vzC67zcTrfbRxPy15UuWwoOg2O0Ec4WNVNfpmmeKzxE2SvIvhVokXjx54afE7HiC +elIlxFVXlQ5vydU= +-----END CERTIFICATE----- diff --git a/certs/p521/client-p521-key.der b/certs/p521/client-p521-key.der new file mode 100644 index 000000000..cee7431b2 Binary files /dev/null and b/certs/p521/client-p521-key.der differ diff --git a/certs/p521/client-p521-key.pem b/certs/p521/client-p521-key.pem new file mode 100644 index 000000000..c1837cc15 --- /dev/null +++ b/certs/p521/client-p521-key.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBYm7xAOzYmVibgGv+LPGy8MhI36zS +O3Epq/BmY9iOtcjC/JlE4kWxWnu5cwHaeeycJic0RSbViUtE/mlOchTji7wADwmi +A8Na3JWC9vn2nP+1a3WVS6QoXZ6QBNHAHtX9Q54eg8ARKysHbal6ENdn51E3JNi/ +Aw2LtUBcT9YTc0K8kdk= +-----END PUBLIC KEY----- diff --git a/certs/p521/client-p521-priv.der b/certs/p521/client-p521-priv.der new file mode 100644 index 000000000..882b3f473 Binary files /dev/null and b/certs/p521/client-p521-priv.der differ diff --git a/certs/p521/client-p521-priv.pem b/certs/p521/client-p521-priv.pem new file mode 100644 index 000000000..eec5e98f0 --- /dev/null +++ b/certs/p521/client-p521-priv.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBaJEzU+KQaBGPqqh2DPcqBxuSKqeCPfqDznDIwmCC/hiIaNpqg0Z4 +5OnpzFF/7YECMu4mh8ztYz85J/DXF3ehpDagBwYFK4EEACOhgYkDgYYABAFibvEA +7NiZWJuAa/4s8bLwyEjfrNI7cSmr8GZj2I61yML8mUTiRbFae7lzAdp57JwmJzRF +JtWJS0T+aU5yFOOLvAAPCaIDw1rclYL2+fac/7VrdZVLpChdnpAE0cAe1f1Dnh6D +wBErKwdtqXoQ12fnUTck2L8DDYu1QFxP1hNzQryR2Q== +-----END EC PRIVATE KEY----- diff --git a/certs/p521/client-p521.der b/certs/p521/client-p521.der new file mode 100644 index 000000000..3bc9aecf6 Binary files /dev/null and b/certs/p521/client-p521.der differ diff --git a/certs/p521/client-p521.pem b/certs/p521/client-p521.pem new file mode 100644 index 000000000..5fc68c016 --- /dev/null +++ b/certs/p521/client-p521.pem @@ -0,0 +1,73 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 24:9d:c6:98:df:09:87:30:42:bd:e6:4f:86:05:af:dc:82:89:d7:0e + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:01:62:6e:f1:00:ec:d8:99:58:9b:80:6b:fe:2c: + f1:b2:f0:c8:48:df:ac:d2:3b:71:29:ab:f0:66:63: + d8:8e:b5:c8:c2:fc:99:44:e2:45:b1:5a:7b:b9:73: + 01:da:79:ec:9c:26:27:34:45:26:d5:89:4b:44:fe: + 69:4e:72:14:e3:8b:bc:00:0f:09:a2:03:c3:5a:dc: + 95:82:f6:f9:f6:9c:ff:b5:6b:75:95:4b:a4:28:5d: + 9e:90:04:d1:c0:1e:d5:fd:43:9e:1e:83:c0:11:2b: + 2b:07:6d:a9:7a:10:d7:67:e7:51:37:24:d8:bf:03: + 0d:8b:b5:40:5c:4f:d6:13:73:42:bc:91:d9 + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 20:E1:BF:57:E5:F3:C3:0C:72:84:6A:C6:DF:BC:22:D0:B7:25:E5:A4 + X509v3 Authority Key Identifier: + keyid:20:E1:BF:57:E5:F3:C3:0C:72:84:6A:C6:DF:BC:22:D0:B7:25:E5:A4 + DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_p521/OU=Client-p521/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:24:9D:C6:98:DF:09:87:30:42:BD:E6:4F:86:05:AF:DC:82:89:D7:0E + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Alternative Name: + DNS:example.com, IP Address:127.0.0.1 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: ecdsa-with-SHA256 + 30:81:87:02:42:01:e1:85:a5:0e:81:ff:b0:2a:d3:b8:73:8c: + 1d:8e:1f:42:4c:de:cb:d1:63:69:ce:53:d0:2a:52:14:e4:7a: + 2f:1e:c4:0b:1b:db:1e:36:97:72:ed:9b:2f:d4:93:79:06:ec: + 41:6c:6c:18:28:99:56:b6:0b:58:c4:bc:47:db:64:a8:7e:02: + 41:2b:d0:32:2e:03:81:32:f3:9a:65:58:a4:51:7e:9a:ad:c2: + 99:bf:21:f1:a1:70:61:4b:ee:8e:df:3b:9c:79:e3:12:b4:3b: + 9e:64:da:d0:ef:5b:50:7b:a1:b0:30:8f:af:66:71:9d:41:20: + cf:e8:9c:bd:f5:3b:c4:fe:00:43:35:24 +-----BEGIN CERTIFICATE----- +MIIECTCCA2ugAwIBAgIUJJ3GmN8JhzBCveZPhgWv3IKJ1w4wCgYIKoZIzj0EAwIw +gZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl +bWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjExFDASBgNVBAsMC0NsaWVudC1wNTIx +MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A +d29sZnNzbC5jb20wHhcNMjAwOTE0MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBmTEL +MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x +FTATBgNVBAoMDHdvbGZTU0xfcDUyMTEUMBIGA1UECwwLQ2xpZW50LXA1MjExGDAW +BgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm +c3NsLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAWJu8QDs2JlYm4Br/izx +svDISN+s0jtxKavwZmPYjrXIwvyZROJFsVp7uXMB2nnsnCYnNEUm1YlLRP5pTnIU +44u8AA8JogPDWtyVgvb59pz/tWt1lUukKF2ekATRwB7V/UOeHoPAESsrB22pehDX +Z+dRNyTYvwMNi7VAXE/WE3NCvJHZo4IBSjCCAUYwHQYDVR0OBBYEFCDhv1fl88MM +coRqxt+8ItC3JeWkMIHZBgNVHSMEgdEwgc6AFCDhv1fl88MMcoRqxt+8ItC3JeWk +oYGfpIGcMIGZMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE +BwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF9wNTIxMRQwEgYDVQQLDAtDbGll +bnQtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tghQkncaY3wmHMEK95k+GBa/cgonXDjAMBgNVHRME +BTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgOBiwAwgYcCQgHhhaUOgf+w +KtO4c4wdjh9CTN7L0WNpzlPQKlIU5HovHsQLG9seNpdy7Zsv1JN5BuxBbGwYKJlW +tgtYxLxH22SofgJBK9AyLgOBMvOaZVikUX6arcKZvyHxoXBhS+6O3zuceeMStDue +ZNrQ71tQe6GwMI+vZnGdQSDP6Jy99TvE/gBDNSQ= +-----END CERTIFICATE----- diff --git a/certs/p521/gen-p521-certs.sh b/certs/p521/gen-p521-certs.sh new file mode 100755 index 000000000..f13cd6fee --- /dev/null +++ b/certs/p521/gen-p521-certs.sh @@ -0,0 +1,105 @@ +#!/bin/bash + +check_result(){ + if [ $1 -ne 0 ]; then + echo "Failed at \"$2\", Abort" + exit 1 + else + echo "Step Succeeded!" + fi +} + +openssl pkey -in root-p521-priv.pem -noout >/dev/null 2>&1 +if [ $? -ne 0 ]; then + echo "OpenSSL does not support P521" + echo "Skipping P521 certificate renewal" + exit 0 +fi + +############################################################ +###### update the self-signed root-p521.pem ############### +############################################################ +echo "Updating root-p521.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_P521\\nRoot-P521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \ +openssl req -new -key root-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-p521.csr +check_result $? "Generate request" + +openssl x509 -req -in root-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-p521-priv.pem -out root-p521.pem +check_result $? "Generate certificate" +rm root-p521.csr + +openssl x509 -in root-p521.pem -outform DER > root-p521.der +check_result $? "Convert to DER" +openssl x509 -in root-p521.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem root-p521.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update ca-p521.pem signed by root ################## +############################################################ +echo "Updating ca-p521.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nCA-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-p521.csr +check_result $? "Generate request" + +openssl x509 -req -in ca-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-p521.pem -CAkey root-p521-priv.pem -set_serial 01 -out ca-p521.pem +check_result $? "Generate certificate" +rm ca-p521.csr + +openssl x509 -in ca-p521.pem -outform DER > ca-p521.der +check_result $? "Convert to DER" +openssl x509 -in ca-p521.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem ca-p521.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update server-p521.pem signed by ca ################ +############################################################ +echo "Updating server-p521.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nServer-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-p521.csr +check_result $? "Generate request" + +openssl x509 -req -in server-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-p521.pem -CAkey ca-p521-priv.pem -set_serial 01 -out server-p521-cert.pem +check_result $? "Generate certificate" +rm server-p521.csr + +openssl x509 -in server-p521-cert.pem -outform DER > server-p521.der +check_result $? "Convert to DER" +openssl x509 -in server-p521-cert.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem server-p521-cert.pem +cat server-p521-cert.pem ca-p521.pem > server-p521.pem +check_result $? "Add CA into server cert" +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update the self-signed client-p521.pem ############# +############################################################ +echo "Updating client-p521.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nClient-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-p521.csr +check_result $? "Generate request" + +openssl x509 -req -in client-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-p521-priv.pem -out client-p521.pem +check_result $? "Generate certificate" +rm client-p521.csr + +openssl x509 -in client-p521.pem -outform DER > client-p521.der +check_result $? "Convert to DER" +openssl x509 -in client-p521.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem client-p521.pem +echo "End of section" +echo "---------------------------------------------------------------------" + diff --git a/certs/p521/gen-p521-keys.sh b/certs/p521/gen-p521-keys.sh new file mode 100755 index 000000000..811c6af62 --- /dev/null +++ b/certs/p521/gen-p521-keys.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +for key in root ca server client +do + + openssl ecparam -name secp521r1 -genkey -noout > ${key}-p521-priv.pem + + openssl pkey -in ${key}-p521-priv.pem -outform DER -out ${key}-p521-priv.der + + openssl pkey -in ${key}-p521-priv.pem -outform PEM -pubout -out ${key}-p521-key.pem + + openssl pkey -in ${key}-p521-priv.pem -outform DER -pubout -out ${key}-p521-key.der + +done + + diff --git a/certs/p521/include.am b/certs/p521/include.am new file mode 100644 index 000000000..fd2660b89 --- /dev/null +++ b/certs/p521/include.am @@ -0,0 +1,38 @@ +# vim:ft=automake +# All paths should be given relative to the root +# + +EXTRA_DIST += \ + certs/p521/ca-p521.der \ + certs/p521/ca-p521.pem \ + certs/p521/ca-p521-key.der \ + certs/p521/ca-p521-key.pem \ + certs/p521/ca-p521-priv.der \ + certs/p521/ca-p521-priv.pem \ + certs/p521/client-p521.der \ + certs/p521/client-p521.pem \ + certs/p521/client-p521-key.der \ + certs/p521/client-p521-key.pem \ + certs/p521/client-p521-priv.der \ + certs/p521/client-p521-priv.pem \ + certs/p521/root-p521.der \ + certs/p521/root-p521.pem \ + certs/p521/root-p521-key.der \ + certs/p521/root-p521-key.pem \ + certs/p521/root-p521-priv.der \ + certs/p521/root-p521-priv.pem \ + certs/p521/server-p521.der \ + certs/p521/server-p521.pem \ + certs/p521/server-p521-cert.pem \ + certs/p521/server-p521-key.der \ + certs/p521/server-p521-key.pem \ + certs/p521/server-p521-priv.der \ + certs/p521/server-p521-priv.pem + +if BUILD_FIPS_V2 +else +noinst_DATA+= \ + certs/p521/gen-p521-certs.sh \ + certs/p521/gen-p521-keys.sh +endif + diff --git a/certs/p521/root-p521-key.der b/certs/p521/root-p521-key.der new file mode 100644 index 000000000..6de44a228 Binary files /dev/null and b/certs/p521/root-p521-key.der differ diff --git a/certs/p521/root-p521-key.pem b/certs/p521/root-p521-key.pem new file mode 100644 index 000000000..e791da9ed --- /dev/null +++ b/certs/p521/root-p521-key.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQWDU5cw32/RMEsz2ejLM8hy3UxW9 +X1Pvy3OpyBRsb33FfLS7jlbCQ0X7WBzGRT1/5U6AzETBBnp14WnJiqgBet8ARElz +nC9QP4OgHovRqvsIDJAFDQwXMVE+1oU7CRKC0aYIzchPalrIjI5dv9rMW5Wh6Fop +eCKyukmhhcZIinFTjYk= +-----END PUBLIC KEY----- diff --git a/certs/p521/root-p521-priv.der b/certs/p521/root-p521-priv.der new file mode 100644 index 000000000..404c3ac41 Binary files /dev/null and b/certs/p521/root-p521-priv.der differ diff --git a/certs/p521/root-p521-priv.pem b/certs/p521/root-p521-priv.pem new file mode 100644 index 000000000..20e078d5a --- /dev/null +++ b/certs/p521/root-p521-priv.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIB+0L/Wo+9bKC8iEmkLdgQkDyeJkbDp0bmhUqOevrpeBqs/Q/0dtg9 +WFwp7ceTJkuLr/osgWrNpTxgVscecuiYRGSgBwYFK4EEACOhgYkDgYYABAFBYNTl +zDfb9EwSzPZ6MszyHLdTFb1fU+/Lc6nIFGxvfcV8tLuOVsJDRftYHMZFPX/lToDM +RMEGenXhacmKqAF63wBESXOcL1A/g6Aei9Gq+wgMkAUNDBcxUT7WhTsJEoLRpgjN +yE9qWsiMjl2/2sxblaHoWil4IrK6SaGFxkiKcVONiQ== +-----END EC PRIVATE KEY----- diff --git a/certs/p521/root-p521.der b/certs/p521/root-p521.der new file mode 100644 index 000000000..af8159cd2 Binary files /dev/null and b/certs/p521/root-p521.der differ diff --git a/certs/p521/root-p521.pem b/certs/p521/root-p521.pem new file mode 100644 index 000000000..75df22061 --- /dev/null +++ b/certs/p521/root-p521.pem @@ -0,0 +1,64 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 23:0c:f9:b8:9a:a1:1d:4f:ec:23:8f:4b:f2:20:5d:7d:ac:43:4e:98 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:01:41:60:d4:e5:cc:37:db:f4:4c:12:cc:f6:7a: + 32:cc:f2:1c:b7:53:15:bd:5f:53:ef:cb:73:a9:c8: + 14:6c:6f:7d:c5:7c:b4:bb:8e:56:c2:43:45:fb:58: + 1c:c6:45:3d:7f:e5:4e:80:cc:44:c1:06:7a:75:e1: + 69:c9:8a:a8:01:7a:df:00:44:49:73:9c:2f:50:3f: + 83:a0:1e:8b:d1:aa:fb:08:0c:90:05:0d:0c:17:31: + 51:3e:d6:85:3b:09:12:82:d1:a6:08:cd:c8:4f:6a: + 5a:c8:8c:8e:5d:bf:da:cc:5b:95:a1:e8:5a:29:78: + 22:b2:ba:49:a1:85:c6:48:8a:71:53:8d:89 + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8 + X509v3 Authority Key Identifier: + keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA256 + 30:81:87:02:41:55:16:68:aa:bc:e1:5e:b6:d3:4c:3e:aa:e6: + 64:e6:ca:94:ec:7d:0f:a8:ea:70:00:33:26:95:27:bd:23:ae: + 69:5b:29:60:28:1e:0d:fa:69:3d:21:36:f9:9d:80:74:b1:ae: + d0:2c:bd:12:13:ce:98:0c:69:39:ab:99:88:90:17:02:02:42: + 01:f7:b2:95:d0:bf:64:4d:f9:2e:0e:98:40:00:1c:a7:0a:b3: + 2e:09:f8:c2:27:56:3e:b4:2a:c0:fc:1a:3a:87:c6:6f:ac:20: + d4:df:90:f0:00:88:a0:a6:63:79:74:9c:91:c0:ce:7c:21:6b: + 65:64:a8:fb:83:48:78:eb:78:e0:51:95 +-----BEGIN CERTIFICATE----- +MIIDHDCCAn6gAwIBAgIUIwz5uJqhHU/sI49L8iBdfaxDTpgwCgYIKoZIzj0EAwIw +gZcxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl +bWFuMRUwEwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv +bGZzc2wuY29tMB4XDTIwMDkxNDIzNTcxOFoXDTIzMDYxMTIzNTcxOFowgZcxCzAJ +BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUw +EwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEYMBYGA1UE +AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQWDU5cw32/RMEsz2ejLM8hy3 +UxW9X1Pvy3OpyBRsb33FfLS7jlbCQ0X7WBzGRT1/5U6AzETBBnp14WnJiqgBet8A +RElznC9QP4OgHovRqvsIDJAFDQwXMVE+1oU7CRKC0aYIzchPalrIjI5dv9rMW5Wh +6FopeCKyukmhhcZIinFTjYmjYzBhMB0GA1UdDgQWBBRkp2iVUzMYoiCSvGRVpqvK +dmibyDAfBgNVHSMEGDAWgBRkp2iVUzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBiwAwgYcCQVUWaKq8 +4V6200w+quZk5sqU7H0PqOpwADMmlSe9I65pWylgKB4N+mk9ITb5nYB0sa7QLL0S +E86YDGk5q5mIkBcCAkIB97KV0L9kTfkuDphAABynCrMuCfjCJ1Y+tCrA/Bo6h8Zv +rCDU35DwAIigpmN5dJyRwM58IWtlZKj7g0h463jgUZU= +-----END CERTIFICATE----- diff --git a/certs/p521/server-p521-cert.pem b/certs/p521/server-p521-cert.pem new file mode 100644 index 000000000..7659ffae8 --- /dev/null +++ b/certs/p521/server-p521-cert.pem @@ -0,0 +1,68 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Server-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:00:de:70:69:f6:d1:9e:c4:fe:5f:82:52:98:ce: + 52:c1:6a:4c:12:22:0f:76:88:22:11:a5:0d:a6:02: + 47:91:ab:79:8d:f6:08:70:2d:20:14:15:df:1b:57: + 58:b3:51:ab:20:a8:2b:bd:6a:3f:a9:ee:c2:6d:ae: + 99:44:b4:a1:12:10:70:00:ca:1f:14:1d:b0:e7:0c: + 41:18:52:37:04:a7:84:53:a1:02:46:93:1f:d5:60: + 63:a6:2e:7d:8d:ea:3f:e0:5b:e5:c8:6e:1f:a7:d9: + a3:59:e5:96:27:22:f4:02:2b:af:5b:78:1f:13:a8: + 22:8b:ec:ae:01:7d:c0:61:13:a4:35:0a:21 + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 85:86:9F:AE:73:5F:94:77:27:3B:15:15:C6:79:07:A8:42:4B:1E:F3 + X509v3 Authority Key Identifier: + keyid:40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82 + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: ecdsa-with-SHA256 + 30:81:88:02:42:01:95:31:ef:ac:8f:c7:79:c8:b1:27:21:70: + 24:d1:78:d6:d4:da:d0:1d:44:52:6f:3f:0a:f1:33:ac:70:14: + cf:62:e6:23:a8:a5:30:04:e1:40:7b:05:c5:45:c9:be:b0:32: + d5:00:77:c7:6b:1d:37:7a:2c:83:02:9d:ef:5d:9e:9c:91:02: + 42:01:f8:7c:5b:fc:b3:1a:26:2c:b4:41:c8:bf:0d:ae:74:5a: + 0d:25:10:7d:9d:33:ec:5c:29:c0:7c:6a:96:f3:28:b6:06:de: + 13:1f:b1:a1:76:38:ea:a1:db:81:21:b6:81:0c:8f:67:b7:3d: + 7b:6b:e0:72:67:e3:d1:71:11:92:8b:d0:f1 +-----BEGIN CERTIFICATE----- +MIIDMTCCApKgAwIBAgIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEDAO +BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT +U0xfcDUyMTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wu +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIwMDkxNDIz +NTcxOFoXDTIzMDYxMTIzNTcxOFowgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN +b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjEx +FDASBgNVBAsMC1NlcnZlci1wNTIxMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZswEAYHKoZIzj0CAQYF +K4EEACMDgYYABADecGn20Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAt +IBQV3xtXWLNRqyCoK71qP6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaT +H9VgY6YufY3qP+Bb5chuH6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIaOB +iTCBhjAdBgNVHQ4EFgQUhYafrnNflHcnOxUVxnkHqEJLHvMwHwYDVR0jBBgwFoAU +QIkdMF4MbtU9xtUlkNq2Qmft6YIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC +A6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqG +SM49BAMCA4GMADCBiAJCAZUx76yPx3nIsSchcCTReNbU2tAdRFJvPwrxM6xwFM9i +5iOopTAE4UB7BcVFyb6wMtUAd8drHTd6LIMCne9dnpyRAkIB+Hxb/LMaJiy0Qci/ +Da50Wg0lEH2dM+xcKcB8apbzKLYG3hMfsaF2OOqh24EhtoEMj2e3PXtr4HJn49Fx +EZKL0PE= +-----END CERTIFICATE----- diff --git a/certs/p521/server-p521-key.der b/certs/p521/server-p521-key.der new file mode 100644 index 000000000..db91e954c Binary files /dev/null and b/certs/p521/server-p521-key.der differ diff --git a/certs/p521/server-p521-key.pem b/certs/p521/server-p521-key.pem new file mode 100644 index 000000000..98ba0d1bd --- /dev/null +++ b/certs/p521/server-p521-key.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA3nBp9tGexP5fglKYzlLBakwSIg92 +iCIRpQ2mAkeRq3mN9ghwLSAUFd8bV1izUasgqCu9aj+p7sJtrplEtKESEHAAyh8U +HbDnDEEYUjcEp4RToQJGkx/VYGOmLn2N6j/gW+XIbh+n2aNZ5ZYnIvQCK69beB8T +qCKL7K4BfcBhE6Q1CiE= +-----END PUBLIC KEY----- diff --git a/certs/p521/server-p521-priv.der b/certs/p521/server-p521-priv.der new file mode 100644 index 000000000..dc139ed5f Binary files /dev/null and b/certs/p521/server-p521-priv.der differ diff --git a/certs/p521/server-p521-priv.pem b/certs/p521/server-p521-priv.pem new file mode 100644 index 000000000..8763564f9 --- /dev/null +++ b/certs/p521/server-p521-priv.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBA/UQ99abMXYOwp9KaXiqAj86ltsFQghlThjy9iBcnWkX1HwOvRd7 +cQFcIMmwK3LwktTPTcFOo0hgfvdwPKVlVJSgBwYFK4EEACOhgYkDgYYABADecGn2 +0Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAtIBQV3xtXWLNRqyCoK71q +P6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaTH9VgY6YufY3qP+Bb5chu +H6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIQ== +-----END EC PRIVATE KEY----- diff --git a/certs/p521/server-p521.der b/certs/p521/server-p521.der new file mode 100644 index 000000000..593e4f54e Binary files /dev/null and b/certs/p521/server-p521.der differ diff --git a/certs/p521/server-p521.pem b/certs/p521/server-p521.pem new file mode 100644 index 000000000..13b15caed --- /dev/null +++ b/certs/p521/server-p521.pem @@ -0,0 +1,131 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Server-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:00:de:70:69:f6:d1:9e:c4:fe:5f:82:52:98:ce: + 52:c1:6a:4c:12:22:0f:76:88:22:11:a5:0d:a6:02: + 47:91:ab:79:8d:f6:08:70:2d:20:14:15:df:1b:57: + 58:b3:51:ab:20:a8:2b:bd:6a:3f:a9:ee:c2:6d:ae: + 99:44:b4:a1:12:10:70:00:ca:1f:14:1d:b0:e7:0c: + 41:18:52:37:04:a7:84:53:a1:02:46:93:1f:d5:60: + 63:a6:2e:7d:8d:ea:3f:e0:5b:e5:c8:6e:1f:a7:d9: + a3:59:e5:96:27:22:f4:02:2b:af:5b:78:1f:13:a8: + 22:8b:ec:ae:01:7d:c0:61:13:a4:35:0a:21 + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 85:86:9F:AE:73:5F:94:77:27:3B:15:15:C6:79:07:A8:42:4B:1E:F3 + X509v3 Authority Key Identifier: + keyid:40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82 + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: ecdsa-with-SHA256 + 30:81:88:02:42:01:95:31:ef:ac:8f:c7:79:c8:b1:27:21:70: + 24:d1:78:d6:d4:da:d0:1d:44:52:6f:3f:0a:f1:33:ac:70:14: + cf:62:e6:23:a8:a5:30:04:e1:40:7b:05:c5:45:c9:be:b0:32: + d5:00:77:c7:6b:1d:37:7a:2c:83:02:9d:ef:5d:9e:9c:91:02: + 42:01:f8:7c:5b:fc:b3:1a:26:2c:b4:41:c8:bf:0d:ae:74:5a: + 0d:25:10:7d:9d:33:ec:5c:29:c0:7c:6a:96:f3:28:b6:06:de: + 13:1f:b1:a1:76:38:ea:a1:db:81:21:b6:81:0c:8f:67:b7:3d: + 7b:6b:e0:72:67:e3:d1:71:11:92:8b:d0:f1 +-----BEGIN CERTIFICATE----- +MIIDMTCCApKgAwIBAgIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEDAO +BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT +U0xfcDUyMTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wu +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIwMDkxNDIz +NTcxOFoXDTIzMDYxMTIzNTcxOFowgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN +b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjEx +FDASBgNVBAsMC1NlcnZlci1wNTIxMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZswEAYHKoZIzj0CAQYF +K4EEACMDgYYABADecGn20Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAt +IBQV3xtXWLNRqyCoK71qP6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaT +H9VgY6YufY3qP+Bb5chuH6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIaOB +iTCBhjAdBgNVHQ4EFgQUhYafrnNflHcnOxUVxnkHqEJLHvMwHwYDVR0jBBgwFoAU +QIkdMF4MbtU9xtUlkNq2Qmft6YIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC +A6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqG +SM49BAMCA4GMADCBiAJCAZUx76yPx3nIsSchcCTReNbU2tAdRFJvPwrxM6xwFM9i +5iOopTAE4UB7BcVFyb6wMtUAd8drHTd6LIMCne9dnpyRAkIB+Hxb/LMaJiy0Qci/ +Da50Wg0lEH2dM+xcKcB8apbzKLYG3hMfsaF2OOqh24EhtoEMj2e3PXtr4HJn49Fx +EZKL0PE= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:00:2d:18:24:2d:e4:db:6c:c3:69:9b:db:18:67: + 33:f1:60:68:94:14:cd:91:4a:57:65:ef:36:fa:24: + 82:88:ec:c7:f0:cb:48:45:6e:96:5f:7f:eb:76:be: + 44:40:c3:19:c0:33:68:c4:06:04:8e:c2:25:b1:96: + 83:22:0e:7b:c7:b2:fc:01:86:91:ed:43:5d:38:e0: + 0c:25:8d:b3:db:b1:dc:de:b7:21:80:cf:87:de:64: + f4:21:3e:2d:af:79:bd:f6:d0:00:4b:81:79:fa:f7: + 10:aa:19:cd:40:d7:1e:75:34:53:29:03:ed:48:54: + 21:e5:8f:95:b5:9b:41:8d:5f:dd:72:d2:5a + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82 + X509v3 Authority Key Identifier: + keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA256 + 30:81:87:02:41:60:cd:fa:94:0d:23:c3:4e:3c:b1:6e:d9:b6: + 5b:0e:97:1e:a4:df:0a:7c:05:2e:61:0c:d7:c0:e5:86:16:0c: + 7b:01:a5:33:9a:e6:31:a0:62:91:da:dc:22:d1:ba:4f:75:43: + 94:43:67:91:20:08:66:96:27:53:b2:61:0e:59:0a:50:02:42: + 01:ec:87:8d:ca:6d:e0:bf:30:ba:ef:37:13:ad:f6:d1:c4:fc: + b5:e5:4b:96:c2:83:a0:d8:ed:04:73:85:8d:54:d7:e9:9a:67: + 8a:cf:11:36:4a:f2:2f:85:5a:24:5e:3c:79:e1:a7:c4:ec:78: + 82:7a:52:25:c4:55:57:95:0e:6f:c9:d5 +-----BEGIN CERTIFICATE----- +MIIDBzCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO +BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT +U0xfUDUyMTESMBAGA1UECwwJUm9vdC1QNTIxMRgwFgYDVQQDDA93d3cud29sZnNz +bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjAwOTE0 +MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM +B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfcDUy +MTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8w +HQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIGbMBAGByqGSM49AgEGBSuB +BAAjA4GGAAQALRgkLeTbbMNpm9sYZzPxYGiUFM2RSldl7zb6JIKI7Mfwy0hFbpZf +f+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHtQ1044AwljbPbsdzetyGAz4fe +ZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1IVCHlj5W1m0GNX91y0lqjYzBh +MB0GA1UdDgQWBBRAiR0wXgxu1T3G1SWQ2rZCZ+3pgjAfBgNVHSMEGDAWgBRkp2iV +UzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB +hjAKBggqhkjOPQQDAgOBiwAwgYcCQWDN+pQNI8NOPLFu2bZbDpcepN8KfAUuYQzX +wOWGFgx7AaUzmuYxoGKR2twi0bpPdUOUQ2eRIAhmlidTsmEOWQpQAkIB7IeNym3g +vzC67zcTrfbRxPy15UuWwoOg2O0Ec4WNVNfpmmeKzxE2SvIvhVokXjx54afE7HiC +elIlxFVXlQ5vydU= +-----END CERTIFICATE----- diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index c900231ea..e40270a18 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -504,7 +504,7 @@ run_renewcerts(){ echo "---------------------------------------------------------------------" ############################################################ - ########## generate PKCS7 bundles ########################## + ########## generate Ed448 certificates ##################### ############################################################ echo "Renewing Ed448 certificates" cd ed448 @@ -513,6 +513,16 @@ run_renewcerts(){ echo "End of section" echo "---------------------------------------------------------------------" + ############################################################ + ########## generate P-521 certificates ##################### + ############################################################ + echo "Renewing Ed448 certificates" + cd p521 + ./gen-p521-certs.sh + cd .. + echo "End of section" + echo "---------------------------------------------------------------------" + ############################################################ ###### update the ecc-rsa-server.p12 file ################## ############################################################ diff --git a/src/internal.c b/src/internal.c index 72b9dd2f1..758684c91 100644 --- a/src/internal.c +++ b/src/internal.c @@ -19461,7 +19461,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) #if defined(WOLFSSL_TLS13) && defined(HAVE_ECC) if (IsAtLeastTLSv1_3(ssl->version) && sigAlgo == ssl->suites->sigAlgo && sigAlgo == ecc_dsa_sa_algo) { - + int curveSz = ssl->buffers.keySz & (~0x3); int digestSz = GetMacDigestSize(hashAlgo); if (digestSz <= 0) continue; @@ -19469,7 +19469,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) /* TLS 1.3 signature algorithms for ECDSA match hash length with * key size. */ - if (digestSz != ssl->buffers.keySz) + if (digestSz != curveSz) continue; ssl->suites->hashAlgo = hashAlgo; diff --git a/tests/include.am b/tests/include.am index 1ef0a7cdf..d34223dcc 100644 --- a/tests/include.am +++ b/tests/include.am @@ -49,5 +49,6 @@ EXTRA_DIST += tests/test.conf \ tests/test-chains.conf \ tests/test-altchains.conf \ tests/test-trustpeer.conf \ - tests/test-dhprime.conf + tests/test-dhprime.conf \ + tests/test-p521.conf DISTCLEANFILES+= tests/.libs/unit.test diff --git a/tests/suites.c b/tests/suites.c index 655c29003..b2fddfe8c 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -879,6 +879,18 @@ int SuiteTest(int argc, char** argv) goto exit; } #endif +#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \ + defined(WOLFSSL_SHA512) + /* add P-521 certificate cipher suite tests */ + strcpy(argv0[1], "tests/test-p521.conf"); + printf("starting P-521 extra cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } +#endif #ifdef WOLFSSL_DTLS /* add dtls extra suites */ strcpy(argv0[1], "tests/test-dtls.conf"); diff --git a/tests/test-p521.conf b/tests/test-p521.conf new file mode 100644 index 000000000..84c42ebfb --- /dev/null +++ b/tests/test-p521.conf @@ -0,0 +1,61 @@ +# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/p521/server-p521.pem +-k ./certs/p521/server-p521-priv.pem +-d + +# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-A ./certs/p521/root-p521.pem +-C + +# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/p521/server-p521.pem +-k ./certs/p521/server-p521-priv.pem +-A ./certs/p521/client-p521.pem +-V +# Remove -V when CRL for P-521 certificates available. + +# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/p521/client-p521.pem +-k ./certs/p521/client-p521-priv.pem +-A ./certs/p521/root-p521.pem +-C + +# server TLSv1.3 TLS13-AES128-GCM-SHA256 +-v 4 +-l TLS13-AES128-GCM-SHA256 +-c ./certs/p521/server-p521.pem +-k ./certs/p521/server-p521-priv.pem +-d + +# client TLSv1.3 TLS13-AES128-GCM-SHA256 +-v 4 +-l TLS13-AES128-GCM-SHA256 +-A ./certs/p521/root-p521.pem +-C + +# Enable when CRL for P-521 certificates available. +# server TLSv1.3 TLS13-AES128-GCM-SHA256 +-v 4 +-l TLS13-AES128-GCM-SHA256 +-c ./certs/p521/server-p521.pem +-k ./certs/p521/server-p521-priv.pem +-A ./certs/p521/client-p521.pem +-V +# Remove -V when CRL for P-521 certificates available. + +# client TLSv1.3 TLS13-AES128-GCM-SHA256 +-v 4 +-l TLS13-AES128-GCM-SHA256 +-c ./certs/p521/client-p521.pem +-k ./certs/p521/client-p521-priv.pem +-A ./certs/p521/root-p521.pem +-C +