From d63ff07edcb1a59be4ad63ee62acea61b0030e45 Mon Sep 17 00:00:00 2001 
From: Sean Parkinson Date: Tue, 15 Sep 2020 10:08:30 +1000 Subject: [PATCH] TLS 1.3: Fix P-521 algorithm matching Digest size compared to key size - P521 has large key size. Fixed to round down. Added P-521 keys and certificates. Added testing of P-521 keys and certificates to unittest. --- Makefile.am | 1 + certs/include.am | 1 + certs/p521/ca-p521-key.der | Bin 0 -> 158 bytes certs/p521/ca-p521-key.pem | 6 ++ certs/p521/ca-p521-priv.der | Bin 0 -> 223 bytes certs/p521/ca-p521-priv.pem | 7 ++ certs/p521/ca-p521.der | Bin 0 -> 779 bytes certs/p521/ca-p521.pem | 63 +++++++++++++++ certs/p521/client-p521-key.der | Bin 0 -> 158 bytes certs/p521/client-p521-key.pem | 6 ++ certs/p521/client-p521-priv.der | Bin 0 -> 223 bytes certs/p521/client-p521-priv.pem | 7 ++ certs/p521/client-p521.der | Bin 0 -> 1037 bytes certs/p521/client-p521.pem | 73 ++++++++++++++++++ certs/p521/gen-p521-certs.sh | 105 +++++++++++++++++++++++++ certs/p521/gen-p521-keys.sh | 16 ++++ certs/p521/include.am | 38 +++++++++ certs/p521/root-p521-key.der | Bin 0 -> 158 bytes certs/p521/root-p521-key.pem | 6 ++ certs/p521/root-p521-priv.der | Bin 0 -> 223 bytes certs/p521/root-p521-priv.pem | 7 ++ certs/p521/root-p521.der | Bin 0 -> 800 bytes certs/p521/root-p521.pem | 64 ++++++++++++++++ certs/p521/server-p521-cert.pem | 68 +++++++++++++++++ certs/p521/server-p521-key.der | Bin 0 -> 158 bytes certs/p521/server-p521-key.pem | 6 ++ certs/p521/server-p521-priv.der | Bin 0 -> 223 bytes certs/p521/server-p521-priv.pem | 7 ++ certs/p521/server-p521.der | Bin 0 -> 821 bytes certs/p521/server-p521.pem | 131 ++++++++++++++++++++++++++++++++ certs/renewcerts.sh | 12 ++- src/internal.c | 4 +- tests/include.am | 3 +- tests/suites.c | 12 +++ tests/test-p521.conf | 61 +++++++++++++++ 35 files changed, 700 insertions(+), 4 deletions(-) create mode 100644 certs/p521/ca-p521-key.der create mode 100644 certs/p521/ca-p521-key.pem create mode 100644 certs/p521/ca-p521-priv.der create mode 100644 
certs/p521/ca-p521-priv.pem create mode 100644 certs/p521/ca-p521.der create mode 100644 certs/p521/ca-p521.pem create mode 100644 certs/p521/client-p521-key.der create mode 100644 certs/p521/client-p521-key.pem create mode 100644 certs/p521/client-p521-priv.der create mode 100644 certs/p521/client-p521-priv.pem create mode 100644 certs/p521/client-p521.der create mode 100644 certs/p521/client-p521.pem create mode 100755 certs/p521/gen-p521-certs.sh create mode 100755 certs/p521/gen-p521-keys.sh create mode 100644 certs/p521/include.am create mode 100644 certs/p521/root-p521-key.der create mode 100644 certs/p521/root-p521-key.pem create mode 100644 certs/p521/root-p521-priv.der create mode 100644 certs/p521/root-p521-priv.pem create mode 100644 certs/p521/root-p521.der create mode 100644 certs/p521/root-p521.pem create mode 100644 certs/p521/server-p521-cert.pem create mode 100644 certs/p521/server-p521-key.der create mode 100644 certs/p521/server-p521-key.pem create mode 100644 certs/p521/server-p521-priv.der create mode 100644 certs/p521/server-p521-priv.pem create mode 100644 certs/p521/server-p521.der create mode 100644 certs/p521/server-p521.pem create mode 100644 tests/test-p521.conf diff --git a/Makefile.am b/Makefile.am index 60a5a57ae..1de2b3d11 100644 --- a/Makefile.am +++ b/Makefile.am @@ -19,6 +19,7 @@ dist_doc_DATA= dist_noinst_SCRIPTS = noinst_SCRIPTS = check_SCRIPTS = +noinst_DATA = #includes additional rules from aminclude.am @INC_AMINCLUDE@ diff --git a/certs/include.am b/certs/include.am index 7a425515c..920c49165 100644 --- a/certs/include.am +++ b/certs/include.am @@ -106,6 +106,7 @@ include certs/crl/include.am include certs/ecc/include.am include certs/ed25519/include.am include certs/ed448/include.am +include certs/p521/include.am include certs/external/include.am include certs/ocsp/include.am include certs/statickeys/include.am 
diff --git a/certs/p521/ca-p521-key.der b/certs/p521/ca-p521-key.der new file mode 100644 index 0000000000000000000000000000000000000000..213b261ba0a48e05811bd621b1f82eade832f6f0 GIT binary patch literal 158 zcmXqLoNXY$#;(=oan6>Bk&RWmk%d8-xv`Cbg+W(BMfb_=oWq&3Z%d>be@w`jB64=3 zS9t1svtKGr9dC|*IPKw@H!Z&Yb=f`_hr^Nwj5Cg~vGg5M-8ijTiLd(jraz2r6W=<= zT0G!U?cIEPxCtpXfINkZVHZx5BKwZjeRbiW%Q}`lpDRA{OO*wjR zLf=`QHFlfkN2XU_bW>EgviP+!kMSa>KZPG+7qGLjYB#blC@*a6WNvI@U}4aeP|k*>(w14W>*^a&OcZ)7X0RRo}X6^t0 literal 0 HcmV?d00001 diff --git a/certs/p521/ca-p521-priv.pem b/certs/p521/ca-p521-priv.pem new file mode 100644 index 000000000..a5eb5bc73 --- /dev/null +++ b/certs/p521/ca-p521-priv.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIB29qI0BYpdJXJ61gEQtz5rWlWL8B+ZKslEzyZlA5Z2iAKjwKUxd6Q +js0MrD6yn1lne9FGISDUo+sjDDOiQvxx8F2gBwYFK4EEACOhgYkDgYYABAAtGCQt +5Ntsw2mb2xhnM/FgaJQUzZFKV2XvNvokgojsx/DLSEVull9/63a+REDDGcAzaMQG +BI7CJbGWgyIOe8ey/AGGke1DXTjgDCWNs9ux3N63IYDPh95k9CE+La95vfbQAEuB +efr3EKoZzUDXHnU0UykD7UhUIeWPlbWbQY1f3XLSWg== +-----END EC PRIVATE KEY----- diff --git a/certs/p521/ca-p521.der b/certs/p521/ca-p521.der new file mode 100644 index 0000000000000000000000000000000000000000..8b964e419702cc67bc060d2ab42ac5be608a452a GIT binary patch literal 779 zcmXqLVrDmJV#-{=%*4pV#K>sC#m1r4=5fxJg_+5qak?S50Vf-CC<~h~Q)sZEfB_$f z!@Vdr6Y%CAbzP0TYCH4p}=;o{*b&(BE<4)%!;Ff}qX6fzJ133Kys z2Ic3M=z_&048%ZU%sl+%<>h)H<;BH0ddc~@hVlloY@Awc9&O)w895on1Tyo|@*R*A z7|4n98W|W^8k!gxo0=P1M2Yhn85@`x8bY}SjZ>-N@&b^{p`PaEVRv@a1&dJN?#9^$ z0&MKy0A^xjW7TeCVNhmnY-38`Kb`|SdQcVp$R?*gkN&pKR}D>Vt$WPa-rqWH9b>ektgz43R8 zE=4U)Hb^v(Wn&JNpf zm>O&>u}ERko|MpKt520>%syej4^kk^$oQXy)qt6i@jp1p$nt{(SeTg@+mI6&b7MDy zL1R0UW5U^AQ+SmR``K*FySXizZ@S!)`&>1wdWk&O4?JxXBk&RWmk%d8-xv`Cbg)u4bBg2~;Gb3gC zaMYctP2YZgoAZBbcIi~_B^t5wCa_#QAb0hz^E|oc1A^Mx?71te1g@t)4>VV~v7ec@ Rd#gi?|25%ar#%yI0swekNU{I` literal 0 HcmV?d00001 diff --git a/certs/p521/client-p521-key.pem b/certs/p521/client-p521-key.pem new file mode 100644 index 000000000..c1837cc15 
--- /dev/null +++ b/certs/p521/client-p521-key.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBYm7xAOzYmVibgGv+LPGy8MhI36zS +O3Epq/BmY9iOtcjC/JlE4kWxWnu5cwHaeeycJic0RSbViUtE/mlOchTji7wADwmi +A8Na3JWC9vn2nP+1a3WVS6QoXZ6QBNHAHtX9Q54eg8ARKysHbal6ENdn51E3JNi/ +Aw2LtUBcT9YTc0K8kdk= +-----END PUBLIC KEY----- diff --git a/certs/p521/client-p521-priv.der b/certs/p521/client-p521-priv.der new file mode 100644 index 0000000000000000000000000000000000000000..882b3f4730c3b90bc7935ab4a80186d7f217fd17 GIT binary patch literal 223 zcmXqLyu-xE$l}D9G0`~q(S!`a{#7f=c)n|~OHa~T-emi$`CP$?LkUg)Bswx~Wi`81 zJbC%@Okn-nMkb?oYVBvDsgsOp`?jJGP^%u!P}aaFt8 z>Fx3_)2~S6arYhue$GYAhokOHZTj}}+noPfvrDIXFVTpdH-Y8i0lBMxo#)9l9}v{m hX3t$&C2&3cd7!z zo}ZHz9PATcU}|J&C}JQ466WUNcFxI6%`4Fbi%J-Xfkc^k_{+=7^*|bmi*xjn^K%X5 z4P@Ckwc0$|zVkA2GKvXg=B4F3ASp1A6X!KDFt9Wxn~uX1Y9b-56E9vzYN#<(oNb>L#vgS3A93{$=_Vi9GJ!!@$qEi1~2TovBUV zetw(te`|K>RPQAkvGXRdTs$Cm^{?|hx#k0c+S=^7E2{*qr#}xgSGlpDnYVkZLyZ45 z;bNyf6K^hVV)Qa-VstZ*Wn&JNatp3>w>+oERUrF6C?dzd`Hr zj^ZBKK6xjfd#5iZXPyhbpcN$Yq)K1z2)FcYIkV|SZ)fXYnOw>C#xW;HLStswHtvWc zd)#lQtf*sh)V^S($J}W2c~)w~lEAuIYY)xbulR9cL8AA&zWdg5Djy4Nv7VQ5>%#l! efa--C4Eoon70z{3IR9eK-mlh2{xLY4ssI3$c1&&n literal 0 HcmV?d00001 diff --git a/certs/p521/client-p521.pem b/certs/p521/client-p521.pem new file mode 100644 index 000000000..5fc68c016 --- /dev/null +++ b/certs/p521/client-p521.pem 
@@ -0,0 +1,73 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 24:9d:c6:98:df:09:87:30:42:bd:e6:4f:86:05:af:dc:82:89:d7:0e + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:01:62:6e:f1:00:ec:d8:99:58:9b:80:6b:fe:2c: + f1:b2:f0:c8:48:df:ac:d2:3b:71:29:ab:f0:66:63: + d8:8e:b5:c8:c2:fc:99:44:e2:45:b1:5a:7b:b9:73: + 01:da:79:ec:9c:26:27:34:45:26:d5:89:4b:44:fe: + 69:4e:72:14:e3:8b:bc:00:0f:09:a2:03:c3:5a:dc: + 95:82:f6:f9:f6:9c:ff:b5:6b:75:95:4b:a4:28:5d: + 9e:90:04:d1:c0:1e:d5:fd:43:9e:1e:83:c0:11:2b: + 2b:07:6d:a9:7a:10:d7:67:e7:51:37:24:d8:bf:03: + 0d:8b:b5:40:5c:4f:d6:13:73:42:bc:91:d9 + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 20:E1:BF:57:E5:F3:C3:0C:72:84:6A:C6:DF:BC:22:D0:B7:25:E5:A4 + X509v3 Authority Key Identifier: + keyid:20:E1:BF:57:E5:F3:C3:0C:72:84:6A:C6:DF:BC:22:D0:B7:25:E5:A4 + DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_p521/OU=Client-p521/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:24:9D:C6:98:DF:09:87:30:42:BD:E6:4F:86:05:AF:DC:82:89:D7:0E + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Alternative Name: + DNS:example.com, IP Address:127.0.0.1 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: ecdsa-with-SHA256 + 30:81:87:02:42:01:e1:85:a5:0e:81:ff:b0:2a:d3:b8:73:8c: + 1d:8e:1f:42:4c:de:cb:d1:63:69:ce:53:d0:2a:52:14:e4:7a: + 2f:1e:c4:0b:1b:db:1e:36:97:72:ed:9b:2f:d4:93:79:06:ec: + 41:6c:6c:18:28:99:56:b6:0b:58:c4:bc:47:db:64:a8:7e:02: + 
41:2b:d0:32:2e:03:81:32:f3:9a:65:58:a4:51:7e:9a:ad:c2: + 99:bf:21:f1:a1:70:61:4b:ee:8e:df:3b:9c:79:e3:12:b4:3b: + 9e:64:da:d0:ef:5b:50:7b:a1:b0:30:8f:af:66:71:9d:41:20: + cf:e8:9c:bd:f5:3b:c4:fe:00:43:35:24 +-----BEGIN CERTIFICATE----- +MIIECTCCA2ugAwIBAgIUJJ3GmN8JhzBCveZPhgWv3IKJ1w4wCgYIKoZIzj0EAwIw +gZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl +bWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjExFDASBgNVBAsMC0NsaWVudC1wNTIx +MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A +d29sZnNzbC5jb20wHhcNMjAwOTE0MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBmTEL +MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x +FTATBgNVBAoMDHdvbGZTU0xfcDUyMTEUMBIGA1UECwwLQ2xpZW50LXA1MjExGDAW +BgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm +c3NsLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAWJu8QDs2JlYm4Br/izx +svDISN+s0jtxKavwZmPYjrXIwvyZROJFsVp7uXMB2nnsnCYnNEUm1YlLRP5pTnIU +44u8AA8JogPDWtyVgvb59pz/tWt1lUukKF2ekATRwB7V/UOeHoPAESsrB22pehDX +Z+dRNyTYvwMNi7VAXE/WE3NCvJHZo4IBSjCCAUYwHQYDVR0OBBYEFCDhv1fl88MM +coRqxt+8ItC3JeWkMIHZBgNVHSMEgdEwgc6AFCDhv1fl88MMcoRqxt+8ItC3JeWk +oYGfpIGcMIGZMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE +BwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF9wNTIxMRQwEgYDVQQLDAtDbGll +bnQtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tghQkncaY3wmHMEK95k+GBa/cgonXDjAMBgNVHRME +BTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgOBiwAwgYcCQgHhhaUOgf+w +KtO4c4wdjh9CTN7L0WNpzlPQKlIU5HovHsQLG9seNpdy7Zsv1JN5BuxBbGwYKJlW +tgtYxLxH22SofgJBK9AyLgOBMvOaZVikUX6arcKZvyHxoXBhS+6O3zuceeMStDue +ZNrQ71tQe6GwMI+vZnGdQSDP6Jy99TvE/gBDNSQ= +-----END CERTIFICATE----- diff --git a/certs/p521/gen-p521-certs.sh b/certs/p521/gen-p521-certs.sh new file mode 100755 index 000000000..f13cd6fee --- /dev/null +++ b/certs/p521/gen-p521-certs.sh 
@@ -0,0 +1,105 @@ +#!/bin/bash + +check_result(){ + if [ $1 -ne 0 ]; then + echo "Failed at \"$2\", Abort" + exit 1 + else + echo "Step Succeeded!" + fi +} + +openssl pkey -in root-p521-priv.pem -noout >/dev/null 2>&1 +if [ $? -ne 0 ]; then + echo "OpenSSL does not support P521" + echo "Skipping P521 certificate renewal" + exit 0 +fi + +############################################################ +###### update the self-signed root-p521.pem ############### +############################################################ +echo "Updating root-p521.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_P521\\nRoot-P521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \ +openssl req -new -key root-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-p521.csr +check_result $? "Generate request" + +openssl x509 -req -in root-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-p521-priv.pem -out root-p521.pem +check_result $? "Generate certificate" +rm root-p521.csr + +openssl x509 -in root-p521.pem -outform DER > root-p521.der +check_result $? "Convert to DER" +openssl x509 -in root-p521.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem root-p521.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update ca-p521.pem signed by root ################## +############################################################ +echo "Updating ca-p521.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nCA-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-p521.csr +check_result $? 
"Generate request" + +openssl x509 -req -in ca-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-p521.pem -CAkey root-p521-priv.pem -set_serial 01 -out ca-p521.pem +check_result $? "Generate certificate" +rm ca-p521.csr + +openssl x509 -in ca-p521.pem -outform DER > ca-p521.der +check_result $? "Convert to DER" +openssl x509 -in ca-p521.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem ca-p521.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update server-p521.pem signed by ca ################ +############################################################ +echo "Updating server-p521.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nServer-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-p521.csr +check_result $? "Generate request" + +openssl x509 -req -in server-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-p521.pem -CAkey ca-p521-priv.pem -set_serial 01 -out server-p521-cert.pem +check_result $? "Generate certificate" +rm server-p521.csr + +openssl x509 -in server-p521-cert.pem -outform DER > server-p521.der +check_result $? "Convert to DER" +openssl x509 -in server-p521-cert.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem server-p521-cert.pem +cat server-p521-cert.pem ca-p521.pem > server-p521.pem +check_result $? 
"Add CA into server cert" +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update the self-signed client-p521.pem ############# +############################################################ +echo "Updating client-p521.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nClient-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-p521.csr +check_result $? "Generate request" + +openssl x509 -req -in client-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-p521-priv.pem -out client-p521.pem +check_result $? "Generate certificate" +rm client-p521.csr + +openssl x509 -in client-p521.pem -outform DER > client-p521.der +check_result $? "Convert to DER" +openssl x509 -in client-p521.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem client-p521.pem +echo "End of section" +echo "---------------------------------------------------------------------" + diff --git a/certs/p521/gen-p521-keys.sh b/certs/p521/gen-p521-keys.sh new file mode 100755 index 000000000..811c6af62 --- /dev/null +++ b/certs/p521/gen-p521-keys.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +for key in root ca server client +do + + openssl ecparam -name secp521r1 -genkey -noout > ${key}-p521-priv.pem + + openssl pkey -in ${key}-p521-priv.pem -outform DER -out ${key}-p521-priv.der + + openssl pkey -in ${key}-p521-priv.pem -outform PEM -pubout -out ${key}-p521-key.pem + + openssl pkey -in ${key}-p521-priv.pem -outform DER -pubout -out ${key}-p521-key.der + +done + + diff --git a/certs/p521/include.am b/certs/p521/include.am new file mode 100644 index 000000000..fd2660b89 --- /dev/null +++ b/certs/p521/include.am 
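Review bot: The four `openssl x509 -req` calls never name a digest, so the P-521 keys sign with OpenSSL's default, and the certificates generated for this commit read `Signature Algorithm: ecdsa-with-SHA256`. TLS 1.3 pairs secp521r1 only with SHA-512, so these chains do not exercise that pairing on the certificate signatures, and a peer that applies its signature-algorithm list strictly to certificates may refuse them. Adding `-sha512` to each `openssl x509 -req` line would make the fixtures match the case the fix is about. Separately, the probe at the top reports `OpenSSL does not support P521` and exits 0 for any failure of `openssl pkey`, including a missing `root-p521-priv.pem`, so a broken checkout is reported as a clean skip.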
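Review bot: None of the `openssl` calls in the `for key in root ca server client` loop is checked, so a failed `openssl ecparam` leaves an empty `${key}-p521-priv.pem` behind and the script carries on through the three `openssl pkey` conversions and the remaining keys. `set -e` right after the shebang would stop at the first failure. The expansions are also unquoted; writing `"${key}-p521-priv.pem"` throughout costs nothing and keeps the script safe if the key list ever changes.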
@@ -0,0 +1,38 @@ +# vim:ft=automake +# All paths should be given relative to the root +# + +EXTRA_DIST += \ + certs/p521/ca-p521.der \ + certs/p521/ca-p521.pem \ + certs/p521/ca-p521-key.der \ + certs/p521/ca-p521-key.pem \ + certs/p521/ca-p521-priv.der \ + certs/p521/ca-p521-priv.pem \ + certs/p521/client-p521.der \ + certs/p521/client-p521.pem \ + certs/p521/client-p521-key.der \ + certs/p521/client-p521-key.pem \ + certs/p521/client-p521-priv.der \ + certs/p521/client-p521-priv.pem \ + certs/p521/root-p521.der \ + certs/p521/root-p521.pem \ + certs/p521/root-p521-key.der \ + certs/p521/root-p521-key.pem \ + certs/p521/root-p521-priv.der \ + certs/p521/root-p521-priv.pem \ + certs/p521/server-p521.der \ + certs/p521/server-p521.pem \ + certs/p521/server-p521-cert.pem \ + certs/p521/server-p521-key.der \ + certs/p521/server-p521-key.pem \ + certs/p521/server-p521-priv.der \ + certs/p521/server-p521-priv.pem + +if BUILD_FIPS_V2 +else +noinst_DATA+= \ + certs/p521/gen-p521-certs.sh \ + certs/p521/gen-p521-keys.sh +endif + diff --git a/certs/p521/root-p521-key.der b/certs/p521/root-p521-key.der new file mode 100644 index 0000000000000000000000000000000000000000..6de44a22802dfe8cb2db51f821eecaaff1e69fb3 GIT binary patch literal 158 zcmXqLoNXY$#;(=oan6>Bk&RWmk%d8-xv`Cbh0!tL%F{FEx4-xZo%vQ}bmo)H_F&Py z@xkv;7q2`al9OM1v}VihzOX~iuD>H>j=9>_KlN)k<8qL#s`O#z$*vWQRreWOJd5Y( z2iP|+kn6s<>Nf|^1Xf-ial=5nYpvFtLQNN!ahyHjpA~hYr!RK@tuxV67ruzntWest P%X4AtF^{go;NDIEAyGv+ literal 0 HcmV?d00001 diff --git a/certs/p521/root-p521-key.pem b/certs/p521/root-p521-key.pem new file mode 100644 index 000000000..e791da9ed --- /dev/null +++ b/certs/p521/root-p521-key.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQWDU5cw32/RMEsz2ejLM8hy3UxW9 +X1Pvy3OpyBRsb33FfLS7jlbCQ0X7WBzGRT1/5U6AzETBBnp14WnJiqgBet8ARElz +nC9QP4OgHovRqvsIDJAFDQwXMVE+1oU7CRKC0aYIzchPalrIjI5dv9rMW5Wh6Fop +eCKyukmhhcZIinFTjYk= +-----END PUBLIC KEY----- 
diff --git a/certs/p521/root-p521-priv.der b/certs/p521/root-p521-priv.der new file mode 100644 index 0000000000000000000000000000000000000000..404c3ac41ef1d1817d1daf9736501a31051f27b5 GIT binary patch literal 223 zcmXqLyu-xE$l}EK+v$H)|K6MhdpbOq=-v>RU^7q6?eKE9XRTg+Rlis{urN9%TzPuN z{Pq_gp)=pAjLv+L*&ZyqH$M3N>Ee|qL~`JlVB^vFbj9i)Zm1{Q&#s1#;aNSN-PTnZU}+BW@UIcdgZ$Q>f|UGLEw+{IjA? g^z_Bh>cSUMniWc$c6lyrJ?7C>7~IVdr6Y%CAbzP0TYCH4p}=;o{*b z&(BE<4)%!;Ff}qX6fzJ133Kys2Ic3M=z_&048%ZU%sl+%<>h)H<;BH0ddc~@hVllo zY@Awc9&O)w895on1Tyo|@*R*A7|4n98W|W^8k!gxo0=P1M2Yhn85@`x8bY~)*yWA0 z4FuTO!9mQ#$i}MO$ikq^+}Osz!swWA<>?vo+h2Ty&U~vfI`c_pd$8!<_~7@ai&vfy z$;q!hTC-($U)UjM*WVE`$6RgepZYbNaXH9VRr)aVWY-GDs{0Hsp2c(Y1MHg@$aP;_ z^_zod0xK_%xM85(wN`6Rp{9$=IL@B%&x$(H(-*t{)|u$33tvQORw!-S<+-r+m`7J( zaBt`0WP?NlSvKZSSw0pq7LkFeB^D`6+LIExZ1t(KjM*m)3m<-Rx2Ey5d3LQ~>-O13&-( literal 0 HcmV?d00001 diff --git a/certs/p521/root-p521.pem b/certs/p521/root-p521.pem new file mode 100644 index 000000000..75df22061 --- /dev/null +++ b/certs/p521/root-p521.pem 
@@ -0,0 +1,64 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 23:0c:f9:b8:9a:a1:1d:4f:ec:23:8f:4b:f2:20:5d:7d:ac:43:4e:98 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:01:41:60:d4:e5:cc:37:db:f4:4c:12:cc:f6:7a: + 32:cc:f2:1c:b7:53:15:bd:5f:53:ef:cb:73:a9:c8: + 14:6c:6f:7d:c5:7c:b4:bb:8e:56:c2:43:45:fb:58: + 1c:c6:45:3d:7f:e5:4e:80:cc:44:c1:06:7a:75:e1: + 69:c9:8a:a8:01:7a:df:00:44:49:73:9c:2f:50:3f: + 83:a0:1e:8b:d1:aa:fb:08:0c:90:05:0d:0c:17:31: + 51:3e:d6:85:3b:09:12:82:d1:a6:08:cd:c8:4f:6a: + 5a:c8:8c:8e:5d:bf:da:cc:5b:95:a1:e8:5a:29:78: + 22:b2:ba:49:a1:85:c6:48:8a:71:53:8d:89 + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8 + X509v3 Authority Key Identifier: + keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA256 + 30:81:87:02:41:55:16:68:aa:bc:e1:5e:b6:d3:4c:3e:aa:e6: + 64:e6:ca:94:ec:7d:0f:a8:ea:70:00:33:26:95:27:bd:23:ae: + 69:5b:29:60:28:1e:0d:fa:69:3d:21:36:f9:9d:80:74:b1:ae: + d0:2c:bd:12:13:ce:98:0c:69:39:ab:99:88:90:17:02:02:42: + 01:f7:b2:95:d0:bf:64:4d:f9:2e:0e:98:40:00:1c:a7:0a:b3: + 2e:09:f8:c2:27:56:3e:b4:2a:c0:fc:1a:3a:87:c6:6f:ac:20: + d4:df:90:f0:00:88:a0:a6:63:79:74:9c:91:c0:ce:7c:21:6b: + 65:64:a8:fb:83:48:78:eb:78:e0:51:95 +-----BEGIN CERTIFICATE----- 
+MIIDHDCCAn6gAwIBAgIUIwz5uJqhHU/sI49L8iBdfaxDTpgwCgYIKoZIzj0EAwIw +gZcxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl +bWFuMRUwEwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv +bGZzc2wuY29tMB4XDTIwMDkxNDIzNTcxOFoXDTIzMDYxMTIzNTcxOFowgZcxCzAJ +BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUw +EwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEYMBYGA1UE +AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQWDU5cw32/RMEsz2ejLM8hy3 +UxW9X1Pvy3OpyBRsb33FfLS7jlbCQ0X7WBzGRT1/5U6AzETBBnp14WnJiqgBet8A +RElznC9QP4OgHovRqvsIDJAFDQwXMVE+1oU7CRKC0aYIzchPalrIjI5dv9rMW5Wh +6FopeCKyukmhhcZIinFTjYmjYzBhMB0GA1UdDgQWBBRkp2iVUzMYoiCSvGRVpqvK +dmibyDAfBgNVHSMEGDAWgBRkp2iVUzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBiwAwgYcCQVUWaKq8 +4V6200w+quZk5sqU7H0PqOpwADMmlSe9I65pWylgKB4N+mk9ITb5nYB0sa7QLL0S +E86YDGk5q5mIkBcCAkIB97KV0L9kTfkuDphAABynCrMuCfjCJ1Y+tCrA/Bo6h8Zv +rCDU35DwAIigpmN5dJyRwM58IWtlZKj7g0h463jgUZU= +-----END CERTIFICATE----- diff --git a/certs/p521/server-p521-cert.pem b/certs/p521/server-p521-cert.pem new file mode 100644 index 000000000..7659ffae8 --- /dev/null +++ b/certs/p521/server-p521-cert.pem 
@@ -0,0 +1,68 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Server-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:00:de:70:69:f6:d1:9e:c4:fe:5f:82:52:98:ce: + 52:c1:6a:4c:12:22:0f:76:88:22:11:a5:0d:a6:02: + 47:91:ab:79:8d:f6:08:70:2d:20:14:15:df:1b:57: + 58:b3:51:ab:20:a8:2b:bd:6a:3f:a9:ee:c2:6d:ae: + 99:44:b4:a1:12:10:70:00:ca:1f:14:1d:b0:e7:0c: + 41:18:52:37:04:a7:84:53:a1:02:46:93:1f:d5:60: + 63:a6:2e:7d:8d:ea:3f:e0:5b:e5:c8:6e:1f:a7:d9: + a3:59:e5:96:27:22:f4:02:2b:af:5b:78:1f:13:a8: + 22:8b:ec:ae:01:7d:c0:61:13:a4:35:0a:21 + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 85:86:9F:AE:73:5F:94:77:27:3B:15:15:C6:79:07:A8:42:4B:1E:F3 + X509v3 Authority Key Identifier: + keyid:40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82 + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: ecdsa-with-SHA256 + 30:81:88:02:42:01:95:31:ef:ac:8f:c7:79:c8:b1:27:21:70: + 24:d1:78:d6:d4:da:d0:1d:44:52:6f:3f:0a:f1:33:ac:70:14: + cf:62:e6:23:a8:a5:30:04:e1:40:7b:05:c5:45:c9:be:b0:32: + d5:00:77:c7:6b:1d:37:7a:2c:83:02:9d:ef:5d:9e:9c:91:02: + 42:01:f8:7c:5b:fc:b3:1a:26:2c:b4:41:c8:bf:0d:ae:74:5a: + 0d:25:10:7d:9d:33:ec:5c:29:c0:7c:6a:96:f3:28:b6:06:de: + 13:1f:b1:a1:76:38:ea:a1:db:81:21:b6:81:0c:8f:67:b7:3d: + 7b:6b:e0:72:67:e3:d1:71:11:92:8b:d0:f1 +-----BEGIN 
CERTIFICATE----- +MIIDMTCCApKgAwIBAgIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEDAO +BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT +U0xfcDUyMTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wu +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIwMDkxNDIz +NTcxOFoXDTIzMDYxMTIzNTcxOFowgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN +b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjEx +FDASBgNVBAsMC1NlcnZlci1wNTIxMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZswEAYHKoZIzj0CAQYF +K4EEACMDgYYABADecGn20Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAt +IBQV3xtXWLNRqyCoK71qP6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaT +H9VgY6YufY3qP+Bb5chuH6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIaOB +iTCBhjAdBgNVHQ4EFgQUhYafrnNflHcnOxUVxnkHqEJLHvMwHwYDVR0jBBgwFoAU +QIkdMF4MbtU9xtUlkNq2Qmft6YIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC +A6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqG +SM49BAMCA4GMADCBiAJCAZUx76yPx3nIsSchcCTReNbU2tAdRFJvPwrxM6xwFM9i +5iOopTAE4UB7BcVFyb6wMtUAd8drHTd6LIMCne9dnpyRAkIB+Hxb/LMaJiy0Qci/ +Da50Wg0lEH2dM+xcKcB8apbzKLYG3hMfsaF2OOqh24EhtoEMj2e3PXtr4HJn49Fx +EZKL0PE= +-----END CERTIFICATE----- diff --git a/certs/p521/server-p521-key.der b/certs/p521/server-p521-key.der new file mode 100644 index 0000000000000000000000000000000000000000..db91e954c52827ef95b634cab49df7962e151aad GIT binary patch literal 158 zcmXqLoNXY$#;(=oan6>Bk&RWmk%d8-xv`Cbh2dU7=C_OUj{J*n3Yu{)=wOzQkP?4c zhmzn@-epYg6IWOEe&Z<6RS*%qFC8ASIdHYY3hljF_AB2V%3U|pWy?Y#fdYn8@*=Vu zp7S_L1evoeZwX$=*Ot};R(EVI@ literal 0 HcmV?d00001 diff --git a/certs/p521/server-p521-priv.pem b/certs/p521/server-p521-priv.pem new file mode 100644 index 000000000..8763564f9 --- /dev/null +++ b/certs/p521/server-p521-priv.pem 
@@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBA/UQ99abMXYOwp9KaXiqAj86ltsFQghlThjy9iBcnWkX1HwOvRd7 +cQFcIMmwK3LwktTPTcFOo0hgfvdwPKVlVJSgBwYFK4EEACOhgYkDgYYABADecGn2 +0Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAtIBQV3xtXWLNRqyCoK71q +P6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaTH9VgY6YufY3qP+Bb5chu +H6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIQ== +-----END EC PRIVATE KEY----- diff --git a/certs/p521/server-p521.der b/certs/p521/server-p521.der new file mode 100644 index 0000000000000000000000000000000000000000..593e4f54e2033aa500069df191c2d8dad54af265 GIT binary patch literal 821 zcmXqLVm35rVw$vonTe5!iILHOi;Y98&EuRc3p0~J<5WX#15P&PP!={}rqEzR0Ruh| zhl7XRH$Sf=F)tA&!p_6)lwXyao0w-PY9I_!!^Oi>o}ZHz9PATcU}|ItQ^?K3?(C=w z7LhOz11V(Y;V&;Q*8?doF3!PlajwAV*h$P2Gf>VC71vGzcs@Dful#l?-C z290e7vTV$uvV1IJEF!IK^Vb!}PbpWo78N~K$-ctLTkf-gJV;uZMZ!R=LByd`)*y~2 z@2c&wtEv-jZF5S0`?AS^2c$rlk?}tZlK}%b&B*eDcr46J%qzg@LspfA2b9#b*%(<_ z*_jy)1lc$f+B_KBemF5Qvam2Su{nUG!NCO5)!4&e(AdG`#5mRP{hI#cl_xf;D;B6+ zthjdN)&*IYpnQ9-kH%{XM9wEYQ(m#ufaRe>HS1B=llwLpU1cago-J!$rPItb_kHZV zITM+j7=P46|Jf|1rnANI#D3m&B~iSp0=09E-^6GhsL7i4Sz{a9Jz@Ec3(G8CExg^R axUG?=KYhDxb@qdz^v4$q1t)c1_y_<12KXNU literal 0 HcmV?d00001 diff --git a/certs/p521/server-p521.pem b/certs/p521/server-p521.pem new file mode 100644 index 000000000..13b15caed --- /dev/null +++ b/certs/p521/server-p521.pem 
@@ -0,0 +1,131 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Server-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:00:de:70:69:f6:d1:9e:c4:fe:5f:82:52:98:ce: + 52:c1:6a:4c:12:22:0f:76:88:22:11:a5:0d:a6:02: + 47:91:ab:79:8d:f6:08:70:2d:20:14:15:df:1b:57: + 58:b3:51:ab:20:a8:2b:bd:6a:3f:a9:ee:c2:6d:ae: + 99:44:b4:a1:12:10:70:00:ca:1f:14:1d:b0:e7:0c: + 41:18:52:37:04:a7:84:53:a1:02:46:93:1f:d5:60: + 63:a6:2e:7d:8d:ea:3f:e0:5b:e5:c8:6e:1f:a7:d9: + a3:59:e5:96:27:22:f4:02:2b:af:5b:78:1f:13:a8: + 22:8b:ec:ae:01:7d:c0:61:13:a4:35:0a:21 + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 85:86:9F:AE:73:5F:94:77:27:3B:15:15:C6:79:07:A8:42:4B:1E:F3 + X509v3 Authority Key Identifier: + keyid:40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82 + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: ecdsa-with-SHA256 + 30:81:88:02:42:01:95:31:ef:ac:8f:c7:79:c8:b1:27:21:70: + 24:d1:78:d6:d4:da:d0:1d:44:52:6f:3f:0a:f1:33:ac:70:14: + cf:62:e6:23:a8:a5:30:04:e1:40:7b:05:c5:45:c9:be:b0:32: + d5:00:77:c7:6b:1d:37:7a:2c:83:02:9d:ef:5d:9e:9c:91:02: + 42:01:f8:7c:5b:fc:b3:1a:26:2c:b4:41:c8:bf:0d:ae:74:5a: + 0d:25:10:7d:9d:33:ec:5c:29:c0:7c:6a:96:f3:28:b6:06:de: + 13:1f:b1:a1:76:38:ea:a1:db:81:21:b6:81:0c:8f:67:b7:3d: + 7b:6b:e0:72:67:e3:d1:71:11:92:8b:d0:f1 +-----BEGIN 
CERTIFICATE----- +MIIDMTCCApKgAwIBAgIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEDAO +BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT +U0xfcDUyMTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wu +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIwMDkxNDIz +NTcxOFoXDTIzMDYxMTIzNTcxOFowgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN +b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjEx +FDASBgNVBAsMC1NlcnZlci1wNTIxMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZswEAYHKoZIzj0CAQYF +K4EEACMDgYYABADecGn20Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAt +IBQV3xtXWLNRqyCoK71qP6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaT +H9VgY6YufY3qP+Bb5chuH6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIaOB +iTCBhjAdBgNVHQ4EFgQUhYafrnNflHcnOxUVxnkHqEJLHvMwHwYDVR0jBBgwFoAU +QIkdMF4MbtU9xtUlkNq2Qmft6YIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC +A6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqG +SM49BAMCA4GMADCBiAJCAZUx76yPx3nIsSchcCTReNbU2tAdRFJvPwrxM6xwFM9i +5iOopTAE4UB7BcVFyb6wMtUAd8drHTd6LIMCne9dnpyRAkIB+Hxb/LMaJiy0Qci/ +Da50Wg0lEH2dM+xcKcB8apbzKLYG3hMfsaF2OOqh24EhtoEMj2e3PXtr4HJn49Fx +EZKL0PE= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Sep 14 23:57:18 2020 GMT + Not After : Jun 11 23:57:18 2023 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:00:2d:18:24:2d:e4:db:6c:c3:69:9b:db:18:67: + 33:f1:60:68:94:14:cd:91:4a:57:65:ef:36:fa:24: + 82:88:ec:c7:f0:cb:48:45:6e:96:5f:7f:eb:76:be: + 44:40:c3:19:c0:33:68:c4:06:04:8e:c2:25:b1:96: + 83:22:0e:7b:c7:b2:fc:01:86:91:ed:43:5d:38:e0: + 
0c:25:8d:b3:db:b1:dc:de:b7:21:80:cf:87:de:64: + f4:21:3e:2d:af:79:bd:f6:d0:00:4b:81:79:fa:f7: + 10:aa:19:cd:40:d7:1e:75:34:53:29:03:ed:48:54: + 21:e5:8f:95:b5:9b:41:8d:5f:dd:72:d2:5a + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Subject Key Identifier: + 40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82 + X509v3 Authority Key Identifier: + keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA256 + 30:81:87:02:41:60:cd:fa:94:0d:23:c3:4e:3c:b1:6e:d9:b6: + 5b:0e:97:1e:a4:df:0a:7c:05:2e:61:0c:d7:c0:e5:86:16:0c: + 7b:01:a5:33:9a:e6:31:a0:62:91:da:dc:22:d1:ba:4f:75:43: + 94:43:67:91:20:08:66:96:27:53:b2:61:0e:59:0a:50:02:42: + 01:ec:87:8d:ca:6d:e0:bf:30:ba:ef:37:13:ad:f6:d1:c4:fc: + b5:e5:4b:96:c2:83:a0:d8:ed:04:73:85:8d:54:d7:e9:9a:67: + 8a:cf:11:36:4a:f2:2f:85:5a:24:5e:3c:79:e1:a7:c4:ec:78: + 82:7a:52:25:c4:55:57:95:0e:6f:c9:d5 +-----BEGIN CERTIFICATE----- +MIIDBzCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO +BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT +U0xfUDUyMTESMBAGA1UECwwJUm9vdC1QNTIxMRgwFgYDVQQDDA93d3cud29sZnNz +bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjAwOTE0 +MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM +B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfcDUy +MTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8w +HQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIGbMBAGByqGSM49AgEGBSuB +BAAjA4GGAAQALRgkLeTbbMNpm9sYZzPxYGiUFM2RSldl7zb6JIKI7Mfwy0hFbpZf +f+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHtQ1044AwljbPbsdzetyGAz4fe +ZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1IVCHlj5W1m0GNX91y0lqjYzBh +MB0GA1UdDgQWBBRAiR0wXgxu1T3G1SWQ2rZCZ+3pgjAfBgNVHSMEGDAWgBRkp2iV +UzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB 
+hjAKBggqhkjOPQQDAgOBiwAwgYcCQWDN+pQNI8NOPLFu2bZbDpcepN8KfAUuYQzX +wOWGFgx7AaUzmuYxoGKR2twi0bpPdUOUQ2eRIAhmlidTsmEOWQpQAkIB7IeNym3g +vzC67zcTrfbRxPy15UuWwoOg2O0Ec4WNVNfpmmeKzxE2SvIvhVokXjx54afE7HiC +elIlxFVXlQ5vydU= +-----END CERTIFICATE----- diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index c900231ea..e40270a18 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -504,7 +504,7 @@ run_renewcerts(){ echo "---------------------------------------------------------------------" ############################################################ - ########## generate PKCS7 bundles ########################## + ########## generate Ed448 certificates ##################### ############################################################ echo "Renewing Ed448 certificates" cd ed448 @@ -513,6 +513,16 @@ run_renewcerts(){ echo "End of section" echo "---------------------------------------------------------------------" + ############################################################ + ########## generate P-521 certificates ##################### + ############################################################ + echo "Renewing Ed448 certificates" + cd p521 + ./gen-p521-certs.sh + cd .. + echo "End of section" + echo "---------------------------------------------------------------------" + ############################################################ ###### update the ecc-rsa-server.p12 file ################## ############################################################ diff --git a/src/internal.c b/src/internal.c index 72b9dd2f1..758684c91 100644 --- a/src/internal.c +++ b/src/internal.c @@ -19461,7 +19461,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) #if defined(WOLFSSL_TLS13) && defined(HAVE_ECC) if (IsAtLeastTLSv1_3(ssl->version) && sigAlgo == ssl->suites->sigAlgo && sigAlgo == ecc_dsa_sa_algo) { - + int curveSz = ssl->buffers.keySz & (~0x3); int digestSz = GetMacDigestSize(hashAlgo); if (digestSz <= 0) continue; 
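Review bot: The new P-521 section of certs/renewcerts.sh still prints `Renewing Ed448 certificates`, copied from the block above it, so the renewal log will show two Ed448 sections and none for P-521; the line should be `echo "Renewing P-521 certificates"`. The section also checks neither `cd p521` nor `./gen-p521-certs.sh`: if the `cd` fails, the following `cd ..` leaves the rest of run_renewcerts running one directory too high, and a failed generation (the script exits 1 through check_result) goes unnoticed. `cd p521 || return 1` plus a result check after the script call would cover both, assuming that matches how the other sections of the function fail. run_renewcerts starts and ends outside this hunk.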
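Review bot: `ssl->buffers.keySz & (~0x3)` is added without a word of explanation, and the comment above the comparison in the next hunk (`if (digestSz != curveSz)`) still says the hash length is matched with the key size. A reader has to work out that a P-521 key is presumably 66 bytes here and is rounded down to 64 so that it pairs with SHA-512; I would put `/* P-521 keys are 66 bytes: round down to a multiple of 4 to match the 64-byte SHA-512 digest. */` above the declaration. The mask is applied to every ECDSA key size rather than to P-521 alone, so any size that is not a multiple of 4 is silently paired with the next smaller digest; comparing against the curve, or masking only when keySz is 66, would keep the TLS 1.3 curve-to-hash pairing exact. PickHashSigAlgo starts and ends outside both hunks.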
@@ -19469,7 +19469,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) /* TLS 1.3 signature algorithms for ECDSA match hash length with * key size. */ - if (digestSz != ssl->buffers.keySz) + if (digestSz != curveSz) continue; ssl->suites->hashAlgo = hashAlgo; diff --git a/tests/include.am b/tests/include.am index 1ef0a7cdf..d34223dcc 100644 --- a/tests/include.am +++ b/tests/include.am @@ -49,5 +49,6 @@ EXTRA_DIST += tests/test.conf \ tests/test-chains.conf \ tests/test-altchains.conf \ tests/test-trustpeer.conf \ - tests/test-dhprime.conf + tests/test-dhprime.conf \ + tests/test-p521.conf DISTCLEANFILES+= tests/.libs/unit.test diff --git a/tests/suites.c b/tests/suites.c index 655c29003..b2fddfe8c 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -879,6 +879,18 @@ int SuiteTest(int argc, char** argv) goto exit; } #endif +#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \ + defined(WOLFSSL_SHA512) + /* add P-521 certificate cipher suite tests */ + strcpy(argv0[1], "tests/test-p521.conf"); + printf("starting P-521 extra cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } +#endif #ifdef WOLFSSL_DTLS /* add dtls extra suites */ strcpy(argv0[1], "tests/test-dtls.conf"); diff --git a/tests/test-p521.conf b/tests/test-p521.conf new file mode 100644 index 000000000..84c42ebfb --- /dev/null +++ b/tests/test-p521.conf 
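Review bot: The added `strcpy(argv0[1], "tests/test-p521.conf");` in tests/suites.c is an unbounded copy into a buffer whose declaration is outside the hunk, so nothing visible shows that the path fits. It follows the pattern of the DTLS block shown as context, and the source is a fixed literal, so the risk is low. A bounded copy sized from the buffer's declaration would make the limit explicit, for example `snprintf(argv0[1], sizeof(argv0[1]), "%s", "tests/test-p521.conf");` if argv0 is an array of fixed-size buffers. SuiteTest's body continues outside the hunk.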
@@ -0,0 +1,61 @@
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/p521/server-p521.pem
+-k ./certs/p521/server-p521-priv.pem
+-d
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/p521/root-p521.pem
+-C
+
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/p521/server-p521.pem
+-k ./certs/p521/server-p521-priv.pem
+-A ./certs/p521/client-p521.pem
+-V
+# Remove -V when CRL for P-521 certificates available.
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/p521/client-p521.pem
+-k ./certs/p521/client-p521-priv.pem
+-A ./certs/p521/root-p521.pem
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/p521/server-p521.pem
+-k ./certs/p521/server-p521-priv.pem
+-d
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-A ./certs/p521/root-p521.pem
+-C
+
+# Enable when CRL for P-521 certificates available.
+# server TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/p521/server-p521.pem
+-k ./certs/p521/server-p521-priv.pem
+-A ./certs/p521/client-p521.pem
+-V
+# Remove -V when CRL for P-521 certificates available.
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/p521/client-p521.pem
+-k ./certs/p521/client-p521-priv.pem
+-A ./certs/p521/root-p521.pem
+-C
+
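Review bot: The line `# Enable when CRL for P-521 certificates available.` sits directly above an active TLS 1.3 mutual-authentication server block, so it reads as if that case were disabled when it actually runs. The block already ends with `# Remove -V when CRL for P-521 certificates available.`, which says what is intended, so the "Enable when" line should be dropped. Going by those comments, both mutual-authentication cases run without CRL checking, so revocation handling for P-521 chains is not covered until the CRL exists; a single comment at the top of the file, such as `# CRL checking is off for the client-auth cases until a P-521 CRL is generated.`, would make that gap visible.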