Merge pull request #1177 from dgarske/certreq_tests

Testing improvements for cert gen and TLS cert validation

.gitignore

@@ -81,6 +81,8 @@ certecc.der
 certecc.pem
 othercert.der
 othercert.pem
+certeccrsa.der
+certeccrsa.pem
 ntru-cert.der
 ntru-cert.pem
 ntru-key.raw

certs/ca-ecc-cert.pem

@@ -0,0 +1,53 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            97:b4:bd:16:78:f8:47:f2
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Validity
+            Not Before: Oct 20 18:19:06 2017 GMT
+            Not After : Oct 15 18:19:06 2037 GMT
+        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub: 
+                    04:02:d3:d9:6e:d6:01:8e:45:c8:b9:90:31:e5:c0:
+                    4c:e3:9e:ad:29:38:98:ba:10:d6:e9:09:2a:80:a9:
+                    2e:17:2a:b9:8a:bf:33:83:46:e3:95:0b:e4:77:40:
+                    b5:3b:43:45:33:0f:61:53:7c:37:44:c1:cb:fc:80:
+                    ca:e8:43:ea:a7
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
+            X509v3 Authority Key Identifier: 
+                keyid:56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:32:26:81:e4:15:ec:e3:aa:d3:e5:b8:2a:ca:a3:
+         06:a7:04:97:d8:43:7f:d4:94:47:f8:18:0d:93:52:23:8b:08:
+         02:21:00:e1:9e:34:d0:92:ee:56:0d:23:38:4a:20:bc:cf:11:
+         c3:33:77:96:81:56:2b:ca:c4:d5:c6:65:5d:36:73:2f:ba
+-----BEGIN CERTIFICATE-----
+MIICijCCAjCgAwIBAgIJAJe0vRZ4+EfyMAoGCCqGSM49BAMCMIGXMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
+A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
+Fw0xNzEwMjAxODE5MDZaFw0zNzEwMTUxODE5MDZaMIGXMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH
+d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABALT2W7WAY5FyLmQMeXATOOerSk4mLoQ1ukJKoCp
+LhcquYq/M4NG45UL5HdAtTtDRTMPYVN8N0TBy/yAyuhD6qejYzBhMB0GA1UdDgQW
+BBRWjprD8ELeGLlFVW75k8/qw/OlITAfBgNVHSMEGDAWgBRWjprD8ELeGLlFVW75
+k8/qw/OlITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO
+PQQDAgNIADBFAiAyJoHkFezjqtPluCrKowanBJfYQ3/UlEf4GA2TUiOLCAIhAOGe
+NNCS7lYNIzhKILzPEcMzd5aBVivKxNXGZV02cy+6
+-----END CERTIFICATE-----

certs/ca-ecc-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgAuEzmHeXrEpZbSib
+bqCTmwdxi01gY4WZ5rsWcOkK9oChRANCAAQC09lu1gGORci5kDHlwEzjnq0pOJi6
+ENbpCSqAqS4XKrmKvzODRuOVC+R3QLU7Q0UzD2FTfDdEwcv8gMroQ+qn
+-----END PRIVATE KEY-----

certs/ca-ecc384-cert.pem

@@ -0,0 +1,58 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f5:e1:8f:f1:4b:a6:83:8e
+    Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Validity
+            Not Before: Oct 20 18:19:06 2017 GMT
+            Not After : Oct 15 18:19:06 2037 GMT
+        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub: 
+                    04:ee:82:d4:39:9a:b1:27:82:f4:d7:ea:c6:bc:03:
+                    1d:4d:83:61:f4:03:ae:7e:bd:d8:5a:a5:b9:f0:8e:
+                    a2:a5:da:ce:87:3b:5a:ab:44:16:9c:f5:9f:62:dd:
+                    f6:20:cd:9c:76:3c:40:b1:3f:97:17:df:59:f6:cd:
+                    de:cd:46:35:c0:ed:5e:2e:48:b6:66:91:71:74:b7:
+                    0c:3f:b9:9a:b7:83:bd:93:3f:5f:50:2d:70:3f:de:
+                    35:25:e1:90:3b:86:e0
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                AB:E0:C3:26:4C:18:D4:72:BB:D2:84:8C:9C:0A:05:92:80:12:53:52
+            X509v3 Authority Key Identifier: 
+                keyid:AB:E0:C3:26:4C:18:D4:72:BB:D2:84:8C:9C:0A:05:92:80:12:53:52
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA384
+         30:65:02:30:17:dd:b9:a5:e0:ec:8a:03:8b:66:45:69:ad:5e:
+         ad:32:bc:45:4c:89:85:3f:a1:dd:a4:74:4b:5d:08:65:1b:d8:
+         07:00:49:5d:ef:10:fc:eb:8f:64:a8:62:99:88:20:59:02:31:
+         00:94:40:64:29:86:d0:00:76:1c:98:23:9c:b7:9b:be:78:73:
+         3a:88:be:52:00:3f:e3:81:36:d9:14:22:3d:9e:a2:8a:4a:56:
+         9c:c4:3f:5f:88:2e:b1:a7:6c:4d:0e:cc:92
+-----BEGIN CERTIFICATE-----
+MIICxzCCAk2gAwIBAgIJAPXhj/FLpoOOMAoGCCqGSM49BAMDMIGXMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
+A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
+Fw0xNzEwMjAxODE5MDZaFw0zNzEwMTUxODE5MDZaMIGXMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH
+d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqG
+SM49AgEGBSuBBAAiA2IABO6C1DmasSeC9NfqxrwDHU2DYfQDrn692FqlufCOoqXa
+zoc7WqtEFpz1n2Ld9iDNnHY8QLE/lxffWfbN3s1GNcDtXi5ItmaRcXS3DD+5mreD
+vZM/X1AtcD/eNSXhkDuG4KNjMGEwHQYDVR0OBBYEFKvgwyZMGNRyu9KEjJwKBZKA
+ElNSMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKAElNSMA8GA1UdEwEB/wQF
+MAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMBfduaXg7IoD
+i2ZFaa1erTK8RUyJhT+h3aR0S10IZRvYBwBJXe8Q/OuPZKhimYggWQIxAJRAZCmG
+0AB2HJgjnLebvnhzOoi+UgA/44E22RQiPZ6iikpWnMQ/X4gusadsTQ7Mkg==
+-----END CERTIFICATE-----

certs/ca-ecc384-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB7FuPW0oGUbIrdqHju
+x36zxdHbLvPtDkiFsfLhejlWwPFiEg81tzm8nCXAduv+VXChZANiAATugtQ5mrEn
+gvTX6sa8Ax1Ng2H0A65+vdhapbnwjqKl2s6HO1qrRBac9Z9i3fYgzZx2PECxP5cX
+31n2zd7NRjXA7V4uSLZmkXF0tww/uZq3g72TP19QLXA/3jUl4ZA7huA=
+-----END PRIVATE KEY-----

certs/crl/caEcc384Crl.pem

@@ -0,0 +1,30 @@
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Last Update: Oct 20 18:19:08 2017 GMT
+        Next Update: Jul 16 18:19:08 2020 GMT
+        CRL extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:AB:E0:C3:26:4C:18:D4:72:BB:D2:84:8C:9C:0A:05:92:80:12:53:52
+
+            X509v3 CRL Number: 
+                8193
+No Revoked Certificates.
+    Signature Algorithm: ecdsa-with-SHA256
+         30:65:02:31:00:ad:70:4b:08:03:b6:ab:d4:9e:8d:dd:2a:05:
+         ec:07:6b:86:61:08:69:08:1e:01:02:42:22:5f:a9:6d:4f:de:
+         20:6b:aa:a0:8f:e4:0a:8e:40:7c:cf:84:fb:10:50:01:90:02:
+         30:50:35:d3:6c:44:bd:ad:56:9d:3e:47:09:ac:b8:0d:db:5c:
+         54:f2:1c:25:fb:d2:cb:63:2b:9e:17:a3:1e:0b:ba:15:a8:65:
+         7e:5b:94:c0:11:f4:e2:c9:f1:25:ba:08:26
+-----BEGIN X509 CRL-----
+MIIBcjCB+QIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
+FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE3MTAyMDE4MTkwOFoX
+DTIwMDcxNjE4MTkwOFqgMDAuMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKA
+ElNSMAsGA1UdFAQEAgIgATAKBggqhkjOPQQDAgNoADBlAjEArXBLCAO2q9Sejd0q
+BewHa4ZhCGkIHgECQiJfqW1P3iBrqqCP5AqOQHzPhPsQUAGQAjBQNdNsRL2tVp0+
+RwmsuA3bXFTyHCX70stjK54Xox4LuhWoZX5blMAR9OLJ8SW6CCY=
+-----END X509 CRL-----

certs/crl/caEccCrl.pem

@@ -0,0 +1,28 @@
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Last Update: Oct 20 18:19:08 2017 GMT
+        Next Update: Jul 16 18:19:08 2020 GMT
+        CRL extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
+
+            X509v3 CRL Number: 
+                8192
+No Revoked Certificates.
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:51:84:45:49:4b:69:3a:e0:84:d2:9c:e4:62:c9:
+         4c:30:83:ba:3e:5a:f6:ea:2c:54:50:17:26:4d:fc:82:5f:d2:
+         02:21:00:e5:6b:a6:1c:e3:83:07:cd:59:04:66:00:a0:76:77:
+         11:d8:82:76:fd:a9:2d:cc:3a:db:3a:0f:b5:1a:a6:f3:a8
+-----BEGIN X509 CRL-----
+MIIBUjCB+QIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
+FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE3MTAyMDE4MTkwOFoX
+DTIwMDcxNjE4MTkwOFqgMDAuMB8GA1UdIwQYMBaAFFaOmsPwQt4YuUVVbvmTz+rD
+86UhMAsGA1UdFAQEAgIgADAKBggqhkjOPQQDAgNIADBFAiBRhEVJS2k64ITSnORi
+yUwwg7o+WvbqLFRQFyZN/IJf0gIhAOVrphzjgwfNWQRmAKB2dxHYgnb9qS3MOts6
+D7UapvOo
+-----END X509 CRL-----

certs/crl/gencrls.sh

@@ -55,6 +55,28 @@ mv tmp crl.revoked
 # remove revoked so next time through the normal CA won't have server revoked
 cp blank.index.txt demoCA/index.txt
 
+# caEccCrl
+openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
+
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
+
+# metadata
+openssl crl -in caEccCrl.pem -text > tmp
+mv tmp caEccCrl.pem
+# install (only needed if working outside wolfssl)
+#cp caEccCrl.pem ~/wolfssl/certs/crl/caEccCrl.pem
+
+# caEcc384Crl
+openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
+
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
+
+# metadata
+openssl crl -in caEcc384Crl.pem -text > tmp
+mv tmp caEcc384Crl.pem
+# install (only needed if working outside wolfssl)
+#cp caEcc384Crl.pem ~/wolfssl/certs/crl/caEcc384Crl.pem
+
 # cliCrl
 openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out cliCrl.pem -keyfile ../client-key.pem -cert ../client-cert.pem
 

certs/crl/include.am

@@ -7,9 +7,9 @@ EXTRA_DIST += \
 	     certs/crl/cliCrl.pem \
 	     certs/crl/eccSrvCRL.pem \
 	     certs/crl/eccCliCRL.pem \
-	     certs/crl/crl2.pem
+	     certs/crl/crl2.pem \
+	     certs/crl/caEccCrl.pem \
+	     certs/crl/caEcc384Crl.pem
 
 EXTRA_DIST += \
 	     certs/crl/crl.revoked
-
-

certs/ecc/genecc.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# run from wolfssl root
+
+rm ./certs/ecc/*.old
+rm ./certs/ecc/index.txt*
+rm ./certs/ecc/serial
+rm ./certs/ecc/crlnumber
+
+touch ./certs/ecc/index.txt
+echo 1000 > ./certs/ecc/serial
+echo 2000 > ./certs/ecc/crlnumber
+
+# generate ECC 256-bit CA
+openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
+openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+
+openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
+openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
+
+rm ./certs/ca-ecc-key.par
+
+# generate ECC 384-bit CA
+openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
+openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+
+openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
+openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
+
+rm ./certs/ca-ecc384-key.par
+
+
+# Generate ECC 256-bit server cert
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc-key.pem -out ./certs/server-ecc-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/server-ecc-req.pem -CA ./certs/ca-ecc-cert.pem -CAkey ./certs/ca-ecc-key.pem -CAcreateserial -out ./certs/server-ecc.pem -sha256
+
+# Sign server certificate
+openssl ca -config ./certs/ecc/wolfssl.cnf -extensions server_cert -days 3650 -notext -md sha256 -in ./certs/server-ecc-req.pem -out ./certs/server-ecc.pem
+openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der
+
+rm ./certs/server-ecc-req.pem 
+
+# Gen CRL
+openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
+openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
+
+# Also manually need to:
+# 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
+# 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der
+# 3. Covert bad cert to pem `openssl x509 -inform der -in ./certs/test/server-cert-ecc-badsig.der -outform pem -out ./certs/test/server-cert-ecc-badsig.pem`
+# 4. Update AKID's for CA's in test.c certext_test() function akid_ecc.

certs/ecc/include.am

@@ -0,0 +1,8 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+	     certs/ecc/genecc.sh \
+	     certs/ecc/wolfssl.cnf
+

certs/ecc/wolfssl.cnf

@@ -0,0 +1,109 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = .
+certs             = $dir/certs
+new_certs_dir     = $dir/certs
+database          = $dir/certs/ecc/index.txt
+serial            = $dir/certs/ecc/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/certs/ca-ecc-key.pem
+certificate       = $dir/certs/ca-ecc-cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/certs/ecc/crlnumber
+crl_extensions    = crl_ext
+default_crl_days  = 1000
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+preserve          = no
+policy            = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = US
+stateOrProvinceName             = Washington
+localityName                    = Seattle
+0.organizationName              = wolfSSL
+organizationalUnitName          = Development
+commonName                      = www.wolfssl.com
+emailAddress                    = info@wolfssl.com
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always

certs/include.am

@@ -21,6 +21,7 @@ EXTRA_DIST += \
 	     certs/dh2048.pem \
 	     certs/server-cert.pem \
 	     certs/server-ecc.pem \
+	     certs/server-ecc-self.pem \
 	     certs/server-ecc-comp.pem \
 	     certs/server-ecc-rsa.pem \
 	     certs/server-keyEnc.pem \
@@ -35,8 +36,8 @@ EXTRA_DIST += \
 	     certs/wolfssl-website-ca.pem \
 	     certs/test-servercert.p12 \
 	     certs/dsaparams.pem \
-             certs/ecc-privOnlyKey.pem \
-             certs/ecc-privOnlyCert.pem \
+	     certs/ecc-privOnlyKey.pem \
+	     certs/ecc-privOnlyCert.pem \
 	     certs/dh3072.pem \
 	     certs/client-cert-3072.pem \
 	     certs/client-key-3072.pem
@@ -58,25 +59,40 @@ EXTRA_DIST += \
 	     certs/server-cert.der \
 	     certs/server-ecc-comp.der \
 	     certs/server-ecc.der \
+	     certs/server-ecc-self.der \
 	     certs/server-ecc-rsa.der \
 	     certs/server-cert-chain.der
 EXTRA_DIST += \
-             certs/ed25519/ca-ed25519.der \
-             certs/ed25519/ca-ed25519-key.der \
-             certs/ed25519/ca-ed25519-key.pem \
-             certs/ed25519/ca-ed25519.pem \
-             certs/ed25519/client-ed25519.der \
-             certs/ed25519/client-ed25519-key.der \
-             certs/ed25519/client-ed25519-key.pem \
-             certs/ed25519/client-ed25519.pem \
-             certs/ed25519/root-ed25519.der \
-             certs/ed25519/root-ed25519-key.der \
-             certs/ed25519/root-ed25519-key.pem \
-             certs/ed25519/root-ed25519.pem \
-             certs/ed25519/server-ed25519.der \
-             certs/ed25519/server-ed25519-key.der \
-             certs/ed25519/server-ed25519-key.pem \
-             certs/ed25519/server-ed25519.pem
+         certs/ed25519/ca-ed25519.der \
+         certs/ed25519/ca-ed25519-key.der \
+         certs/ed25519/ca-ed25519-key.pem \
+         certs/ed25519/ca-ed25519.pem \
+         certs/ed25519/client-ed25519.der \
+         certs/ed25519/client-ed25519-key.der \
+         certs/ed25519/client-ed25519-key.pem \
+         certs/ed25519/client-ed25519.pem \
+         certs/ed25519/root-ed25519.der \
+         certs/ed25519/root-ed25519-key.der \
+         certs/ed25519/root-ed25519-key.pem \
+         certs/ed25519/root-ed25519.pem \
+         certs/ed25519/server-ed25519.der \
+         certs/ed25519/server-ed25519-key.der \
+         certs/ed25519/server-ed25519-key.pem \
+         certs/ed25519/server-ed25519.pem
+
+# ECC CA prime256v1
+EXTRA_DIST += \
+		 certs/ca-ecc-cert.der \
+		 certs/ca-ecc-cert.pem \
+		 certs/ca-ecc-key.der \
+		 certs/ca-ecc-key.pem
+
+# ECC CA SECP384R1
+EXTRA_DIST += \
+		 certs/ca-ecc384-cert.der \
+		 certs/ca-ecc384-cert.pem \
+		 certs/ca-ecc384-key.der \
+		 certs/ca-ecc384-key.pem
 
 dist_doc_DATA+= certs/taoCert.txt
 
@@ -85,3 +101,4 @@ EXTRA_DIST+= certs/ntru-key.raw
 include certs/test/include.am
 include certs/test-pathlen/include.am
 include certs/test/include.am
+include certs/ecc/include.am

certs/server-ecc-self.pem

@@ -0,0 +1,56 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            ef:46:c7:a4:9b:bb:60:d3
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Validity
+            Not Before: Aug 11 20:07:38 2016 GMT
+            Not After : May  8 20:07:38 2019 GMT
+        Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub: 
+                    04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
+                    9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
+                    16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:
+                    21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33:
+                    0b:80:34:89:d8
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
+            X509v3 Authority Key Identifier: 
+                keyid:5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
+                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:EF:46:C7:A4:9B:BB:60:D3
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: ecdsa-with-SHA256
+         30:46:02:21:00:f1:d0:a6:3e:83:33:24:d1:7a:05:5f:1e:0e:
+         bd:7d:6b:33:e9:f2:86:f3:f3:3d:a9:ef:6a:87:31:b3:b7:7e:
+         50:02:21:00:f0:60:dd:ce:a2:db:56:ec:d9:f4:e4:e3:25:d4:
+         b0:c9:25:7d:ca:7a:5d:ba:c4:b2:f6:7d:04:c7:bd:62:c9:20
+-----BEGIN CERTIFICATE-----
+MIIDEDCCArWgAwIBAgIJAO9Gx6Sbu2DTMAoGCCqGSM49BAMCMIGPMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
+A1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx
+MjAwNzM4WhcNMTkwNTA4MjAwNzM4WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx
+DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
+hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
+QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih
+f/DPGNqREQI0huggWDMLgDSJ2KOB9zCB9DAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr
+SiUCI++yiTAwgcQGA1UdIwSBvDCBuYAUXV0m76x+NvmbdhUrSiUCI++yiTChgZWk
+gZIwgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNV
+BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
+LmNvbYIJAO9Gx6Sbu2DTMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIh
+APHQpj6DMyTRegVfHg69fWsz6fKG8/M9qe9qhzGzt35QAiEA8GDdzqLbVuzZ9OTj
+JdSwySV9ynpdusSy9n0Ex71iySA=
+-----END CERTIFICATE-----

certs/server-ecc.pem

@@ -1,13 +1,12 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number:
-            ef:46:c7:a4:9b:bb:60:d3
+        Serial Number: 4096 (0x1000)
     Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
         Validity
-            Not Before: Aug 11 20:07:38 2016 GMT
-            Not After : May  8 20:07:38 2019 GMT
+            Not Before: Oct 20 18:19:06 2017 GMT
+            Not After : Oct 18 18:19:06 2027 GMT
         Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
@@ -21,36 +20,43 @@ Certificate:
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
             X509v3 Subject Key Identifier: 
                 5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
             X509v3 Authority Key Identifier: 
-                keyid:5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
-                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:EF:46:C7:A4:9B:BB:60:D3
+                keyid:56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
+                DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:97:B4:BD:16:78:F8:47:F2
 
-            X509v3 Basic Constraints: 
-                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
     Signature Algorithm: ecdsa-with-SHA256
-         30:46:02:21:00:f1:d0:a6:3e:83:33:24:d1:7a:05:5f:1e:0e:
-         bd:7d:6b:33:e9:f2:86:f3:f3:3d:a9:ef:6a:87:31:b3:b7:7e:
-         50:02:21:00:f0:60:dd:ce:a2:db:56:ec:d9:f4:e4:e3:25:d4:
-         b0:c9:25:7d:ca:7a:5d:ba:c4:b2:f6:7d:04:c7:bd:62:c9:20
+         30:46:02:21:00:be:b8:58:f0:e4:15:01:1f:df:70:54:73:4a:
+         6c:40:1f:77:a8:b4:eb:52:1e:bf:f5:0d:b1:33:ca:6a:c4:76:
+         b9:02:21:00:97:08:de:2c:28:c1:45:71:b6:2c:54:87:98:63:
+         76:a8:21:34:90:a8:f7:9e:3f:fc:02:b0:e7:d3:09:31:27:e4
 -----BEGIN CERTIFICATE-----
-MIIDEDCCArWgAwIBAgIJAO9Gx6Sbu2DTMAoGCCqGSM49BAMCMIGPMQswCQYDVQQG
-EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
-A1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx
-MjAwNzM4WhcNMTkwNTA4MjAwNzM4WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
-Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx
-DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
-hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
-QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih
-f/DPGNqREQI0huggWDMLgDSJ2KOB9zCB9DAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr
-SiUCI++yiTAwgcQGA1UdIwSBvDCBuYAUXV0m76x+NvmbdhUrSiUCI++yiTChgZWk
-gZIwgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
-DAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNV
-BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbYIJAO9Gx6Sbu2DTMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIh
-APHQpj6DMyTRegVfHg69fWsz6fKG8/M9qe9qhzGzt35QAiEA8GDdzqLbVuzZ9OTj
-JdSwySV9ynpdusSy9n0Ex71iySA=
+MIIDUDCCAvWgAwIBAgICEAAwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
+b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE3MTAy
+MDE4MTkwNloXDTI3MTAxODE4MTkwNlowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI
+DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
+MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5oxW5eS
+IX/wzxjakRECNIboIFgzC4A0idijggE1MIIBMTAJBgNVHRMEAjAAMBEGCWCGSAGG
++EIBAQQEAwIGQDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwgcwGA1Ud
+IwSBxDCBwYAUVo6aw/BC3hi5RVVu+ZPP6sPzpSGhgZ2kgZowgZcxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
+VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3
+LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkA
+l7S9Fnj4R/IwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoG
+CCqGSM49BAMCA0kAMEYCIQC+uFjw5BUBH99wVHNKbEAfd6i061Iev/UNsTPKasR2
+uQIhAJcI3iwowUVxtixUh5hjdqghNJCo954//AKw59MJMSfk
 -----END CERTIFICATE-----

certs/test/include.am

@@ -11,3 +11,9 @@ EXTRA_DIST += \
 	     certs/test/gen-ext-certs.sh \
          certs/test/server-duplicate-policy.pem
 
+# The certs/server-cert with the last byte (signature byte) changed
+EXTRA_DIST += \
+         certs/test/server-cert-rsa-badsig.der \
+         certs/test/server-cert-rsa-badsig.pem \
+		 certs/test/server-cert-ecc-badsig.der \
+         certs/test/server-cert-ecc-badsig.pem

certs/test/server-cert-ecc-badsig.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAvWgAwIBAgICEAAwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
+b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE3MTAy
+MDE4MTkwNloXDTI3MTAxODE4MTkwNlowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI
+DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
+MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5oxW5eS
+IX/wzxjakRECNIboIFgzC4A0idijggE1MIIBMTAJBgNVHRMEAjAAMBEGCWCGSAGG
++EIBAQQEAwIGQDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwgcwGA1Ud
+IwSBxDCBwYAUVo6aw/BC3hi5RVVu+ZPP6sPzpSGhgZ2kgZowgZcxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
+VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3
+LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkA
+l7S9Fnj4R/IwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoG
+CCqGSM49BAMCA0kAMEYCIQC+uFjw5BUBH99wVHNKbEAfd6i061Iev/UNsTPKasR2
+uQIhAJcI3iwowUVxtixUh5hjdqghNJCo954//AKw59MJMSfl
+-----END CERTIFICATE-----

certs/test/server-cert-rsa-badsig.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEnjCCA4agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
+d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx
+MjAwNzM3WhcNMTkwNTA4MjAwNzM3WjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
+BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
+f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
+GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
+QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
+0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
+6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOB/DCB+TAdBgNVHQ4EFgQU
+sxEyyZKYhOLJ+NA7bgNCyh8OjjwwgckGA1UdIwSBwTCBvoAUJ45nEXTDJh0/7TNj
+s6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5h
+MRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwK
+Q29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcN
+AQkBFhBpbmZvQHdvbGZzc2wuY29tggkAt7aQM2YbayMwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOCAQEAUf4q3wd+Q8pmjRXEK9tXsgZtDZBm/6UknBTvgfKk
+q5mpakkgpdJx5xw8mQfHR/zolrT1QjDOOQFL0cLovJWEh85VXZefz3jzVpulCG2s
+9qVcxO8+KjmmSCYpey3gzaaMV0gLuzEywr/ZQ0xHJRiBqMkzgkGbumGG14STFyQl
+NspNY2tPlXnYYOAe9azBiqGxfoWOhyAvCDGtXsZKyGH0ngceoiLtc3yF7vpi3FA2
+qv3HnaoYBPvqzCxom7OpwpbYwcxafvcNngjgnSmLhEaP05Fqtbh6XMxPVQG4mkig
+lEPKJUdSCvf0vrDRcW2lUkplULKtTh3gbAHY+0OA5uQMOA==
+-----END CERTIFICATE-----

configure.ac

@@ -3631,6 +3631,18 @@ fi
 AM_CONDITIONAL([BUILD_TRUST_PEER_CERT], [test "x$have_tp" = "xyes"])
 
 
+# dertermine if we have key validation mechanism
+if test "x$ENABLED_ECC" = "xyes" || test "x$ENABLED_RSA" = "xyes"
+then
+    if test "x$ENABLED_ASN" = "xyes"
+    then
+        ENABLED_PKI="yes"
+    fi
+fi
+AM_CONDITIONAL([BUILD_PKI], [test "x$ENABLED_PKI" = "xyes"])
+
+
+
 ################################################################################
 # Check for build-type conflicts                                               #
 ################################################################################

examples/client/client.c

@@ -736,7 +736,7 @@ static void Usage(void)
 #ifdef HAVE_WNR
     printf("-q <file>   Whitewood config file,      default %s\n", wnrConfig);
 #endif
-    printf("-H          Force use of the default cipher suite list\n");
+    printf("-H <arg>    Internal tests [defCipherList, badCert]\n");
 #ifdef WOLFSSL_TLS13
     printf("-J          Use HelloRetryRequest to choose group for KE\n");
     printf("-K          Key Exchange for PSK not using (EC)DHE\n");
@@ -826,6 +826,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     unsigned char alpn_opt = 0;
     char*  cipherList = NULL;
     int    useDefCipherList = 0;
+    int    useBadCert = 0;
     const char* verifyCert = caCertFile;
     const char* ourCert    = cliCertFile;
     const char* ourKey     = cliKeyFile;
@@ -887,7 +888,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     ((func_args*)args)->return_code = -1; /* error state */
 
 #ifdef NO_RSA
-    verifyCert = (char*)eccCertFile;
+    verifyCert = (char*)caEccCertFile;
     ourCert    = (char*)cliEccCertFile;
     ourKey     = (char*)cliEccKeyFile;
 #endif
@@ -910,6 +911,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     (void)updateKeysIVs;
     (void)useX25519;
     (void)helloRetry;
+    (void)useBadCert;
 
     StackTrap();
 
@@ -917,7 +919,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     /* Not used: All used */
     while ((ch = mygetopt(argc, argv, "?"
             "ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz"
-            "A:B:CDE:F:GHIJKL:M:NO:PQRS:TUVW:XYZ:"
+            "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
             "03:")) != -1) {
         switch (ch) {
             case '?' :
@@ -1026,7 +1028,18 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                 break;
 
             case 'H' :
-                useDefCipherList = 1;
+                if (XSTRNCMP(myoptarg, "defCipherList", 13) == 0) {
+                    printf("Using default cipher list for testing\n");
+                    useDefCipherList = 1;
+                }
+                else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) {
+                    printf("Using bad certificate for testing\n");
+                    useBadCert = 1;
+                }
+                else {
+                    Usage();
+                    exit(MY_EX_USAGE);
+                }
                 break;
 
             case 'A' :
@@ -1461,7 +1474,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                 defaultCipherList = "PSK-AES128-CBC-SHA256";
         #endif
             if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList)
-                                                                !=WOLFSSL_SUCCESS) {
+                                                            !=WOLFSSL_SUCCESS) {
                 wolfSSL_CTX_free(ctx);
                 err_sys("client can't set cipher list 2");
             }
@@ -1477,7 +1490,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         if (cipherList == NULL || (cipherList && useDefCipherList)) {
             wolfSSL_CTX_allow_anon_cipher(ctx);
             if (wolfSSL_CTX_set_cipher_list(ctx,"ADH-AES128-SHA")
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
                 wolfSSL_CTX_free(ctx);
                 err_sys("client can't set cipher list 4");
             }
@@ -1531,7 +1544,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     if (useClientCert){
 #if !defined(NO_FILESYSTEM)
         if (wolfSSL_CTX_use_certificate_chain_file(ctx, ourCert)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("can't load client cert file, check file and run from"
                     " wolfSSL home dir");
@@ -1549,10 +1562,19 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif  /* !defined(NO_FILESYSTEM) */
     }
 
+    /* for testing only - use client cert as CA to force no signer error */
+    if (useBadCert) {
+    #if !defined(NO_RSA)
+        verifyCert = "./certs/client-cert.pem";
+    #elif defined(HAVE_ECC)
+        verifyCert = "./certs/client-ecc-cert.pem";
+    #endif
+    }
+
     if (!usePsk && !useAnon && !useVerifyCb) {
 #if !defined(NO_FILESYSTEM)
         if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("can't load ca file, Please run from wolfSSL home dir");
         }
@@ -1562,7 +1584,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #ifdef HAVE_ECC
         /* load ecc verify too, echoserver uses it by default w/ ecc */
 #if !defined(NO_FILESYSTEM)
-        if (wolfSSL_CTX_load_verify_locations(ctx, eccCertFile, 0) != WOLFSSL_SUCCESS) {
+        if (wolfSSL_CTX_load_verify_locations(ctx, eccCertFile, 0)
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("can't load ecc ca file, Please run from wolfSSL home dir");
         }
@@ -1573,7 +1596,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #if defined(WOLFSSL_TRUST_PEER_CERT) && !defined(NO_FILESYSTEM)
         if (trustCert) {
             if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert,
-                                            WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
+                                    WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
                 wolfSSL_CTX_free(ctx);
                 err_sys("can't load trusted peer cert file");
             }
@@ -1599,7 +1622,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #ifdef HAVE_SNI
     if (sniHostName)
         if (wolfSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName))
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("UseSNI failed");
     }
@@ -1634,11 +1657,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #if defined(HAVE_CURVE25519) && defined(HAVE_SUPPORTED_CURVES)
     if (useX25519) {
         if (wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_X25519)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             err_sys("unable to support X25519");
         }
         if (wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256R1)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             err_sys("unable to support secp256r1");
         }
     }
@@ -1688,7 +1711,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     if (doMcast) {
 #ifdef WOLFSSL_MULTICAST
         wolfSSL_CTX_mcast_set_member_id(ctx, mcastID);
-        if (wolfSSL_CTX_set_cipher_list(ctx, "WDM-NULL-SHA256") != WOLFSSL_SUCCESS) {
+        if (wolfSSL_CTX_set_cipher_list(ctx, "WDM-NULL-SHA256")
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("Couldn't set multicast cipher list.");
         }
@@ -1733,7 +1757,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         }
         if (onlyKeyShare == 0 || onlyKeyShare == 1) {
         #ifdef HAVE_FFDHE_2048
-            if (wolfSSL_UseKeyShare(ssl, WOLFSSL_FFDHE_2048) != WOLFSSL_SUCCESS) {
+            if (wolfSSL_UseKeyShare(ssl, WOLFSSL_FFDHE_2048)
+                                                           != WOLFSSL_SUCCESS) {
                 err_sys("unable to use DH 2048-bit parameters");
             }
         #endif
@@ -1756,7 +1781,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         XMEMSET(sr, 0x5A, sizeof(sr));
 
         if (wolfSSL_set_secret(ssl, 1, pms, sizeof(pms), cr, sr, suite)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("unable to set mcast secret");
         }
@@ -1778,7 +1803,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         switch (statusRequest) {
             case WOLFSSL_CSR_OCSP:
                 if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
-                                   WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) {
+                               WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) {
                     wolfSSL_free(ssl);
                     wolfSSL_CTX_free(ctx);
                     err_sys("UseCertificateStatusRequest failed");
@@ -1796,7 +1821,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             case WOLFSSL_CSR2_OCSP:
                 if (wolfSSL_UseOCSPStaplingV2(ssl,
                     WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
                     wolfSSL_free(ssl);
                     wolfSSL_CTX_free(ctx);
                     err_sys("UseCertificateStatusRequest failed");
@@ -1805,7 +1830,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             case WOLFSSL_CSR2_OCSP_MULTI:
                 if (wolfSSL_UseOCSPStaplingV2(ssl,
                     WOLFSSL_CSR2_OCSP_MULTI, 0)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
                     wolfSSL_free(ssl);
                     wolfSSL_CTX_free(ctx);
                     err_sys("UseCertificateStatusRequest failed");
@@ -1846,7 +1871,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             err_sys("can't enable crl check");
         }
         if (wolfSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, 0)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_free(ssl);
             wolfSSL_CTX_free(ctx);
             err_sys("can't load crl, check crlfile and date validity");

examples/echoclient/echoclient.c

@@ -139,7 +139,7 @@ void echoclient_test(void* args)
         err_sys("can't load ca file, Please run from wolfSSL home dir");
     #endif
     #ifdef HAVE_ECC
-        if (SSL_CTX_load_verify_locations(ctx, eccCertFile, 0) != WOLFSSL_SUCCESS)
+        if (SSL_CTX_load_verify_locations(ctx, caEccCertFile, 0) != WOLFSSL_SUCCESS)
             err_sys("can't load ca file, Please run from wolfSSL home dir");
     #endif
 #elif !defined(NO_CERTS)

examples/server/server.c

@@ -411,7 +411,7 @@ static void Usage(void)
 #endif
     printf("-g          Return basic HTML web page\n");
     printf("-C <num>    The number of connections to accept, default: 1\n");
-    printf("-H          Force use of the default cipher suite list\n");
+    printf("-H <arg>    Internal tests [defCipherList, badCert]\n");
 #ifdef WOLFSSL_TLS13
     printf("-K          Key Exchange for PSK not using (EC)DHE\n");
     printf("-U          Update keys and IVs before sending\n");
@@ -481,6 +481,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     unsigned char alpn_opt = 0;
     char*  cipherList = NULL;
     int    useDefCipherList = 0;
+    int    useBadCert = 0;
     const char* verifyCert = cliCertFile;
     const char* ourCert    = svrCertFile;
     const char* ourKey     = svrKeyFile;
@@ -561,6 +562,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     (void)readySignal;
     (void)updateKeysIVs;
     (void)mcastID;
+    (void)useBadCert;
 
 #ifdef CYASSL_TIRTOS
     fdOpenSession(Task_self());
@@ -572,7 +574,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     /* Not Used: h, m, t, y, z, F, M, T, V, W, X, Y */
     while ((ch = mygetopt(argc, argv, "?"
                 "abc:defgijk:l:nop:q:rsuv:wx"
-                "A:B:C:D:E:GHIJKL:NO:PQR:S:UYZ:"
+                "A:B:C:D:E:GH:IJKL:NO:PQR:S:UYZ:"
                 "03:")) != -1) {
         switch (ch) {
             case '?' :
@@ -656,7 +658,18 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
                 break;
 
             case 'H' :
-                useDefCipherList = 1;
+                if (XSTRNCMP(myoptarg, "defCipherList", 13) == 0) {
+                    printf("Using default cipher list for testing\n");
+                    useDefCipherList = 1;
+                }
+                else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) {
+                    printf("Using bad certificate for testing\n");
+                    useBadCert = 1;
+                }
+                else {
+                    Usage();
+                    exit(MY_EX_USAGE);
+                }
                 break;
 
             case 'A' :
@@ -969,6 +982,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #endif
 
 #if !defined(NO_CERTS)
+    /* for testing only - use bad cert as server cert for sig confirm err */
+    if (useBadCert) {
+    #if !defined(NO_RSA)
+        ourCert = "./certs/test/server-cert-rsa-badsig.pem";
+    #elif defined(HAVE_ECC)
+        ourCert = "./certs/test/server-cert-ecc-badsig.pem";
+    #endif
+    }
+
     if ((!usePsk || usePskPlus) && !useAnon) {
     #if !defined(NO_FILESYSTEM)
         if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
@@ -1063,8 +1085,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
        if using PSK Plus then verify peer certs except PSK suites */
     if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) {
         SSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER |
-                                ((usePskPlus)? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
-                                WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT),0);
+                            (usePskPlus ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
+                                WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), 0);
         if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != WOLFSSL_SUCCESS)
             err_sys_ex(runWithErrors, "can't load ca file, Please run from wolfSSL home dir");
         #ifdef WOLFSSL_TRUST_PEER_CERT

gencertbuf.pl

@@ -26,7 +26,19 @@ my @fileList_ecc = (
         [ "./certs/ecc-keyPub.der",        "ecc_key_pub_der_256" ],
         [ "./certs/server-ecc-comp.der",   "serv_ecc_comp_der_256" ],
         [ "./certs/server-ecc-rsa.der",    "serv_ecc_rsa_der_256" ],
-        [ "./certs/server-ecc.der",        "serv_ecc_der_256" ]
+        [ "./certs/server-ecc.der",        "serv_ecc_der_256" ],
+        [ "./certs/ca-ecc-key.der",        "ca_ecc_key_der_256" ],
+        [ "./certs/ca-ecc-cert.der",       "ca_ecc_cert_der_256" ],
+        [ "./certs/ca-ecc384-key.der",     "ca_ecc_key_der_384" ],
+        [ "./certs/ca-ecc384-cert.der",    "ca_ecc_cert_der_384" ]
+        );
+
+
+# ed25519 keys and certs
+# Used with HAVE_ED25519 define.
+my @fileList_ed = (
+        [ "./certs/ed25519/server-ed25519.der",    "server_ed25519_cert" ],
+        [ "./certs/ed25519/ca-ed25519.der",        "ca_ed25519_cert" ]
         );
 
 # 1024-bit certs/keys to be converted
@@ -64,6 +76,7 @@ my @fileList_2048 = (
 # ----------------------------------------------------------------------------
 
 my $num_ecc = @fileList_ecc;
+my $num_ed = @fileList_ed;
 my $num_1024 = @fileList_1024;
 my $num_2048 = @fileList_2048;
 
@@ -109,7 +122,7 @@ for (my $i = 0; $i < $num_2048; $i++) {
 
 print OUT_FILE "#endif /* USE_CERT_BUFFERS_2048 */\n\n";
 
-# convert and print 256-bit cert/keys
+# convert and print ECC cert/keys
 print OUT_FILE "#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)\n\n";
 for (my $i = 0; $i < $num_ecc; $i++) {
 
@@ -147,6 +160,23 @@ static const unsigned char dh_g[] =
 {
   0x02,
 };\n\n";
+
+# convert and print ed25519 cert/keys
+print OUT_FILE "#if defined(HAVE_ED25519)\n\n";
+for (my $i = 0; $i < $num_ed; $i++) {
+
+    my $fname = $fileList_ed[$i][0];
+    my $sname = $fileList_ed[$i][1];
+
+    print OUT_FILE "/* $fname, ED25519 */\n";
+    print OUT_FILE "static const unsigned char $sname\[] =\n";
+    print OUT_FILE "{\n";
+    file_to_hex($fname);
+    print OUT_FILE "};\n";
+    print OUT_FILE "static const int sizeof_$sname = sizeof($sname);\n\n";
+}
+print OUT_FILE "#endif /* HAVE_ED25519 */\n\n";
+
 print OUT_FILE "#endif /* WOLFSSL_CERTS_TEST_H */\n\n";
 
 # close certs_test.h file

scripts/include.am

@@ -11,6 +11,12 @@ endif
 if BUILD_EXAMPLE_SERVERS
 
 dist_noinst_SCRIPTS+= scripts/resume.test
+
+# only run this test if we have the ability to support cert validation
+if BUILD_PKI
+dist_noinst_SCRIPTS+= scripts/tls-cert-fail.test
+endif
+
 EXTRA_DIST+= scripts/benchmark.test
 
 if BUILD_CRL

scripts/openssl.test

@@ -269,9 +269,12 @@ do
         psk=""
         adh=""
         port=$openssl_port
+        caCert=""
         case $wolfSuite in
         *ECDH-RSA*)
             port=$ecdh_port ;;
+        *ECDHE-ECDSA*|*ECDH-ECDSA*)
+            caCert="-A./certs/ca-ecc-cert.pem" ;;
         *PSK*)
             psk="-s " ;;
         *ADH*)
@@ -280,10 +283,10 @@ do
 
         if [ $version -lt 4 ]
         then
-            ./examples/client/client -p $port -g -r -l $wolfSuite -v $version $psk $adh
+            ./examples/client/client -p $port -g -r -l $wolfSuite -v $version $psk $adh $caCert
         else
             # do all versions
-            ./examples/client/client -p $port -g -r -l $wolfSuite $psk $adh
+            ./examples/client/client -p $port -g -r -l $wolfSuite $psk $adh $caCert
         fi
 
         client_result=$?

scripts/tls-cert-fail.test

@@ -0,0 +1,173 @@
+#!/bin/sh
+
+#tls-cert-fail.test
+
+asn_no_signer_e="-188"
+asn_sig_confirm_e="-155"
+exit_code=1
+counter=0
+
+# need a unique resume port since may run the same time as testsuite
+# use server port zero hack to get one
+tls_port=0
+
+#no_pid tells us process was never started if -1
+no_pid=-1
+
+#server_pid captured on startup, stores the id of the server process
+server_pid=$no_pid
+
+# let's use absolute path to a local dir (make distcheck may be in sub dir)
+# also let's add some randomness by adding pid in case multiple 'make check's
+# per source tree
+ready_file=`pwd`/wolfssl_tls_ready$$
+
+remove_ready_file() {
+    if test -e $ready_file; then
+        echo -e "removing existing ready file"
+        rm $ready_file
+    fi
+}
+
+# trap this function so if user aborts with ^C or other kill signal we still
+# get an exit that will in turn clean up the file system
+abort_trap() {
+    echo "script aborted"
+
+    if  [ $server_pid != $no_pid ]
+    then
+        echo "killing server"
+        kill -9 $server_pid
+    fi
+
+    exit_code=2 #different exit code in case of user interrupt
+
+    echo "got abort signal, exiting with $exit_code"
+    exit $exit_code
+}
+trap abort_trap INT TERM
+
+
+# trap this function so that if we exit on an error the file system will still
+# be restored and the other tests may still pass. Never call this function
+# instead use "exit <some value>" and this function will run automatically
+restore_file_system() {
+    remove_ready_file
+}
+trap restore_file_system EXIT
+
+run_tls_no_signer_test() {
+    echo -e "\nStarting example server for tls no signer fail test...\n"
+
+    remove_ready_file
+
+    # starts the server on tls_port, -R generates ready file to be used as a
+    # mutex lock. We capture the processid into the variable server_pid
+    ./examples/server/server -R $ready_file -p $tls_port &
+    server_pid=$!
+
+    while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+        echo -e "waiting for ready file..."
+        sleep 0.1
+        counter=$((counter+ 1))
+    done
+
+    if test -e $ready_file; then
+        echo -e "found ready file, starting client..."
+    else
+        echo -e "NO ready file ending test..."
+        exit 1
+    fi
+
+    # get created port 0 ephemeral port
+    tls_port=`cat $ready_file`
+
+    # starts client on tls_port and captures the output from client
+    capture_out=$(./examples/client/client -p $tls_port -H badCert 2>&1)
+    client_result=$?
+
+    wait $server_pid
+    server_result=$?
+
+    case  "$capture_out" in
+    *$asn_no_signer_e*)
+        # only exit with zero on detection of the expected error code
+        echo ""
+        echo "$capture_out"
+        echo ""
+        echo "No signer error as expected! Test pass"
+        echo ""
+        exit_code=0
+        ;;
+    *)
+        echo ""
+        echo "Client did not return asn_no_signer_e as expected: $capture_out"
+        echo ""
+        exit_code=1
+    esac
+}
+
+run_tls_sig_confirm_test() {
+    echo -e "\nStarting example server for tls sig confirm fail test...\n"
+
+    remove_ready_file
+
+    # starts the server on tls_port, -R generates ready file to be used as a
+    # mutex lock. We capture the processid into the variable server_pid
+    ./examples/server/server -R $ready_file -p $tls_port -H badCert &
+    server_pid=$!
+
+    while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+        echo -e "waiting for ready file..."
+        sleep 0.1
+        counter=$((counter+ 1))
+    done
+
+    if test -e $ready_file; then
+        echo -e "found ready file, starting client..."
+    else
+        echo -e "NO ready file ending test..."
+        exit 1
+    fi
+
+    # get created port 0 ephemeral port
+    tls_port=`cat $ready_file`
+
+    # starts client on tls_port and captures the output from client
+    capture_out=$(./examples/client/client -p $tls_port 2>&1)
+    client_result=$?
+
+    wait $server_pid
+    server_result=$?
+
+    case  "$capture_out" in
+    *$asn_sig_confirm_e*)
+        # only exit with zero on detection of the expected error code
+        echo ""
+        echo "$capture_out"
+        echo ""
+        echo "Sig confirm error as expected! Test pass"
+        echo ""
+        exit_code=0
+        ;;
+    *)
+        echo ""
+        echo "Client did not return asn_sig_confirm_e as expected: $capture_out"
+        echo ""
+        exit_code=1
+    esac
+}
+
+
+######### begin program #########
+
+# run the test
+run_tls_no_signer_test
+
+tls_port=0
+run_tls_sig_confirm_test
+
+echo "exiting with $exit_code"
+exit $exit_code
+########## end program ##########
+

scripts/tls13.test

@@ -181,7 +181,7 @@ port=0
 ./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port &
 server_pid=$!
 create_port
-./examples/client/client -v 4 -A certs/server-ecc.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port
+./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port
 RESULT=$?
 remove_ready_file
 if [ $RESULT -ne 0 ]; then

tests/api.c

@@ -10641,7 +10641,7 @@ static void test_wc_ecc_get_curve_id_from_params(void)
     {
         int ret = 0;
         /* self-signed ECC cert, so use server cert as CA */
-        const char* ca_cert = "./certs/server-ecc.pem";
+        const char* ca_cert = "./certs/ca-ecc-cert.pem";
         const char* server_cert = "./certs/server-ecc.der";
         byte* cert_buf = NULL;
         size_t cert_sz = 0;

tests/suites.c

@@ -54,7 +54,7 @@ static char flagSep[] = " ";
     static char portFlag[] = "-p";
     static char svrPort[] = "0";
 #endif
-static char forceDefCipherListFlag[] = "-H";
+static char forceDefCipherListFlag[] = "-HdefCipherList";
 
 #ifdef WOLFSSL_ASYNC_CRYPT
     static int devId = INVALID_DEVID;

tests/test-dtls.conf

@@ -29,7 +29,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 DHE-PSK-CHACHA20-POLY1305
 -u
@@ -98,7 +98,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1 IDEA-CBC-SHA
 -u
@@ -291,7 +291,7 @@
 -u
 -v 1
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-NULL-SHA
 -u
@@ -304,7 +304,7 @@
 -u
 -v 2
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -u
@@ -317,7 +317,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-DES3
 -u
@@ -330,7 +330,7 @@
 -u
 -v 2
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-AES128
 -u
@@ -343,7 +343,7 @@
 -u
 -v 2
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-AES256
 -u
@@ -356,7 +356,7 @@
 -u
 -v 2
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-DES3
 -u
@@ -369,7 +369,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128
 -u
@@ -382,7 +382,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -u
@@ -395,7 +395,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256
 -u
@@ -408,7 +408,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-RSA-DES3
 -u
@@ -505,7 +505,7 @@
 -u
 -v 2
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-AES128
 -u
@@ -518,7 +518,7 @@
 -u
 -v 2
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-AES256
 -u
@@ -531,7 +531,7 @@
 -u
 -v 2
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-DES3
 -u
@@ -544,7 +544,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128
 -u
@@ -557,7 +557,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128-SHA256
 -u
@@ -570,7 +570,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES256
 -u
@@ -583,7 +583,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-RSA-AES256-SHA384
 -u
@@ -606,7 +606,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-RSA-AES256-SHA384
 -u
@@ -631,7 +631,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-PSK-AES128-SHA256
 -s
@@ -788,7 +788,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -u
@@ -801,7 +801,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
 -u
@@ -814,7 +814,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -u
@@ -827,7 +827,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 -u
@@ -908,7 +908,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-CCM
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -u
@@ -921,7 +921,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -u
@@ -934,7 +934,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES256-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ADH-AES128-SHA
 -u

tests/test-qsh.conf

@@ -53,7 +53,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-OLD
 -v 3
 -l QSH:ECDHE-ECDSA-CHACHA20-POLY1305-OLD
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 DHE-RSA-CHACHA20-POLY1305
 -v 3
@@ -80,7 +80,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
 -v 3
 -l QSH:ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server SSLv3 RC4-SHA
 -v 0
@@ -339,7 +339,7 @@
 # client TLSv1 ECDHE-ECDSA-NULL-SHA
 -v 1
 -l QSH:ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-NULL-SHA
 -v 2
@@ -350,7 +350,7 @@
 # client TLSv1 ECDHE-ECDSA-NULL-SHA
 -v 2
 -l QSH:ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -v 3
@@ -361,7 +361,7 @@
 # client TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -v 3
 -l QSH:ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-RSA-RC4
 -v 2
@@ -444,7 +444,7 @@
 # client TLSv1 ECDHE-ECDSA-RC4
 -v 1
 -l QSH:ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-DES3
 -v 1
@@ -455,7 +455,7 @@
 # client TLSv1 ECDHE-ECDSA-DES3
 -v 1
 -l QSH:ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES128 
 -v 1
@@ -466,7 +466,7 @@
 # client TLSv1 ECDHE-ECDSA-AES128 
 -v 1
 -l QSH:ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES256
 -v 1
@@ -477,7 +477,7 @@
 # client TLSv1 ECDHE-ECDSA-AES256
 -v 1
 -l QSH:ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-EDCSA-RC4
 -v 2
@@ -488,7 +488,7 @@
 # client TLSv1.1 ECDHE-ECDSA-RC4
 -v 2
 -l QSH:ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-DES3
 -v 2
@@ -499,7 +499,7 @@
 # client TLSv1.1 ECDHE-ECDSA-DES3
 -v 2
 -l QSH:ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES128 
 -v 2
@@ -510,7 +510,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES128 
 -v 2
 -l QSH:ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES256
 -v 2
@@ -521,7 +521,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES256
 -v 2
 -l QSH:ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
@@ -532,7 +532,7 @@
 # client TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
 -l QSH:ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-DES3
 -v 3
@@ -543,7 +543,7 @@
 # client TLSv1.2 ECDHE-ECDSA-DES3
 -v 3
 -l QSH:ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128 
 -v 3
@@ -554,7 +554,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128 
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3
@@ -565,7 +565,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256
 -v 3
@@ -576,7 +576,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256
 -v 3
 -l QSH:ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-RSA-RC4
 -v 1
@@ -717,7 +717,7 @@
 # client TLSv1 ECDH-ECDSA-RC4
 -v 1
 -l QSH:ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-DES3
 -v 1
@@ -728,7 +728,7 @@
 # client TLSv1 ECDH-ECDSA-DES3
 -v 1
 -l QSH:ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-AES128 
 -v 1
@@ -739,7 +739,7 @@
 # client TLSv1 ECDH-ECDSA-AES128 
 -v 1
 -l QSH:ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-AES256
 -v 1
@@ -750,7 +750,7 @@
 # client TLSv1 ECDH-ECDSA-AES256
 -v 1
 -l QSH:ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-EDCSA-RC4
 -v 2
@@ -761,7 +761,7 @@
 # client TLSv1.1 ECDH-ECDSA-RC4
 -v 2
 -l QSH:ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-DES3
 -v 2
@@ -772,7 +772,7 @@
 # client TLSv1.1 ECDH-ECDSA-DES3
 -v 2
 -l QSH:ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-AES128 
 -v 2
@@ -783,7 +783,7 @@
 # client TLSv1.1 ECDH-ECDSA-AES128 
 -v 2
 -l QSH:ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-AES256
 -v 2
@@ -794,7 +794,7 @@
 # client TLSv1.1 ECDH-ECDSA-AES256
 -v 2
 -l QSH:ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
@@ -805,7 +805,7 @@
 # client TLSv1.2 ECDH-ECDSA-RC4
 -v 3
 -l QSH:ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-DES3
 -v 3
@@ -816,7 +816,7 @@
 # client TLSv1.2 ECDH-ECDSA-DES3
 -v 3
 -l QSH:ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128 
 -v 3
@@ -827,7 +827,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128 
 -v 3
 -l QSH:ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128-SHA256
 -v 3
@@ -838,7 +838,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128-SHA256 
 -v 3
 -l QSH:ECDH-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES256
 -v 3
@@ -849,7 +849,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256
 -v 3
 -l QSH:ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-RSA-AES256-SHA384
 -v 3
@@ -868,7 +868,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-SHA384
 -v 3
 -l QSH:ECDHE-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-RSA-AES256-SHA384 
 -v 3
@@ -889,7 +889,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256-SHA384 
 -v 3
 -l QSH:ECDH-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 HC128-SHA
 -v 1
@@ -1646,7 +1646,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -v 3
@@ -1657,7 +1657,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -v 3
 -l QSH:ECDHE-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 
 -v 3
@@ -1668,7 +1668,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 
 -v 3
 -l QSH:ECDH-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -v 3
@@ -1679,7 +1679,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -v 3
 -l QSH:ECDH-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 
 -v 3
@@ -1778,7 +1778,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-CCM
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-CCM
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -v 3
@@ -1789,7 +1789,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -v 3
@@ -1800,7 +1800,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -v 3
 -l QSH:ECDHE-ECDSA-AES256-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 PSK-AES128-CCM
 -s

tests/test-sctp.conf

@@ -29,7 +29,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 DHE-RSA-CHACHA20-POLY1305
 -G
@@ -62,7 +62,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 DHE-PSK-CHACHA20-POLY1305
 -G
@@ -131,7 +131,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1 RC4-SHA
 -G
@@ -364,7 +364,7 @@
 -G
 -v 1
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-NULL-SHA
 -G
@@ -377,7 +377,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -G
@@ -390,7 +390,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-EDCSA-RC4
 -G
@@ -403,7 +403,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-DES3
 -G
@@ -416,7 +416,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-AES128 
 -G
@@ -429,7 +429,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-AES256
 -G
@@ -442,7 +442,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-RC4
 -G
@@ -455,7 +455,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-DES3
 -G
@@ -468,7 +468,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128 
 -G
@@ -481,7 +481,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -G
@@ -494,7 +494,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256
 -G
@@ -507,7 +507,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-RSA-RC4
 -G
@@ -628,7 +628,7 @@
 -G
 -v 2
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-DES3
 -G
@@ -641,7 +641,7 @@
 -G
 -v 2
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-AES128 
 -G
@@ -654,7 +654,7 @@
 -G
 -v 2
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-AES256
 -G
@@ -667,7 +667,7 @@
 -G
 -v 2
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-RC4
 -G
@@ -680,7 +680,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-DES3
 -G
@@ -693,7 +693,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128 
 -G
@@ -706,7 +706,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128-SHA256
 -G
@@ -719,7 +719,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES256
 -G
@@ -732,7 +732,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-RSA-AES256-SHA384 
 -G
@@ -755,7 +755,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-RSA-AES256-SHA384 
 -G
@@ -780,7 +780,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-PSK-AES128-SHA256
 -s
@@ -937,7 +937,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -G
@@ -950,7 +950,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 
 -G
@@ -963,7 +963,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -G
@@ -976,7 +976,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 
 -G
@@ -1057,7 +1057,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-CCM
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -G
@@ -1070,7 +1070,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -G
@@ -1083,7 +1083,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES256-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ADH-AES128-SHA
 -G

tests/test-sig.conf

@@ -18,7 +18,7 @@
 # client TLSv1 ECDHE-ECDSA-AES128
 -v 1
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES128
 -v 1
@@ -62,7 +62,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES128
 -v 2
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES128
 -v 2
@@ -106,7 +106,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128
 -v 3
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3

tests/test-tls13.conf

@@ -47,7 +47,7 @@
 # client TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
 -v 4
 -l TLS13-CHACH20-POLY1305-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4
@@ -58,7 +58,7 @@
 # client TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4
 -l TLS13-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES256-GCM-SHA384
 -v 4
@@ -69,7 +69,7 @@
 # client TLSv1.3 TLS13-AES256-GCM-SHA384
 -v 4
 -l TLS13-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES128-CCM-SHA256
 -v 4
@@ -80,7 +80,7 @@
 # client TLSv1.3 TLS13-AES128-CCM-SHA256
 -v 4
 -l TLS13-AES128-CCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES128-CCM-8-SHA256
 -v 4
@@ -91,7 +91,7 @@
 # client TLSv1.3 TLS13-AES128-CCM-8-SHA256
 -v 4
 -l TLS13-AES128-CCM-8-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4
@@ -102,7 +102,7 @@
 # client TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4
 -l TLS13-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 -t
 
 # server TLSv1.3 accepting EarlyData

tests/test.conf

@@ -23,7 +23,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 DHE-PSK-CHACHA20-POLY1305
 -v 3
@@ -80,7 +80,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-OLD
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server SSLv3 RC4-SHA
 -v 0
@@ -411,7 +411,7 @@
 # client TLSv1 ECDHE-ECDSA-NULL-SHA
 -v 1
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-NULL-SHA
 -v 2
@@ -422,7 +422,7 @@
 # client TLSv1 ECDHE-ECDSA-NULL-SHA
 -v 2
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -v 3
@@ -433,7 +433,7 @@
 # client TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -v 3
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-RC4
 -v 1
@@ -444,7 +444,7 @@
 # client TLSv1 ECDHE-ECDSA-RC4
 -v 1
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-DES3
 -v 1
@@ -455,7 +455,7 @@
 # client TLSv1 ECDHE-ECDSA-DES3
 -v 1
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES128
 -v 1
@@ -466,7 +466,7 @@
 # client TLSv1 ECDHE-ECDSA-AES128
 -v 1
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES256
 -v 1
@@ -477,7 +477,7 @@
 # client TLSv1 ECDHE-ECDSA-AES256
 -v 1
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-EDCSA-RC4
 -v 2
@@ -488,7 +488,7 @@
 # client TLSv1.1 ECDHE-ECDSA-RC4
 -v 2
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-DES3
 -v 2
@@ -499,7 +499,7 @@
 # client TLSv1.1 ECDHE-ECDSA-DES3
 -v 2
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES128
 -v 2
@@ -510,7 +510,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES128
 -v 2
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES256
 -v 2
@@ -521,7 +521,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES256
 -v 2
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
@@ -532,7 +532,7 @@
 # client TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-DES3
 -v 3
@@ -543,7 +543,7 @@
 # client TLSv1.2 ECDHE-ECDSA-DES3
 -v 3
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128
 -v 3
@@ -554,7 +554,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128
 -v 3
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3
@@ -565,7 +565,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3
 -l ECDHE-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256
 -v 3
@@ -576,7 +576,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256
 -v 3
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-RSA-RC4
 -v 1
@@ -717,7 +717,7 @@
 # client TLSv1 ECDH-ECDSA-RC4
 -v 1
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-DES3
 -v 1
@@ -728,7 +728,7 @@
 # client TLSv1 ECDH-ECDSA-DES3
 -v 1
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-AES128
 -v 1
@@ -739,7 +739,7 @@
 # client TLSv1 ECDH-ECDSA-AES128
 -v 1
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-AES256
 -v 1
@@ -750,7 +750,7 @@
 # client TLSv1 ECDH-ECDSA-AES256
 -v 1
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-EDCSA-RC4
 -v 2
@@ -761,7 +761,7 @@
 # client TLSv1.1 ECDH-ECDSA-RC4
 -v 2
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-DES3
 -v 2
@@ -772,7 +772,7 @@
 # client TLSv1.1 ECDH-ECDSA-DES3
 -v 2
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-AES128
 -v 2
@@ -783,7 +783,7 @@
 # client TLSv1.1 ECDH-ECDSA-AES128
 -v 2
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-AES256
 -v 2
@@ -794,7 +794,7 @@
 # client TLSv1.1 ECDH-ECDSA-AES256
 -v 2
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
@@ -805,7 +805,7 @@
 # client TLSv1.2 ECDH-ECDSA-RC4
 -v 3
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-DES3
 -v 3
@@ -816,7 +816,7 @@
 # client TLSv1.2 ECDH-ECDSA-DES3
 -v 3
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128
 -v 3
@@ -827,7 +827,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128
 -v 3
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128-SHA256
 -v 3
@@ -838,7 +838,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128-SHA256
 -v 3
 -l ECDH-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES256
 -v 3
@@ -849,7 +849,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256
 -v 3
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-RSA-AES256-SHA384
 -v 3
@@ -868,7 +868,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-SHA384
 -v 3
 -l ECDHE-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-RSA-AES256-SHA384
 -v 3
@@ -889,7 +889,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256-SHA384
 -v 3
 -l ECDH-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 HC128-SHA
 -v 1
@@ -1662,7 +1662,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -v 3
@@ -1673,7 +1673,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -v 3
 -l ECDHE-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
 -v 3
@@ -1684,7 +1684,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
 -v 3
 -l ECDH-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -v 3
@@ -1695,7 +1695,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -v 3
 -l ECDH-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 -v 3
@@ -1794,7 +1794,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-CCM
 -v 3
 -l ECDHE-ECDSA-AES128-CCM
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -v 3
@@ -1805,7 +1805,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -v 3
 -l ECDHE-ECDSA-AES128-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -v 3
@@ -1816,7 +1816,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -v 3
 -l ECDHE-ECDSA-AES256-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 PSK-AES128-CCM
 -s
@@ -2187,7 +2187,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 -t
 
 # server TLSv1.2 private-only key

wolfcrypt/src/asn.c

@@ -162,7 +162,8 @@ ASN Options:
     #define XTIME(t1)       mqx_time((t1))
     #define HAVE_GMTIME_R
 
-#elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
+#elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) || \
+        defined(FREESCALE_KSDK_FREERTOS)
     #include <time.h>
     #ifndef XTIME
         /*extern time_t ksdk_time(time_t* timer);*/
@@ -757,7 +758,10 @@ static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx)
     return b;
 }
 
-#if !defined(NO_DSA) || defined(HAVE_ECC) || (!defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))))
+#if !defined(NO_DSA) || defined(HAVE_ECC) || \
+   (!defined(NO_RSA) && \
+        (defined(WOLFSSL_CERT_GEN) || \
+        (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))))
 /* Set the DER/BER encoding of the ASN.1 INTEGER header.
  *
  * len        Length of data to encode.
@@ -780,7 +784,8 @@ static int SetASNInt(int len, byte firstByte, byte* output)
 }
 #endif
 
-#if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA))
+#if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_CERT_GEN) || \
+    (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA))
 /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int.
  * The number is assumed to be positive.
  *
@@ -845,8 +850,7 @@ static int SetASNIntRSA(mp_int* n, byte* output)
 
     return idx;
 }
-#endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN &&
-                                           !HAVE_USER_RSA))) */
+#endif /* !NO_RSA && HAVE_USER_RSA && WOLFSSL_CERT_GEN */
 
 /* Windows header clash for WinCE using GetVersion */
 WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
@@ -4301,7 +4305,7 @@ static int SetCurve(ecc_key* key, byte* output)
     return idx;
 }
 
-#endif /* HAVE_ECC && WOLFSSL_CERT_GEN */
+#endif /* HAVE_ECC && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
 
 
 static INLINE int IsSigAlgoECDSA(int algoOID)
@@ -6674,9 +6678,10 @@ int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz,
     return outLen + headerLen + footerLen;
 }
 
-#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */
+#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN || OPENSSL_EXTRA */
 
-#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))
+#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || \
+        (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))
 /* USER RSA ifdef portions used instead of refactor in consideration for
    possible fips build */
 /* Write a public RSA key to output */
@@ -6938,7 +6943,7 @@ int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen)
 #endif /* WOLFSSL_KEY_GEN && !NO_RSA && !HAVE_USER_RSA */
 
 
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
+#ifdef WOLFSSL_CERT_GEN
 
 /* Initialize and Set Certificate defaults:
    version    = 3 (0x2)
@@ -7088,8 +7093,8 @@ static word32 SetUTF8String(word32 len, byte* output)
 
 #endif /* WOLFSSL_CERT_REQ */
 
+#endif /*WOLFSSL_CERT_GEN */
 
-#endif /* defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) */
 #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN))
 
 /* Write a public ECC key to output */
@@ -7222,6 +7227,7 @@ int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen,
     return SetEccPublicKey(output, key, with_AlgCurve);
 }
 #endif /* HAVE_ECC && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
+
 #if defined(HAVE_ED25519) && (defined(WOLFSSL_CERT_GEN) || \
                               defined(WOLFSSL_KEY_GEN))
 
@@ -7326,7 +7332,9 @@ int wc_Ed25519PublicKeyToDer(ed25519_key* key, byte* output, word32 inLen,
     return SetEd25519PublicKey(output, key, withAlg);
 }
 #endif /* HAVE_ED25519 && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
+
+
+#ifdef WOLFSSL_CERT_GEN
 
 static INLINE byte itob(int number)
 {
@@ -8169,14 +8177,13 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
 {
     int ret;
 
-    (void)eccKey;
-    (void)ntruKey;
-    (void)ntruSz;
-    (void)ed25519Key;
-
     if (cert == NULL || der == NULL || rng == NULL)
         return BAD_FUNC_ARG;
 
+    /* make sure at least one key type is provided */
+    if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL && ntruKey == NULL)
+        return PUBLIC_KEY_E;
+
     /* init */
     XMEMSET(der, 0, sizeof(DerCert));
 
@@ -8204,32 +8211,28 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
         return ALGO_ID_E;
 
     /* public key */
+#ifndef NO_RSA
     if (cert->keyType == RSA_KEY) {
         if (rsaKey == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
                                            sizeof(der->publicKey), 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
+#endif
 
 #ifdef HAVE_ECC
     if (cert->keyType == ECC_KEY) {
         if (eccKey == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
-#endif /* HAVE_ECC */
+#endif
 
 #ifdef HAVE_ED25519
     if (cert->keyType == ED25519_KEY) {
         if (ed25519Key == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
 #endif
 
@@ -8238,22 +8241,30 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
         word32 rc;
         word16 encodedSz;
 
-        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
+        if (ntruKey == NULL)
+            return PUBLIC_KEY_E;
+
+        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz,
                                                    ntruKey, &encodedSz, NULL);
         if (rc != NTRU_OK)
             return PUBLIC_KEY_E;
         if (encodedSz > MAX_PUBLIC_KEY_SZ)
             return PUBLIC_KEY_E;
 
-        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
+        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz,
                                          ntruKey, &encodedSz, der->publicKey);
         if (rc != NTRU_OK)
             return PUBLIC_KEY_E;
 
         der->publicKeySz = encodedSz;
     }
+#else
+    (void)ntruSz;
 #endif /* HAVE_NTRU */
 
+    if (der->publicKeySz <= 0)
+        return PUBLIC_KEY_E;
+
     der->validitySz = 0;
 #ifdef WOLFSSL_ALT_NAMES
     /* date validity copy ? */
@@ -8806,6 +8817,9 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
     if (cert == NULL || der == NULL)
         return BAD_FUNC_ARG;
 
+    if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL)
+            return PUBLIC_KEY_E;
+
     /* init */
     XMEMSET(der, 0, sizeof(DerCert));
 
@@ -8818,34 +8832,31 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
         return SUBJECT_E;
 
     /* public key */
+#ifndef NO_RSA
     if (cert->keyType == RSA_KEY) {
         if (rsaKey == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
                                            sizeof(der->publicKey), 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
+#endif
 
 #ifdef HAVE_ECC
     if (cert->keyType == ECC_KEY) {
-        if (eccKey == NULL)
-            return PUBLIC_KEY_E;
         der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
-#endif /* HAVE_ECC */
+#endif
 
 #ifdef HAVE_ED25519
     if (cert->keyType == ED25519_KEY) {
         if (ed25519Key == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
-#endif /* HAVE_ED25519 */
+#endif
+
+    if (der->publicKeySz <= 0)
+        return PUBLIC_KEY_E;
 
     /* set the extensions */
     der->extensionsSz = 0;
@@ -9173,24 +9184,17 @@ int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz,
 
 #ifdef WOLFSSL_CERT_EXT
 
-/* Set KID from RSA or ECC public key */
+/* Set KID from public key */
 static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
                                  byte *ntruKey, word16 ntruKeySz,
                                  ed25519_key* ed25519Key, int kid_type)
 {
-    byte    *buffer;
-    int     bufferSz, ret;
-
-#ifndef HAVE_NTRU
-    (void)ntruKeySz;
-#endif
+    byte *buffer;
+    int   bufferSz, ret;
 
     if (cert == NULL ||
         (rsakey == NULL && eckey == NULL && ntruKey == NULL &&
                                             ed25519Key == NULL) ||
-        (rsakey != NULL && eckey != NULL) ||
-        (rsakey != NULL && ntruKey != NULL) ||
-        (ntruKey != NULL && eckey != NULL) ||
         (kid_type != SKID_TYPE && kid_type != AKID_TYPE))
         return BAD_FUNC_ARG;
 
@@ -9199,31 +9203,35 @@ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
     if (buffer == NULL)
         return MEMORY_E;
 
+    /* Public Key */
+    bufferSz = -1;
+#ifndef NO_RSA
     /* RSA public key */
     if (rsakey != NULL)
         bufferSz = SetRsaPublicKey(buffer, rsakey, MAX_PUBLIC_KEY_SZ, 0);
+#endif
 #ifdef HAVE_ECC
     /* ECC public key */
-    else if (eckey != NULL)
+    if (eckey != NULL)
         bufferSz = SetEccPublicKey(buffer, eckey, 0);
-#endif /* HAVE_ECC */
+#endif
 #ifdef HAVE_NTRU
     /* NTRU public key */
-    else if (ntruKey != NULL) {
+    if (ntruKey != NULL) {
         bufferSz = MAX_PUBLIC_KEY_SZ;
         ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(
                         ntruKeySz, ntruKey, (word16 *)(&bufferSz), buffer);
         if (ret != NTRU_OK)
             bufferSz = -1;
     }
+#else
+    (void)ntruKeySz;
 #endif
 #ifdef HAVE_ED25519
     /* ED25519 public key */
-    else if (ed25519Key != NULL)
+    if (ed25519Key != NULL)
         bufferSz = SetEd25519PublicKey(buffer, ed25519Key, 0);
-#endif /* HAVE_ECC */
-    else
-        bufferSz = -1;
+#endif
 
     if (bufferSz <= 0) {
         XFREE(buffer, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -9344,6 +9352,7 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file)
     }
 
     /* Load PubKey in internal structure */
+#ifndef NO_RSA
     rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), cert->heap, DYNAMIC_TYPE_RSA);
     if (rsakey == NULL) {
         XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
@@ -9359,11 +9368,15 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file)
 
     idx = 0;
     ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz);
-    if (ret != 0) {
+    if (ret != 0)
+#endif
+    {
+#ifndef NO_RSA
         WOLFSSL_MSG("wc_RsaPublicKeyDecode failed");
         wc_FreeRsaKey(rsakey);
         XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
         rsakey = NULL;
+#endif
 #ifdef HAVE_ECC
         /* Check to load ecc public key */
         eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), cert->heap,
@@ -9399,8 +9412,10 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file)
 
     ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey);
 
+#ifndef NO_RSA
     wc_FreeRsaKey(rsakey);
     XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
+#endif
 #ifdef HAVE_ECC
     wc_ecc_free(eckey);
     XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC);
@@ -9772,9 +9787,7 @@ static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
     return ret < 0 ? ret : 0;
 }
 
-
-#endif /* WOLFSSL_ALT_NAMES && !NO_RSA */
-
+#endif /* WOLFSSL_ALT_NAMES */
 
 /* Set cn name from der buffer, return 0 on success */
 static int SetNameFromCert(CertName* cn, const byte* der, int derSz)

wolfssl/certs_test.h

@@ -2077,87 +2077,286 @@ static const int sizeof_serv_ecc_rsa_der_256 = sizeof(serv_ecc_rsa_der_256);
 /* ./certs/server-ecc.der, ECC */
 static const unsigned char serv_ecc_der_256[] =
 {
-	0x30, 0x82, 0x03, 0x10, 0x30, 0x82, 0x02, 0xB5, 0xA0, 0x03, 
-	0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xEF, 0x46, 0xC7, 0xA4, 
-	0x9B, 0xBB, 0x60, 0xD3, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 
-	0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x8F, 0x31, 
+	0x30, 0x82, 0x03, 0x50, 0x30, 0x82, 0x02, 0xF5, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x02, 0x10, 0x00, 0x30, 0x0A, 0x06, 
+	0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 
+	0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 
+	0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 
+	0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 
+	0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 
+	0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 
+	0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
+	0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 
+	0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 
+	0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 
+	0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 
+	0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 
+	0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
+	0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 
+	0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 
+	0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 
+	0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x31, 
+	0x30, 0x32, 0x30, 0x31, 0x38, 0x31, 0x39, 0x30, 0x36, 0x5A, 
+	0x17, 0x0D, 0x32, 0x37, 0x31, 0x30, 0x31, 0x38, 0x31, 0x38, 
+	0x31, 0x39, 0x30, 0x36, 0x5A, 0x30, 0x81, 0x8F, 0x31, 0x0B, 
+	0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 
+	0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 
+	0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 
+	0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
+	0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 
+	0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 
+	0x07, 0x45, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x31, 0x0C, 
+	0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, 0x45, 
+	0x43, 0x43, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 
+	0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 
+	0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 
+	0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 
+	0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 
+	0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 
+	0x6D, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 
+	0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 
+	0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xBB, 0x33, 
+	0xAC, 0x4C, 0x27, 0x50, 0x4A, 0xC6, 0x4A, 0xA5, 0x04, 0xC3, 
+	0x3C, 0xDE, 0x9F, 0x36, 0xDB, 0x72, 0x2D, 0xCE, 0x94, 0xEA, 
+	0x2B, 0xFA, 0xCB, 0x20, 0x09, 0x39, 0x2C, 0x16, 0xE8, 0x61, 
+	0x02, 0xE9, 0xAF, 0x4D, 0xD3, 0x02, 0x93, 0x9A, 0x31, 0x5B, 
+	0x97, 0x92, 0x21, 0x7F, 0xF0, 0xCF, 0x18, 0xDA, 0x91, 0x11, 
+	0x02, 0x34, 0x86, 0xE8, 0x20, 0x58, 0x33, 0x0B, 0x80, 0x34, 
+	0x89, 0xD8, 0xA3, 0x82, 0x01, 0x35, 0x30, 0x82, 0x01, 0x31, 
+	0x30, 0x09, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x02, 0x30, 
+	0x00, 0x30, 0x11, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 
+	0xF8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 
+	0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 
+	0x14, 0x5D, 0x5D, 0x26, 0xEF, 0xAC, 0x7E, 0x36, 0xF9, 0x9B, 
+	0x76, 0x15, 0x2B, 0x4A, 0x25, 0x02, 0x23, 0xEF, 0xB2, 0x89, 
+	0x30, 0x30, 0x81, 0xCC, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 
+	0x81, 0xC4, 0x30, 0x81, 0xC1, 0x80, 0x14, 0x56, 0x8E, 0x9A, 
+	0xC3, 0xF0, 0x42, 0xDE, 0x18, 0xB9, 0x45, 0x55, 0x6E, 0xF9, 
+	0x93, 0xCF, 0xEA, 0xC3, 0xF3, 0xA5, 0x21, 0xA1, 0x81, 0x9D, 
+	0xA4, 0x81, 0x9A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 
+	0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 
+	0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 
+	0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 
+	0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 
+	0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 
+	0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 
+	0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 
+	0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 
+	0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 
+	0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 
+	0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 
+	0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 
+	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 
+	0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 
+	0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, 
+	0x97, 0xB4, 0xBD, 0x16, 0x78, 0xF8, 0x47, 0xF2, 0x30, 0x0E, 
+	0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 
+	0x03, 0x02, 0x03, 0xA8, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1D, 
+	0x25, 0x04, 0x0C, 0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 
+	0x05, 0x05, 0x07, 0x03, 0x01, 0x30, 0x0A, 0x06, 0x08, 0x2A, 
+	0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x49, 0x00, 
+	0x30, 0x46, 0x02, 0x21, 0x00, 0xBE, 0xB8, 0x58, 0xF0, 0xE4, 
+	0x15, 0x01, 0x1F, 0xDF, 0x70, 0x54, 0x73, 0x4A, 0x6C, 0x40, 
+	0x1F, 0x77, 0xA8, 0xB4, 0xEB, 0x52, 0x1E, 0xBF, 0xF5, 0x0D, 
+	0xB1, 0x33, 0xCA, 0x6A, 0xC4, 0x76, 0xB9, 0x02, 0x21, 0x00, 
+	0x97, 0x08, 0xDE, 0x2C, 0x28, 0xC1, 0x45, 0x71, 0xB6, 0x2C, 
+	0x54, 0x87, 0x98, 0x63, 0x76, 0xA8, 0x21, 0x34, 0x90, 0xA8, 
+	0xF7, 0x9E, 0x3F, 0xFC, 0x02, 0xB0, 0xE7, 0xD3, 0x09, 0x31, 
+	0x27, 0xE4
+};
+static const int sizeof_serv_ecc_der_256 = sizeof(serv_ecc_der_256);
+
+/* ./certs/ca-ecc-key.der, ECC */
+static const unsigned char ca_ecc_key_der_256[] =
+{
+	0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x02, 0xE1, 0x33, 
+	0x98, 0x77, 0x97, 0xAC, 0x4A, 0x59, 0x6D, 0x28, 0x9B, 0x6E, 
+	0xA0, 0x93, 0x9B, 0x07, 0x71, 0x8B, 0x4D, 0x60, 0x63, 0x85, 
+	0x99, 0xE6, 0xBB, 0x16, 0x70, 0xE9, 0x0A, 0xF6, 0x80, 0xA0, 
+	0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 
+	0x07, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x02, 0xD3, 0xD9, 
+	0x6E, 0xD6, 0x01, 0x8E, 0x45, 0xC8, 0xB9, 0x90, 0x31, 0xE5, 
+	0xC0, 0x4C, 0xE3, 0x9E, 0xAD, 0x29, 0x38, 0x98, 0xBA, 0x10, 
+	0xD6, 0xE9, 0x09, 0x2A, 0x80, 0xA9, 0x2E, 0x17, 0x2A, 0xB9, 
+	0x8A, 0xBF, 0x33, 0x83, 0x46, 0xE3, 0x95, 0x0B, 0xE4, 0x77, 
+	0x40, 0xB5, 0x3B, 0x43, 0x45, 0x33, 0x0F, 0x61, 0x53, 0x7C, 
+	0x37, 0x44, 0xC1, 0xCB, 0xFC, 0x80, 0xCA, 0xE8, 0x43, 0xEA, 
+	0xA7
+};
+static const int sizeof_ca_ecc_key_der_256 = sizeof(ca_ecc_key_der_256);
+
+/* ./certs/ca-ecc-cert.der, ECC */
+static const unsigned char ca_ecc_cert_der_256[] =
+{
+	0x30, 0x82, 0x02, 0x8A, 0x30, 0x82, 0x02, 0x30, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x97, 0xB4, 0xBD, 0x16, 
+	0x78, 0xF8, 0x47, 0xF2, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 
+	0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x97, 0x31, 
 	0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 
 	0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 
 	0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 
 	0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
 	0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 
 	0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 
-	0x0C, 0x07, 0x45, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x31, 
-	0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, 
-	0x45, 0x43, 0x43, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 
-	0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 
-	0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 
-	0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 
-	0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 
-	0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 
-	0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x36, 0x30, 0x38, 
-	0x31, 0x31, 0x32, 0x30, 0x30, 0x37, 0x33, 0x38, 0x5A, 0x17, 
-	0x0D, 0x31, 0x39, 0x30, 0x35, 0x30, 0x38, 0x32, 0x30, 0x30, 
-	0x37, 0x33, 0x38, 0x5A, 0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30, 
-	0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 
-	0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 
-	0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 
-	0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 
-	0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 
-	0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 
-	0x45, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x31, 0x0C, 0x30, 
-	0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, 0x45, 0x43, 
-	0x43, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
+	0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 
+	0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 
+	0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 
+	0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
 	0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 
 	0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 
 	0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 
 	0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 
 	0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
-	0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 
-	0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 
-	0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xBB, 0x33, 0xAC, 
-	0x4C, 0x27, 0x50, 0x4A, 0xC6, 0x4A, 0xA5, 0x04, 0xC3, 0x3C, 
-	0xDE, 0x9F, 0x36, 0xDB, 0x72, 0x2D, 0xCE, 0x94, 0xEA, 0x2B, 
-	0xFA, 0xCB, 0x20, 0x09, 0x39, 0x2C, 0x16, 0xE8, 0x61, 0x02, 
-	0xE9, 0xAF, 0x4D, 0xD3, 0x02, 0x93, 0x9A, 0x31, 0x5B, 0x97, 
-	0x92, 0x21, 0x7F, 0xF0, 0xCF, 0x18, 0xDA, 0x91, 0x11, 0x02, 
-	0x34, 0x86, 0xE8, 0x20, 0x58, 0x33, 0x0B, 0x80, 0x34, 0x89, 
-	0xD8, 0xA3, 0x81, 0xF7, 0x30, 0x81, 0xF4, 0x30, 0x1D, 0x06, 
-	0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x5D, 0x5D, 
-	0x26, 0xEF, 0xAC, 0x7E, 0x36, 0xF9, 0x9B, 0x76, 0x15, 0x2B, 
-	0x4A, 0x25, 0x02, 0x23, 0xEF, 0xB2, 0x89, 0x30, 0x30, 0x81, 
-	0xC4, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xBC, 0x30, 
-	0x81, 0xB9, 0x80, 0x14, 0x5D, 0x5D, 0x26, 0xEF, 0xAC, 0x7E, 
-	0x36, 0xF9, 0x9B, 0x76, 0x15, 0x2B, 0x4A, 0x25, 0x02, 0x23, 
-	0xEF, 0xB2, 0x89, 0x30, 0xA1, 0x81, 0x95, 0xA4, 0x81, 0x92, 
-	0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
-	0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 
-	0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 
-	0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 
-	0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 
-	0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 
-	0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x45, 0x6C, 0x69, 0x70, 
-	0x74, 0x69, 0x63, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 
-	0x04, 0x0B, 0x0C, 0x03, 0x45, 0x43, 0x43, 0x31, 0x18, 0x30, 
+	0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x31, 0x30, 0x32, 0x30, 
+	0x31, 0x38, 0x31, 0x39, 0x30, 0x36, 0x5A, 0x17, 0x0D, 0x33, 
+	0x37, 0x31, 0x30, 0x31, 0x35, 0x31, 0x38, 0x31, 0x39, 0x30, 
+	0x36, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, 
+	0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 
+	0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 
+	0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 
+	0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 
+	0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 
+	0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 
+	0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06, 
+	0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65, 
+	0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30, 
 	0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 
 	0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 
 	0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 
 	0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 
 	0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 
-	0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, 0xEF, 
-	0x46, 0xC7, 0xA4, 0x9B, 0xBB, 0x60, 0xD3, 0x30, 0x0C, 0x06, 
-	0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 
-	0xFF, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 
-	0x04, 0x03, 0x02, 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 
-	0x00, 0xF1, 0xD0, 0xA6, 0x3E, 0x83, 0x33, 0x24, 0xD1, 0x7A, 
-	0x05, 0x5F, 0x1E, 0x0E, 0xBD, 0x7D, 0x6B, 0x33, 0xE9, 0xF2, 
-	0x86, 0xF3, 0xF3, 0x3D, 0xA9, 0xEF, 0x6A, 0x87, 0x31, 0xB3, 
-	0xB7, 0x7E, 0x50, 0x02, 0x21, 0x00, 0xF0, 0x60, 0xDD, 0xCE, 
-	0xA2, 0xDB, 0x56, 0xEC, 0xD9, 0xF4, 0xE4, 0xE3, 0x25, 0xD4, 
-	0xB0, 0xC9, 0x25, 0x7D, 0xCA, 0x7A, 0x5D, 0xBA, 0xC4, 0xB2, 
-	0xF6, 0x7D, 0x04, 0xC7, 0xBD, 0x62, 0xC9, 0x20
+	0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x59, 0x30, 0x13, 
+	0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 
+	0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 
+	0x42, 0x00, 0x04, 0x02, 0xD3, 0xD9, 0x6E, 0xD6, 0x01, 0x8E, 
+	0x45, 0xC8, 0xB9, 0x90, 0x31, 0xE5, 0xC0, 0x4C, 0xE3, 0x9E, 
+	0xAD, 0x29, 0x38, 0x98, 0xBA, 0x10, 0xD6, 0xE9, 0x09, 0x2A, 
+	0x80, 0xA9, 0x2E, 0x17, 0x2A, 0xB9, 0x8A, 0xBF, 0x33, 0x83, 
+	0x46, 0xE3, 0x95, 0x0B, 0xE4, 0x77, 0x40, 0xB5, 0x3B, 0x43, 
+	0x45, 0x33, 0x0F, 0x61, 0x53, 0x7C, 0x37, 0x44, 0xC1, 0xCB, 
+	0xFC, 0x80, 0xCA, 0xE8, 0x43, 0xEA, 0xA7, 0xA3, 0x63, 0x30, 
+	0x61, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 
+	0x04, 0x14, 0x56, 0x8E, 0x9A, 0xC3, 0xF0, 0x42, 0xDE, 0x18, 
+	0xB9, 0x45, 0x55, 0x6E, 0xF9, 0x93, 0xCF, 0xEA, 0xC3, 0xF3, 
+	0xA5, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 
+	0x18, 0x30, 0x16, 0x80, 0x14, 0x56, 0x8E, 0x9A, 0xC3, 0xF0, 
+	0x42, 0xDE, 0x18, 0xB9, 0x45, 0x55, 0x6E, 0xF9, 0x93, 0xCF, 
+	0xEA, 0xC3, 0xF3, 0xA5, 0x21, 0x30, 0x0F, 0x06, 0x03, 0x55, 
+	0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 
+	0x01, 0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 
+	0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0A, 
+	0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 
+	0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x32, 0x26, 0x81, 
+	0xE4, 0x15, 0xEC, 0xE3, 0xAA, 0xD3, 0xE5, 0xB8, 0x2A, 0xCA, 
+	0xA3, 0x06, 0xA7, 0x04, 0x97, 0xD8, 0x43, 0x7F, 0xD4, 0x94, 
+	0x47, 0xF8, 0x18, 0x0D, 0x93, 0x52, 0x23, 0x8B, 0x08, 0x02, 
+	0x21, 0x00, 0xE1, 0x9E, 0x34, 0xD0, 0x92, 0xEE, 0x56, 0x0D, 
+	0x23, 0x38, 0x4A, 0x20, 0xBC, 0xCF, 0x11, 0xC3, 0x33, 0x77, 
+	0x96, 0x81, 0x56, 0x2B, 0xCA, 0xC4, 0xD5, 0xC6, 0x65, 0x5D, 
+	0x36, 0x73, 0x2F, 0xBA
 };
-static const int sizeof_serv_ecc_der_256 = sizeof(serv_ecc_der_256);
+static const int sizeof_ca_ecc_cert_der_256 = sizeof(ca_ecc_cert_der_256);
+
+/* ./certs/ca-ecc384-key.der, ECC */
+static const unsigned char ca_ecc_key_der_384[] =
+{
+	0x30, 0x81, 0xA4, 0x02, 0x01, 0x01, 0x04, 0x30, 0x7B, 0x16, 
+	0xE3, 0xD6, 0xD2, 0x81, 0x94, 0x6C, 0x8A, 0xDD, 0xA8, 0x78, 
+	0xEE, 0xC7, 0x7E, 0xB3, 0xC5, 0xD1, 0xDB, 0x2E, 0xF3, 0xED, 
+	0x0E, 0x48, 0x85, 0xB1, 0xF2, 0xE1, 0x7A, 0x39, 0x56, 0xC0, 
+	0xF1, 0x62, 0x12, 0x0F, 0x35, 0xB7, 0x39, 0xBC, 0x9C, 0x25, 
+	0xC0, 0x76, 0xEB, 0xFE, 0x55, 0x70, 0xA0, 0x07, 0x06, 0x05, 
+	0x2B, 0x81, 0x04, 0x00, 0x22, 0xA1, 0x64, 0x03, 0x62, 0x00, 
+	0x04, 0xEE, 0x82, 0xD4, 0x39, 0x9A, 0xB1, 0x27, 0x82, 0xF4, 
+	0xD7, 0xEA, 0xC6, 0xBC, 0x03, 0x1D, 0x4D, 0x83, 0x61, 0xF4, 
+	0x03, 0xAE, 0x7E, 0xBD, 0xD8, 0x5A, 0xA5, 0xB9, 0xF0, 0x8E, 
+	0xA2, 0xA5, 0xDA, 0xCE, 0x87, 0x3B, 0x5A, 0xAB, 0x44, 0x16, 
+	0x9C, 0xF5, 0x9F, 0x62, 0xDD, 0xF6, 0x20, 0xCD, 0x9C, 0x76, 
+	0x3C, 0x40, 0xB1, 0x3F, 0x97, 0x17, 0xDF, 0x59, 0xF6, 0xCD, 
+	0xDE, 0xCD, 0x46, 0x35, 0xC0, 0xED, 0x5E, 0x2E, 0x48, 0xB6, 
+	0x66, 0x91, 0x71, 0x74, 0xB7, 0x0C, 0x3F, 0xB9, 0x9A, 0xB7, 
+	0x83, 0xBD, 0x93, 0x3F, 0x5F, 0x50, 0x2D, 0x70, 0x3F, 0xDE, 
+	0x35, 0x25, 0xE1, 0x90, 0x3B, 0x86, 0xE0
+};
+static const int sizeof_ca_ecc_key_der_384 = sizeof(ca_ecc_key_der_384);
+
+/* ./certs/ca-ecc384-cert.der, ECC */
+static const unsigned char ca_ecc_cert_der_384[] =
+{
+	0x30, 0x82, 0x02, 0xC7, 0x30, 0x82, 0x02, 0x4D, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xF5, 0xE1, 0x8F, 0xF1, 
+	0x4B, 0xA6, 0x83, 0x8E, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 
+	0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x30, 0x81, 0x97, 0x31, 
+	0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 
+	0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 
+	0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 
+	0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
+	0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 
+	0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 
+	0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 
+	0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 
+	0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 
+	0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
+	0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 
+	0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 
+	0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 
+	0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 
+	0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
+	0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x31, 0x30, 0x32, 0x30, 
+	0x31, 0x38, 0x31, 0x39, 0x30, 0x36, 0x5A, 0x17, 0x0D, 0x33, 
+	0x37, 0x31, 0x30, 0x31, 0x35, 0x31, 0x38, 0x31, 0x39, 0x30, 
+	0x36, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, 
+	0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 
+	0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 
+	0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 
+	0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 
+	0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 
+	0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 
+	0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06, 
+	0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65, 
+	0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30, 
+	0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 
+	0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 
+	0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 
+	0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 
+	0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 
+	0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x76, 0x30, 0x10, 
+	0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 
+	0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 
+	0xEE, 0x82, 0xD4, 0x39, 0x9A, 0xB1, 0x27, 0x82, 0xF4, 0xD7, 
+	0xEA, 0xC6, 0xBC, 0x03, 0x1D, 0x4D, 0x83, 0x61, 0xF4, 0x03, 
+	0xAE, 0x7E, 0xBD, 0xD8, 0x5A, 0xA5, 0xB9, 0xF0, 0x8E, 0xA2, 
+	0xA5, 0xDA, 0xCE, 0x87, 0x3B, 0x5A, 0xAB, 0x44, 0x16, 0x9C, 
+	0xF5, 0x9F, 0x62, 0xDD, 0xF6, 0x20, 0xCD, 0x9C, 0x76, 0x3C, 
+	0x40, 0xB1, 0x3F, 0x97, 0x17, 0xDF, 0x59, 0xF6, 0xCD, 0xDE, 
+	0xCD, 0x46, 0x35, 0xC0, 0xED, 0x5E, 0x2E, 0x48, 0xB6, 0x66, 
+	0x91, 0x71, 0x74, 0xB7, 0x0C, 0x3F, 0xB9, 0x9A, 0xB7, 0x83, 
+	0xBD, 0x93, 0x3F, 0x5F, 0x50, 0x2D, 0x70, 0x3F, 0xDE, 0x35, 
+	0x25, 0xE1, 0x90, 0x3B, 0x86, 0xE0, 0xA3, 0x63, 0x30, 0x61, 
+	0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 
+	0x14, 0xAB, 0xE0, 0xC3, 0x26, 0x4C, 0x18, 0xD4, 0x72, 0xBB, 
+	0xD2, 0x84, 0x8C, 0x9C, 0x0A, 0x05, 0x92, 0x80, 0x12, 0x53, 
+	0x52, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 
+	0x30, 0x16, 0x80, 0x14, 0xAB, 0xE0, 0xC3, 0x26, 0x4C, 0x18, 
+	0xD4, 0x72, 0xBB, 0xD2, 0x84, 0x8C, 0x9C, 0x0A, 0x05, 0x92, 
+	0x80, 0x12, 0x53, 0x52, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 
+	0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 
+	0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 
+	0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0A, 0x06, 
+	0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x03, 
+	0x68, 0x00, 0x30, 0x65, 0x02, 0x30, 0x17, 0xDD, 0xB9, 0xA5, 
+	0xE0, 0xEC, 0x8A, 0x03, 0x8B, 0x66, 0x45, 0x69, 0xAD, 0x5E, 
+	0xAD, 0x32, 0xBC, 0x45, 0x4C, 0x89, 0x85, 0x3F, 0xA1, 0xDD, 
+	0xA4, 0x74, 0x4B, 0x5D, 0x08, 0x65, 0x1B, 0xD8, 0x07, 0x00, 
+	0x49, 0x5D, 0xEF, 0x10, 0xFC, 0xEB, 0x8F, 0x64, 0xA8, 0x62, 
+	0x99, 0x88, 0x20, 0x59, 0x02, 0x31, 0x00, 0x94, 0x40, 0x64, 
+	0x29, 0x86, 0xD0, 0x00, 0x76, 0x1C, 0x98, 0x23, 0x9C, 0xB7, 
+	0x9B, 0xBE, 0x78, 0x73, 0x3A, 0x88, 0xBE, 0x52, 0x00, 0x3F, 
+	0xE3, 0x81, 0x36, 0xD9, 0x14, 0x22, 0x3D, 0x9E, 0xA2, 0x8A, 
+	0x4A, 0x56, 0x9C, 0xC4, 0x3F, 0x5F, 0x88, 0x2E, 0xB1, 0xA7, 
+	0x6C, 0x4D, 0x0E, 0xCC, 0x92
+};
+static const int sizeof_ca_ecc_cert_der_384 = sizeof(ca_ecc_cert_der_384);
 
 #endif /* HAVE_ECC && USE_CERT_BUFFERS_256 */
 
@@ -2183,158 +2382,142 @@ static const unsigned char dh_g[] =
   0x02,
 };
 
-#ifdef HAVE_ED25519
-/*
- * Subject: /C=US/ST=Montana/L=Bozeman/SN=Leaf/O=wolfSSL/OU=ED25519/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
- * Issuer:  /C=US/ST=Montana/L=Bozeman/SN=CA/O=wolfSSL/OU=ED25519/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
- */
-static const unsigned char server_ed25519_pkey[44] = {
-    0x30, 0x2A, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 
-    0x21, 0x00, 0x1A, 0x30, 0x88, 0x18, 0x47, 0x2F, 0x97, 0xDA, 
-    0x04, 0xF4, 0xA4, 0xE3, 0xBD, 0x6C, 0x0C, 0x16, 0xB9, 0x48, 
-    0xC1, 0xD1, 0x42, 0xD7, 0x8E, 0x92, 0x84, 0xA0, 0x74, 0x2A, 
-    0x43, 0x9E, 0x0E, 0x29
-};
-static const int sizeof_server_ed25519_pkey = sizeof(server_ed25519_pkey);
+#if defined(HAVE_ED25519)
 
-static const unsigned char server_ed25519_cert[591] = {
-    0x30, 0x82, 0x02, 0x4B, 0x30, 0x82, 0x01, 0xFD, 0xA0, 0x03, 
-    0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xD0, 0x92, 0x10, 0x6A, 
-    0x5A, 0x46, 0x57, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 
-    0x30, 0x81, 0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
-    0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 
-    0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 
-    0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
-    0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 
-    0x61, 0x6E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 
-    0x04, 0x0C, 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 
-    0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 
-    0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
-    0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 
-    0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
-    0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 
-    0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 
-    0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 
-    0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 
-    0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
-    0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x30, 0x35, 
-    0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x18, 
-    0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 0x39, 0x32, 
-    0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 0x9F, 0x31, 
-    0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 
-    0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
-    0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 
-    0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 
-    0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x0D, 
-    0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 0x04, 0x4C, 
-    0x65, 0x61, 0x66, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
-    0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 
-    0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, 
-    0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, 
-    0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 
-    0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 
-    0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 
-    0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 
-    0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 
-    0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, 
-    0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, 
-    0x1A, 0x30, 0x88, 0x18, 0x47, 0x2F, 0x97, 0xDA, 0x04, 0xF4, 
-    0xA4, 0xE3, 0xBD, 0x6C, 0x0C, 0x16, 0xB9, 0x48, 0xC1, 0xD1, 
-    0x42, 0xD7, 0x8E, 0x92, 0x84, 0xA0, 0x74, 0x2A, 0x43, 0x9E, 
-    0x0E, 0x29, 0xA3, 0x53, 0x30, 0x51, 0x30, 0x1D, 0x06, 0x03, 
-    0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xF6, 0xB2, 0x84, 
-    0x1A, 0x95, 0xB4, 0x70, 0x32, 0x53, 0xFE, 0xD9, 0xEB, 0x9B, 
-    0x29, 0x80, 0x4B, 0xD6, 0xB5, 0xF1, 0xC0, 0x30, 0x1F, 0x06, 
-    0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 
-    0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 0x8B, 
-    0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 0xC9, 
-    0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 
-    0x04, 0x05, 0x03, 0x02, 0x06, 0xC0, 0x00, 0x30, 0x05, 0x06, 
-    0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0x12, 0x56, 0x77, 
-    0x0C, 0x96, 0x42, 0x98, 0xDA, 0xC9, 0x15, 0x6C, 0x4E, 0x48, 
-    0x95, 0x05, 0x1D, 0xD0, 0x78, 0x32, 0xF8, 0x86, 0x46, 0x9A, 
-    0x46, 0x9B, 0x64, 0x8B, 0x31, 0xB0, 0x19, 0x6B, 0x77, 0x99, 
-    0x8B, 0xFF, 0xFC, 0x02, 0x36, 0x05, 0x0B, 0x69, 0x37, 0x87, 
-    0x62, 0x75, 0xDA, 0x50, 0x2C, 0x2D, 0x5D, 0x52, 0x94, 0x3F, 
-    0x00, 0x9D, 0x18, 0x45, 0x6F, 0x37, 0x12, 0x8E, 0xF4, 0xE4, 
-    0x00
+/* ./certs/ed25519/server-ed25519.der, ED25519 */
+static const unsigned char server_ed25519_cert[] =
+{
+	0x30, 0x82, 0x02, 0x4B, 0x30, 0x82, 0x01, 0xFD, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xD0, 0x92, 0x10, 0x6A, 
+	0x5A, 0x46, 0x57, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 
+	0x30, 0x81, 0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
+	0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 
+	0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 
+	0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
+	0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 
+	0x61, 0x6E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 
+	0x04, 0x0C, 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 
+	0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 
+	0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
+	0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 
+	0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
+	0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 
+	0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 
+	0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 
+	0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 
+	0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
+	0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x30, 0x35, 
+	0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x18, 
+	0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 0x39, 0x32, 
+	0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 0x9F, 0x31, 
+	0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 
+	0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
+	0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 
+	0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 
+	0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x0D, 
+	0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 0x04, 0x4C, 
+	0x65, 0x61, 0x66, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
+	0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 
+	0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, 
+	0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, 
+	0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 
+	0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 
+	0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 
+	0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 
+	0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 
+	0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, 
+	0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, 
+	0x1A, 0x30, 0x88, 0x18, 0x47, 0x2F, 0x97, 0xDA, 0x04, 0xF4, 
+	0xA4, 0xE3, 0xBD, 0x6C, 0x0C, 0x16, 0xB9, 0x48, 0xC1, 0xD1, 
+	0x42, 0xD7, 0x8E, 0x92, 0x84, 0xA0, 0x74, 0x2A, 0x43, 0x9E, 
+	0x0E, 0x29, 0xA3, 0x53, 0x30, 0x51, 0x30, 0x1D, 0x06, 0x03, 
+	0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xF6, 0xB2, 0x84, 
+	0x1A, 0x95, 0xB4, 0x70, 0x32, 0x53, 0xFE, 0xD9, 0xEB, 0x9B, 
+	0x29, 0x80, 0x4B, 0xD6, 0xB5, 0xF1, 0xC0, 0x30, 0x1F, 0x06, 
+	0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 
+	0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 0x8B, 
+	0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 0xC9, 
+	0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 
+	0x04, 0x05, 0x03, 0x02, 0x06, 0xC0, 0x00, 0x30, 0x05, 0x06, 
+	0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0x12, 0x56, 0x77, 
+	0x0C, 0x96, 0x42, 0x98, 0xDA, 0xC9, 0x15, 0x6C, 0x4E, 0x48, 
+	0x95, 0x05, 0x1D, 0xD0, 0x78, 0x32, 0xF8, 0x86, 0x46, 0x9A, 
+	0x46, 0x9B, 0x64, 0x8B, 0x31, 0xB0, 0x19, 0x6B, 0x77, 0x99, 
+	0x8B, 0xFF, 0xFC, 0x02, 0x36, 0x05, 0x0B, 0x69, 0x37, 0x87, 
+	0x62, 0x75, 0xDA, 0x50, 0x2C, 0x2D, 0x5D, 0x52, 0x94, 0x3F, 
+	0x00, 0x9D, 0x18, 0x45, 0x6F, 0x37, 0x12, 0x8E, 0xF4, 0xE4, 
+	0x00
 };
 static const int sizeof_server_ed25519_cert = sizeof(server_ed25519_cert);
 
-static const unsigned char ca_ed25519_pkey[44] = {
-    0x30, 0x2A, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 
-    0x21, 0x00, 0x41, 0x07, 0xEC, 0x75, 0x0C, 0x68, 0x72, 0x12, 
-    0x3C, 0x04, 0x82, 0x07, 0x6E, 0x16, 0x6F, 0x40, 0x41, 0x6D, 
-    0xA4, 0x8F, 0x08, 0xF2, 0xE2, 0x9D, 0xA7, 0x43, 0xC2, 0x24, 
-    0x28, 0x98, 0x7E, 0xAC
-};
-static const int sizeof_ca_ed25519_pkey = sizeof(ca_ed25519_pkey);
-
-static const unsigned char ca_ed25519_cert[605] = {
-    0x30, 0x82, 0x02, 0x59, 0x30, 0x82, 0x02, 0x0B, 0xA0, 0x03, 
-    0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xF6, 0xE1, 0x3E, 0xBC, 
-    0x79, 0xA1, 0x85, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 
-    0x30, 0x81, 0x9F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
-    0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 
-    0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 
-    0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
-    0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 
-    0x61, 0x6E, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 
-    0x04, 0x0C, 0x04, 0x52, 0x6F, 0x6F, 0x74, 0x31, 0x10, 0x30, 
-    0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 
-    0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 
-    0x03, 0x55, 0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 
-    0x35, 0x31, 0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 
-    0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 
-    0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 
-    0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 
-    0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 
-    0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 
-    0x6F, 0x6D, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 
-    0x30, 0x35, 0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 
-    0x5A, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 
-    0x39, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 
-    0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 
-    0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
-    0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 
-    0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
-    0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 
-    0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 
-    0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
-    0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 
-    0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, 
-    0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, 
-    0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 
-    0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 
-    0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 
-    0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 
-    0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 
-    0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, 
-    0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, 
-    0x41, 0x07, 0xEC, 0x75, 0x0C, 0x68, 0x72, 0x12, 0x3C, 0x04, 
-    0x82, 0x07, 0x6E, 0x16, 0x6F, 0x40, 0x41, 0x6D, 0xA4, 0x8F, 
-    0x08, 0xF2, 0xE2, 0x9D, 0xA7, 0x43, 0xC2, 0x24, 0x28, 0x98, 
-    0x7E, 0xAC, 0xA3, 0x61, 0x30, 0x5F, 0x30, 0x0C, 0x06, 0x03, 
-    0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 
-    0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 
-    0x14, 0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 
-    0x8B, 0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 
-    0xC9, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 
-    0x30, 0x16, 0x80, 0x14, 0x86, 0xC0, 0x27, 0xE9, 0x9E, 0xFA, 
-    0x85, 0xC1, 0xFD, 0xE3, 0x6F, 0xFC, 0x54, 0x59, 0x72, 0x37, 
-    0xC7, 0x33, 0x92, 0xBB, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 
-    0x0F, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x03, 0x02, 0x01, 0xC6, 
-    0x00, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 
-    0x00, 0x22, 0x1B, 0x06, 0x17, 0xC0, 0x11, 0x74, 0x1F, 0x64, 
-    0xD1, 0xA3, 0xF6, 0x7B, 0x06, 0x00, 0x1A, 0x0B, 0x50, 0x8E, 
-    0xEB, 0xB1, 0x63, 0x92, 0x45, 0xBA, 0xDC, 0xE2, 0xC1, 0x68, 
-    0x14, 0x23, 0x0C, 0x6E, 0x2C, 0x95, 0x3C, 0xB1, 0x1C, 0x19, 
-    0x27, 0x98, 0x50, 0x3E, 0x55, 0x51, 0xCC, 0xC4, 0x49, 0x58, 
-    0xAF, 0xB9, 0x46, 0x4F, 0xED, 0x9C, 0x57, 0x38, 0x04, 0x29, 
-    0xD4, 0xA9, 0x12, 0xFE, 0x08
+/* ./certs/ed25519/ca-ed25519.der, ED25519 */
+static const unsigned char ca_ed25519_cert[] =
+{
+	0x30, 0x82, 0x02, 0x59, 0x30, 0x82, 0x02, 0x0B, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xF6, 0xE1, 0x3E, 0xBC, 
+	0x79, 0xA1, 0x85, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 
+	0x30, 0x81, 0x9F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
+	0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 
+	0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 
+	0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
+	0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 
+	0x61, 0x6E, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 
+	0x04, 0x0C, 0x04, 0x52, 0x6F, 0x6F, 0x74, 0x31, 0x10, 0x30, 
+	0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 
+	0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 
+	0x03, 0x55, 0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 
+	0x35, 0x31, 0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 
+	0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 
+	0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 
+	0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 
+	0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 
+	0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 
+	0x6F, 0x6D, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 
+	0x30, 0x35, 0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 
+	0x5A, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 
+	0x39, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 
+	0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 
+	0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
+	0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 
+	0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
+	0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 
+	0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 
+	0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
+	0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 
+	0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, 
+	0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, 
+	0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 
+	0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 
+	0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 
+	0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 
+	0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 
+	0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, 
+	0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, 
+	0x41, 0x07, 0xEC, 0x75, 0x0C, 0x68, 0x72, 0x12, 0x3C, 0x04, 
+	0x82, 0x07, 0x6E, 0x16, 0x6F, 0x40, 0x41, 0x6D, 0xA4, 0x8F, 
+	0x08, 0xF2, 0xE2, 0x9D, 0xA7, 0x43, 0xC2, 0x24, 0x28, 0x98, 
+	0x7E, 0xAC, 0xA3, 0x61, 0x30, 0x5F, 0x30, 0x0C, 0x06, 0x03, 
+	0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 
+	0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 
+	0x14, 0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 
+	0x8B, 0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 
+	0xC9, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 
+	0x30, 0x16, 0x80, 0x14, 0x86, 0xC0, 0x27, 0xE9, 0x9E, 0xFA, 
+	0x85, 0xC1, 0xFD, 0xE3, 0x6F, 0xFC, 0x54, 0x59, 0x72, 0x37, 
+	0xC7, 0x33, 0x92, 0xBB, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 
+	0x0F, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x03, 0x02, 0x01, 0xC6, 
+	0x00, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 
+	0x00, 0x22, 0x1B, 0x06, 0x17, 0xC0, 0x11, 0x74, 0x1F, 0x64, 
+	0xD1, 0xA3, 0xF6, 0x7B, 0x06, 0x00, 0x1A, 0x0B, 0x50, 0x8E, 
+	0xEB, 0xB1, 0x63, 0x92, 0x45, 0xBA, 0xDC, 0xE2, 0xC1, 0x68, 
+	0x14, 0x23, 0x0C, 0x6E, 0x2C, 0x95, 0x3C, 0xB1, 0x1C, 0x19, 
+	0x27, 0x98, 0x50, 0x3E, 0x55, 0x51, 0xCC, 0xC4, 0x49, 0x58, 
+	0xAF, 0xB9, 0x46, 0x4F, 0xED, 0x9C, 0x57, 0x38, 0x04, 0x29, 
+	0xD4, 0xA9, 0x12, 0xFE, 0x08
 };
 static const int sizeof_ca_ed25519_cert = sizeof(ca_ed25519_cert);
-#endif
+
+#endif /* HAVE_ED25519 */
 
 #endif /* WOLFSSL_CERTS_TEST_H */
 

wolfssl/test.h

@@ -265,6 +265,7 @@
 #define dhParamFile    "certs/dh2048.pem"
 #define cliEccKeyFile  "certs/ecc-client-key.pem"
 #define cliEccCertFile "certs/client-ecc-cert.pem"
+#define caEccCertFile  "certs/ca-ecc-cert/pem"
 #define crlPemDir      "certs/crl"
 #ifdef HAVE_WNR
     /* Whitewood netRandom default config file */
@@ -283,6 +284,7 @@
 #define dhParamFile    "./certs/dh2048.pem"
 #define cliEccKeyFile  "./certs/ecc-client-key.pem"
 #define cliEccCertFile "./certs/client-ecc-cert.pem"
+#define caEccCertFile  "./certs/ca-ecc-cert.pem"
 #define crlPemDir      "./certs/crl"
 #ifdef HAVE_WNR
     /* Whitewood netRandom default config file */