From 10f459f89147c05874f06d9a481943ec61492b7b Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Thu, 15 Oct 2020 13:30:20 -0700
Subject: [PATCH] Added TLS v1.2 and v1.3 test cases for ECC Koblitz and
 Brainpool curves (both server auth and mutual auth).  Cipher suites:
 `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDH-ECDSA-AES128-GCM-SHA256` and
 `TLS13-AES128-GCM-SHA256`.

---
 certs/ecc/bp256r1-key.der           | Bin 0 -> 122 bytes
 certs/ecc/bp256r1-key.pem           |   5 +
 certs/ecc/client-bp256r1-cert.der   | Bin 0 -> 717 bytes
 certs/ecc/client-bp256r1-cert.pem   |  57 +++++++++
 certs/ecc/client-secp256k1-cert.der | Bin 0 -> 710 bytes
 certs/ecc/client-secp256k1-cert.pem |  57 +++++++++
 certs/ecc/genecc.sh                 |  33 +++++
 certs/ecc/include.am                |  18 +++
 certs/ecc/secp256k1-key.der         | Bin 0 -> 118 bytes
 certs/ecc/secp256k1-key.pem         |   5 +
 certs/ecc/server-bp256r1-cert.der   | Bin 0 -> 898 bytes
 certs/ecc/server-bp256r1-cert.pem   |  63 ++++++++++
 certs/ecc/server-secp256k1-cert.der | Bin 0 -> 887 bytes
 certs/ecc/server-secp256k1-cert.pem |  63 ++++++++++
 tests/include.am                    |   3 +-
 tests/suites.c                      |  16 ++-
 tests/test-ecc-cust-curves.conf     | 181 ++++++++++++++++++++++++++++
 17 files changed, 498 insertions(+), 3 deletions(-)
 create mode 100644 certs/ecc/bp256r1-key.der
 create mode 100644 certs/ecc/bp256r1-key.pem
 create mode 100644 certs/ecc/client-bp256r1-cert.der
 create mode 100644 certs/ecc/client-bp256r1-cert.pem
 create mode 100644 certs/ecc/client-secp256k1-cert.der
 create mode 100644 certs/ecc/client-secp256k1-cert.pem
 create mode 100644 certs/ecc/secp256k1-key.der
 create mode 100644 certs/ecc/secp256k1-key.pem
 create mode 100644 certs/ecc/server-bp256r1-cert.der
 create mode 100644 certs/ecc/server-bp256r1-cert.pem
 create mode 100644 certs/ecc/server-secp256k1-cert.der
 create mode 100644 certs/ecc/server-secp256k1-cert.pem
 create mode 100644 tests/test-ecc-cust-curves.conf

diff --git a/certs/ecc/bp256r1-key.der b/certs/ecc/bp256r1-key.der
new file mode 100644
index 0000000000000000000000000000000000000000..86b9407ef5659adb12ec31d89bcf2127b61638df
GIT binary patch
literal 122
zcmXr0U}9usQDC~*tNFW;V~$=)#*+TBW4}xv?YgTQS)$-`n7vo`&bQqQxY;<hRhXHX
zI2ak(7rHPzF|g>pS3ezYbtg%6+g7KTcbZ|3SDb6ha|u!wJ>h&HNkB}_>vYG3(gzmV
e4J|423s&9OZ9L)N?MAnCFB?xXXKp>W_B8-J5i||}

literal 0
HcmV?d00001

diff --git a/certs/ecc/bp256r1-key.pem b/certs/ecc/bp256r1-key.pem
new file mode 100644
index 000000000..165d0a867
--- /dev/null
+++ b/certs/ecc/bp256r1-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHgCAQEEIALRjSn7gQicLnRopI92xvo14rrdLVl0IEzDB40t3Pa7oAsGCSskAwMC
+CAEBB6FEA0IABC7vJ8tXOtxiJba1QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXg
+OGuAhGSfcKrYuzOQwduBRq7pgckDabXOres=
+-----END EC PRIVATE KEY-----
diff --git a/certs/ecc/client-bp256r1-cert.der b/certs/ecc/client-bp256r1-cert.der
new file mode 100644
index 0000000000000000000000000000000000000000..2a70bc9fe6eaf7e999ed1453eadf7682f337f12c
GIT binary patch
literal 717
zcmXqLVmfKi#8j|=nTe5!NksXOkx}~r1=I3pVcxqg?~=U7_jaBE7aNCGo5wj@7G@@c
z##x5k2Apinp)72|OrgPs!UlpM4hIiccw%uzW?p(pex9L#0Ut<^orgU*HL;{5Clw~b
z#l!BJlUY!bnQSO-APQ2$&BN#F>}+Ie<`fWQsO#+GX((YJ29jXr;V&;Q*DKG@Nh>bS
z(M!(HHIz4yW#iOp^Jx3d%gD(nCXktzmhXV1z(7u%*T}%oz|hplz|h##B1)Xs7{oP(
zatF8LqYOmY*umk<#K^{}t-{RA#KFkO&g{g%qW50?bhy=>B-L$Oonqc;hCN<!t}V|c
zNLloR^MND*F*&c(9T!R;SY$V}q|7f^bz`^jgoC#m-PXNqJjtB7_1xOmiyJ2xH1>j{
zO;(tN$$-H?kc~5;&4aP+hZ7?s3kx$7>jDE=Hs(-SJ{B<+kuB2J{;8k#&+F=cY&^|H
zKK<2ZldA^uAZcY52?MbP><U0pF3Zoz_#bTE1BiL5EMf*CY#iEbjI6Be%uH|=3v!}j
zc4shfVN%f8w&nG@gR={{L?=zYrYp4UzpmC-<rR<a=iD^DQvXtqgGs^owd<;bHD(7B
df;jnfpJ;i?-q>`s(r(|C#G@h?wtaHC0sz#=%l-fW

literal 0
HcmV?d00001

diff --git a/certs/ecc/client-bp256r1-cert.pem b/certs/ecc/client-bp256r1-cert.pem
new file mode 100644
index 000000000..bdc13916e
--- /dev/null
+++ b/certs/ecc/client-bp256r1-cert.pem
@@ -0,0 +1,57 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            23:c2:32:32:87:c0:20:35:77:e6:56:4b:ba:d3:ba:19:de:0e:ed:9e
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:58 2020 GMT
+            Not After : Oct 13 20:13:58 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee:
+                    29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62:
+                    10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f:
+                    70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03:
+                    69:b5:ce:ad:eb
+                ASN1 OID: brainpoolP256r1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Subject Key Identifier: 
+                B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+            X509v3 Authority Key Identifier: 
+                keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:28:b6:b4:eb:ae:c1:9b:71:0a:15:92:93:d6:2d:
+         12:a6:ff:2d:2a:f5:23:a8:e2:df:6c:d9:33:d4:7f:e9:2e:08:
+         02:20:33:eb:45:aa:c1:7c:36:c1:60:52:09:0e:2d:e4:2a:49:
+         1d:d8:b2:c5:79:3e:be:d4:61:c5:14:d0:b6:f2:42:d4
+-----BEGIN CERTIFICATE-----
+MIICyTCCAnCgAwIBAgIUI8IyMofAIDV35lZLutO6Gd4O7Z4wCgYIKoZIzj0EAwIw
+gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNM
+STEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1OFoXDTMwMTAxMzIwMTM1OFowgZox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
+dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNMSTEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1
+QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD
+abXOreujgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYDVR0O
+BBYEFLQbO09l8r+eio/jM5ZEH2fqszTVMB8GA1UdIwQYMBaAFLQbO09l8r+eio/j
+M5ZEH2fqszTVMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
+KwYBBQUHAwQwCgYIKoZIzj0EAwIDRwAwRAIgKLa0667Bm3EKFZKT1i0Spv8tKvUj
+qOLfbNkz1H/pLggCIDPrRarBfDbBYFIJDi3kKkkd2LLFeT6+1GHFFNC28kLU
+-----END CERTIFICATE-----
diff --git a/certs/ecc/client-secp256k1-cert.der b/certs/ecc/client-secp256k1-cert.der
new file mode 100644
index 0000000000000000000000000000000000000000..1185dc21ed6b704c62fe5466199ee7d82f9e64bf
GIT binary patch
literal 710
zcmXqLVmf5d#FVjsnTe5!NyJv@@1hl=$v6D$JsRC6txNr^UjNB}i;Y98&EuRc3p0~J
z;|xP?15P&PP!={}rqEzRVFN)Bhl7VJJh3<<GcUa)KhIFWfDa_d&chy@npjejlL`~z
z;$e5q$t)<zOg0oX5C*B?=HYR5b~Z9K^ET9V_VF~7Fc1R?GxPA5mzV36=jWsq7w70D
z=jR&A8_2S8YPET^edlH5WE2y~%uCC6KvG~JC(dhRU}#`yYGhz&Y+@ND&T9<f8bi5*
z+38^h0&MKyFlJ(8W7TeCVc=qRVqm$>%l(m0spH@8t4|+tF0q?XwpsJ^P2q&?uR5Bp
z_iVeZcxN*I%ZS}aKP@`+RoU$5)z>P^RBpdx+Q4eK%vk<xWs|_-#t8<Ez2NAQ6=q>F
zU@#D5<4kDtU~K#0#K_3P!py|Fz(AIbIaHR9MT|wnCF@3E?&>57MJ9FS3HxQsw^e$V
z8_0vCm02VV#2T<G07bPdKO^IRuz3$4=BcuX8HliPXtOc0va&NX!C5TGiHX^R!N8SC
zp_s!<;^NxIZ!wYTx6Edp{p~kBDq?fuzYTBd%1-e_T|UU9$gq@k%UAu&`wOq|{NBGH
Yh5PJoiTC#>?TI;)Q_^%IDC(OV0DT3@cK`qY

literal 0
HcmV?d00001

diff --git a/certs/ecc/client-secp256k1-cert.pem b/certs/ecc/client-secp256k1-cert.pem
new file mode 100644
index 000000000..0d03c0889
--- /dev/null
+++ b/certs/ecc/client-secp256k1-cert.pem
@@ -0,0 +1,57 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3d:12:fd:a2:a8:15:63:d8:4e:3f:48:81:46:92:ae:65:f3:27:7f:f2
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:49 2020 GMT
+            Not After : Oct 13 20:13:49 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4:
+                    3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c:
+                    b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23:
+                    36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33:
+                    1f:cd:79:82:10
+                ASN1 OID: secp256k1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Subject Key Identifier: 
+                44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+            X509v3 Authority Key Identifier: 
+                keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:73:08:4a:18:d1:ad:81:f6:5c:59:27:da:36:9a:
+         cd:fb:4e:97:5a:58:b3:61:fe:b0:ec:7e:76:ca:0c:5a:d3:c1:
+         02:21:00:a5:05:b4:f5:2f:d3:bf:71:d4:0c:fb:bf:a0:64:0b:
+         cd:bb:18:ef:df:92:bc:5c:cc:6c:74:82:c8:52:5a:f6:46
+-----BEGIN CERTIFICATE-----
+MIICwjCCAmigAwIBAgIUPRL9oqgVY9hOP0iBRpKuZfMnf/IwCgYIKoZIzj0EAwIw
+gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1DTEkx
+GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDlaFw0zMDEwMTMyMDEzNDlaMIGYMQsw
+CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs
+ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtQ0xJMRgwFgYD
+VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
+bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp
+y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4GQ
+MIGNMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1UdDgQWBBREathx
+batiGCECJyOQvx13tnlLdzAfBgNVHSMEGDAWgBREathxbatiGCECJyOQvx13tnlL
+dzAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
+MAoGCCqGSM49BAMCA0gAMEUCIHMIShjRrYH2XFkn2jaazftOl1pYs2H+sOx+dsoM
+WtPBAiEApQW09S/Tv3HUDPu/oGQLzbsY79+SvFzMbHSCyFJa9kY=
+-----END CERTIFICATE-----
diff --git a/certs/ecc/genecc.sh b/certs/ecc/genecc.sh
index 025072b38..752440e5f 100755
--- a/certs/ecc/genecc.sh
+++ b/certs/ecc/genecc.sh
@@ -88,6 +88,39 @@ rm ./certs/client-ecc384-req.pem
 rm ./certs/client-ecc384-key.par
 
 
+# Generate ECC Kerberos Keys
+if [ -f ./certs/ecc/secp256k1-key.pem ]; then
+	openssl ecparam -name secp256k1 -genkey -noout -out ./certs/ecc/secp256k1-key.pem
+	openssl ec -in ./certs/ecc/secp256k1-key.pem -inform PEM -out ./certs/ecc/secp256k1-key.der -outform DER
+fi
+# Create self-signed ECC Kerberos certificates
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/server-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/server-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/server-secp256k1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/server-secp256k1-cert.pem -outform der -out ./certs/ecc/server-secp256k1-cert.der
+rm ./certs/ecc/server-secp256k1-req.pem
+
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/client-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/client-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/client-secp256k1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/client-secp256k1-cert.pem -outform der -out ./certs/ecc/client-secp256k1-cert.der
+rm ./certs/ecc/client-secp256k1-req.pem
+
+# Generate ECC Brainpool Keys
+if [ -f ./certs/ecc/bp256r1-key.pem ]; then
+	openssl ecparam -name brainpoolP256r1 -genkey -noout -out ./certs/ecc/bp256r1-key.pem
+	openssl ec -in ./certs/ecc/bp256r1-key.pem -inform PEM -out ./certs/ecc/bp256r1-key.der -outform DER
+fi
+# Create self-signed ECC Brainpool certificates
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/server-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/server-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/server-bp256r1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/server-bp256r1-cert.pem -outform der -out ./certs/ecc/server-bp256r1-cert.der
+rm ./certs/ecc/server-bp256r1-req.pem
+
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/client-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/client-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/client-bp256r1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/client-bp256r1-cert.pem -outform der -out ./certs/ecc/client-bp256r1-cert.der
+rm ./certs/ecc/client-bp256r1-req.pem
+
+
 # Also manually need to:
 # 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
 # 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der
diff --git a/certs/ecc/include.am b/certs/ecc/include.am
index b9897c1c2..c5a4f858a 100644
--- a/certs/ecc/include.am
+++ b/certs/ecc/include.am
@@ -6,3 +6,21 @@ EXTRA_DIST += \
 	     certs/ecc/genecc.sh \
 	     certs/ecc/wolfssl.cnf \
 	     certs/ecc/wolfssl_384.cnf
+
+# Koblitz Curves
+EXTRA_DIST += \
+	     certs/ecc/secp256k1-key.der \
+		 certs/ecc/secp256k1-key.pem \
+		 certs/ecc/client-secp256k1-cert.der \
+		 certs/ecc/client-secp256k1-cert.pem \
+		 certs/ecc/server-secp256k1-cert.der \
+		 certs/ecc/server-secp256k1-cert.pem
+
+# Brainpool Curves
+EXTRA_DIST += \
+		 certs/ecc/bp256r1-key.der \
+		 certs/ecc/bp256r1-key.pem \
+		 certs/ecc/client-bp256r1-cert.der \
+		 certs/ecc/client-bp256r1-cert.pem \
+		 certs/ecc/server-bp256r1-cert.der \
+		 certs/ecc/server-bp256r1-cert.pem
diff --git a/certs/ecc/secp256k1-key.der b/certs/ecc/secp256k1-key.der
new file mode 100644
index 0000000000000000000000000000000000000000..6a80d8bdf8f19d6a2cca9570fbfab66d489cc75c
GIT binary patch
literal 118
zcmXpgVPa%tQP}C)yR_i&7aN1EGc8X}x;tUx-GI)>EZ%sL2p8Ua4;nNVu(PphH?lBr
zEp%aaVqm$>%l(m0spH@8t4|+tF0q?XwpsJ^P2q&?uR5Bp_iVeZcxN*I%ZS}aKP@`+
bRoU$5)z>P^RBpdx+Q4eK%vk<xWs?8^pZ7J|

literal 0
HcmV?d00001

diff --git a/certs/ecc/secp256k1-key.pem b/certs/ecc/secp256k1-key.pem
new file mode 100644
index 000000000..be4b4889a
--- /dev/null
+++ b/certs/ecc/secp256k1-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEILlFjaVww/Q8MLWZOcmS3ZCx3VCJWWoNXxRYRA3e4IApoAcGBSuBBAAK
+oUQDQgAE1w0L8Q4iiP771eXhCaQ+kHazKcvZE2C36oiC14y22yHckw/pWLvF8qLC
+9SM2xdXrJKYk2+4CsAUxpjMfzXmCEA==
+-----END EC PRIVATE KEY-----
diff --git a/certs/ecc/server-bp256r1-cert.der b/certs/ecc/server-bp256r1-cert.der
new file mode 100644
index 0000000000000000000000000000000000000000..2115e057273a2b44699918cd3eaf83c149dbc6a7
GIT binary patch
literal 898
zcmXqLVy-i2Vpdte%*4pVB%=T0SNHih{W^ObeotLs$8!7b(RvO8E;bIWHji_*EX+&>
zjk6574LI4DLs{5_nL>jNg$)Ej91b3?@WkSb%)IoH{5(Se13r)-I}dwsYGO%APAW`<
zi-+AcC$pd=GucqwKoq2gn}^TU+1bd{%qbwqP&YUz%uvEW3?#wK!(U!ru2-I)lU7`u
zqnDhYYbb9Z%f_kI=F#?@mywfEOdvBaE#Co2fq|SjuaSYFfuX69fuXUfX_PpxF^Fpn
z<qmGgM;VB)v4g{ziII&{TZNgKiGz`mo!N<jMen`(>2Rw%NvhknI>o%x412udTw9(?
zkh16r=L1OsVsc)mJ1&$yu*hy`Nts`;>c(#42?uXCx~+TJc#=7D>$$bB7dJ6F8#FQ6
zgCkB>n1#uJ!9b9WGoj6cvF(QwBO?n7GZUMGfh-$ys4O3g7>mdjX>0$~Py6R}^*=VA
z<|3c|YO~2zgT`ARd1aQyO9qYS8?dTb*tlRx<J>_V&P~|UI4Hr&@-s622ZaUm3Ikz~
zUsYLnK#5<Qjggg=otY8D21gJJGZV81gMllPB15D3=I_g&&y`NHS5;tgo$MMjQCYfs
z4=2y}_ko&ACcK%*q)>8K?eJ@rhsNi&9QzSJe`c=staodSZ*XWz+Aw@<zPD^W0Cac*
AJOBUy

literal 0
HcmV?d00001

diff --git a/certs/ecc/server-bp256r1-cert.pem b/certs/ecc/server-bp256r1-cert.pem
new file mode 100644
index 000000000..217d21c55
--- /dev/null
+++ b/certs/ecc/server-bp256r1-cert.pem
@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2f:f8:fa:8b:cf:ec:8f:2c:bc:40:fb:95:a0:3e:04:db:dd:c5:7f:08
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:55 2020 GMT
+            Not After : Oct 13 20:13:55 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee:
+                    29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62:
+                    10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f:
+                    70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03:
+                    69:b5:ce:ad:eb
+                ASN1 OID: brainpoolP256r1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Subject Key Identifier: 
+                B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+            X509v3 Authority Key Identifier: 
+                keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:2F:F8:FA:8B:CF:EC:8F:2C:BC:40:FB:95:A0:3E:04:DB:DD:C5:7F:08
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:21:00:81:37:b3:f7:a7:e7:9d:1b:62:3f:25:20:02:
+         45:93:45:5c:91:23:1b:8b:bc:09:0c:f7:ef:51:29:a4:90:ec:
+         91:02:20:74:dd:26:c3:eb:24:e1:33:ce:b4:c6:f8:5f:9f:99:
+         6d:2b:9a:ee:ac:33:d8:08:29:19:3c:00:f1:83:de:a6:af
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAySgAwIBAgIUL/j6i8/sjyy8QPuVoD4E293FfwgwCgYIKoZIzj0EAwIw
+gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNS
+VjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1NVoXDTMwMTAxMzIwMTM1NVowgZox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
+dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1
+QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD
+abXOreujggFDMIIBPzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAdBgNV
+HQ4EFgQUtBs7T2Xyv56Kj+MzlkQfZ+qzNNUwgdoGA1UdIwSB0jCBz4AUtBs7T2Xy
+v56Kj+MzlkQfZ+qzNNWhgaCkgZ0wgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApX
+YXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcw
+FQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghQv+PqLz+yPLLxA+5Wg
+PgTb3cV/CDAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYI
+KoZIzj0EAwIDSAAwRQIhAIE3s/en550bYj8lIAJFk0VckSMbi7wJDPfvUSmkkOyR
+AiB03SbD6yThM860xvhfn5ltK5rurDPYCCkZPADxg96mrw==
+-----END CERTIFICATE-----
diff --git a/certs/ecc/server-secp256k1-cert.der b/certs/ecc/server-secp256k1-cert.der
new file mode 100644
index 0000000000000000000000000000000000000000..19f9ec7e801b5312422d3283c46867bcd652503e
GIT binary patch
literal 887
zcmXqLVlFmlVwPIK%*4pVB$9A-d&Pe?5o@`lySnejrEd~jwduG47aNCGo5wj@7G@@c
z#u<j(2Apinp)72|OrgPs!UlpM4hIiccw%uzW?p(pex9L#0Ut<^orgU*HL;{5Clw~b
z#l!BJlUY!bnQSO(APiE&&BNpB>}+Ie=544O9290KVIT$)X6E59FE7_C&(BFKF3!<Q
z&d)WJH;`rH)N1o+`_9YA$tWg}nU|LDfTX}cPMp`sz|g?Z)X2cl*u*SKoYxq{HHLBr
zv(v*21lZWYVa&wH#;V=O!obDs#K3Z$m-{21QpdmFSD!xQTw*t&Y_sO+o5Bg(Uv)HH
z@7Z=+@y=xaml3;<ep+<stFqbAtFKj-soZ|Yw1L%dnX&xY$|ixuO^l8PO^mkS2$L0N
zVKQJa5M<*_X!Brf`{BgM$il+R#O7ci%f=ik%f}+dBI1&DqcC@Ml7u3Yy7GkmvgO+<
zy~_<6Z-C^LSsE`GG@fn1s%By1yd{mZ2XP2DVNcnhWGc(g$oL-=63i>WNm5pog$I=6
zwb>Y1S=pHxL2Pi;urM<*yE7QLFexw=ZjFBuy?yGI$XOfiyiZ{)d(XmtV~fkv+ig!+
sdk!i|GAY<i{%!Enr_<8({^rW7n!B|*TDpFO*8I%4rX#4aex)%#072LMbpQYW

literal 0
HcmV?d00001

diff --git a/certs/ecc/server-secp256k1-cert.pem b/certs/ecc/server-secp256k1-cert.pem
new file mode 100644
index 000000000..bc8d1952f
--- /dev/null
+++ b/certs/ecc/server-secp256k1-cert.pem
@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            60:d5:b7:78:ff:06:14:3b:1e:c5:ba:8b:dd:5e:67:b2:16:aa:b2:c7
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:46 2020 GMT
+            Not After : Oct 13 20:13:46 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4:
+                    3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c:
+                    b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23:
+                    36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33:
+                    1f:cd:79:82:10
+                ASN1 OID: secp256k1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Subject Key Identifier: 
+                44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+            X509v3 Authority Key Identifier: 
+                keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:60:D5:B7:78:FF:06:14:3B:1E:C5:BA:8B:DD:5E:67:B2:16:AA:B2:C7
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:01:71:b5:5f:e4:5b:b7:95:b4:59:9a:b0:dc:ef:
+         64:01:76:ef:04:07:d8:b4:44:e5:db:86:e4:05:8c:c1:22:19:
+         02:20:3e:93:fb:30:f9:4c:89:39:35:df:b3:79:d5:29:bb:2b:
+         08:84:8a:f8:55:7c:f9:68:d6:2c:11:28:af:a9:33:0f
+-----BEGIN CERTIFICATE-----
+MIIDczCCAxqgAwIBAgIUYNW3eP8GFDsexbqL3V5nshaqsscwCgYIKoZIzj0EAwIw
+gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1TUlYx
+GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDZaFw0zMDEwMTMyMDEzNDZaMIGYMQsw
+CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs
+ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtU1JWMRgwFgYD
+VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
+bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp
+y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4IB
+QTCCAT0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwHQYDVR0OBBYEFERq
+2HFtq2IYIQInI5C/HXe2eUt3MIHYBgNVHSMEgdAwgc2AFERq2HFtq2IYIQInI5C/
+HXe2eUt3oYGepIGbMIGYMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv
+bjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwM
+RUNDMjU2SzEtU1JWMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGDVt3j/BhQ7HsW6i91eZ7IWqrLHMA4G
+A1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATAKBggqhkjOPQQDAgNH
+ADBEAiABcbVf5Fu3lbRZmrDc72QBdu8EB9i0ROXbhuQFjMEiGQIgPpP7MPlMiTk1
+37N51Sm7KwiEivhVfPlo1iwRKK+pMw8=
+-----END CERTIFICATE-----
diff --git a/tests/include.am b/tests/include.am
index f6d2cd600..d1519b918 100644
--- a/tests/include.am
+++ b/tests/include.am
@@ -49,5 +49,6 @@ EXTRA_DIST += tests/test.conf \
               tests/test-altchains.conf \
               tests/test-trustpeer.conf \
               tests/test-dhprime.conf \
-              tests/test-p521.conf
+              tests/test-p521.conf \
+              test-ecc-cust-curves.conf
 DISTCLEANFILES+= tests/.libs/unit.test
diff --git a/tests/suites.c b/tests/suites.c
index 288283333..f2d797af2 100644
--- a/tests/suites.c
+++ b/tests/suites.c
@@ -882,8 +882,8 @@ int SuiteTest(int argc, char** argv)
         goto exit;
     }
 #endif
-#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
-                                                         defined(WOLFSSL_SHA512)
+#if defined(HAVE_ECC) && defined(WOLFSSL_SHA512) && \
+    (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES))
     /* add P-521 certificate cipher suite tests */
     strcpy(argv0[1], "tests/test-p521.conf");
     printf("starting P-521 extra cipher suite tests\n");
@@ -894,6 +894,18 @@ int SuiteTest(int argc, char** argv)
         goto exit;
     }
 #endif
+#if defined(HAVE_ECC) && !defined(NO_SHA256) && defined(WOLFSSL_CUSTOM_CURVES) && \
+    defined(HAVE_ECC_KOBLITZ) && defined(HAVE_ECC_BRAINPOOL)
+    /* TLS non-NIST curves (Koblitz / Brainpool) */
+    strcpy(argv0[1], "tests/test-ecc-cust-curves.conf");
+    printf("starting TLS test of non-NIST curves (Koblitz / Brainpool)\n");
+    test_harness(&args);
+    if (args.return_code != 0) {
+        printf("error from script %d\n", args.return_code);
+        args.return_code = EXIT_FAILURE;
+        goto exit;
+    }
+#endif
 #ifdef WOLFSSL_DTLS
     /* add dtls extra suites */
     strcpy(argv0[1], "tests/test-dtls.conf");
diff --git a/tests/test-ecc-cust-curves.conf b/tests/test-ecc-cust-curves.conf
new file mode 100644
index 000000000..697d96796
--- /dev/null
+++ b/tests/test-ecc-cust-curves.conf
@@ -0,0 +1,181 @@
+# ----- secp256k1 ------
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-d
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/ecc/server-secp256k1-cert.pem
+-x
+-C
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-d
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-A ./certs/ecc/server-secp256k1-cert.pem
+-x
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-d
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-A ./certs/ecc/server-secp256k1-cert.pem
+-x
+-C
+
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutual auth)
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/client-secp256k1-cert.pem
+-V
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutal auth)
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/client-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/server-secp256k1-cert.pem
+-C
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutual auth)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/client-secp256k1-cert.pem
+-V
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutal auth)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/client-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/server-secp256k1-cert.pem
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/client-secp256k1-cert.pem
+-V
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/client-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/server-secp256k1-cert.pem
+-C
+
+# ----- bp256r1 ------
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-d
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/ecc/server-bp256r1-cert.pem
+-x
+-C
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-d
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-A ./certs/ecc/server-bp256r1-cert.pem
+-x
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-d
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-A ./certs/ecc/server-bp256r1-cert.pem
+-x
+-C
+
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutual auth)
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/client-bp256r1-cert.pem
+-V
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutal auth)
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/client-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/server-bp256r1-cert.pem
+-C
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutual auth)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/client-bp256r1-cert.pem
+-V
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutal auth)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/client-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/server-bp256r1-cert.pem
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/client-bp256r1-cert.pem
+-V
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/client-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/server-bp256r1-cert.pem
+-C