Testing improvements for cert gen and TLS cert validation:

* Fixes to support certificate generation (`WOLFSSL_CERT_GEN`) without RSA enabled.
* Added new ECC CA for 384-bit tests.
* Created new server cert chain (ECC CA for 256-bit that signs server-ecc.pem)
* Created new `./certs/ecc/genecc.sh` script for generating all ECC CA's, generated server cert req (CSR), signing with CA and the required CRL.
* Moved the wolfCrypt ECC CA / ECC cert gen test into `ecc_test` as `ecc_test_cert_gen`.
* Refactor duplicate code that saves DER to disk, converts DER to PEM and saves PEM to disk into SaveDerAndPem function.
* Changed `ecc_test_make_pub` and `ecc_test_key_gen` to use XMALLOC for temp buffers (uses heap instead of stack).
* Cleanup to combine all certificate subject information into global `certDefaultName`.
* Updated cert request info to use wolfSSL instead of Yassl.
* Cleanup to combine keyUsage into `certKeyUsage` and `certKeyUsage2`.
* Re-number error codes in rsa_test.
* Moved the certext_test after the ecc_test, since it uses a file generated in `ecc_test_cert_gen`.

.gitignore

@@ -81,6 +81,8 @@ certecc.der
 certecc.pem
 othercert.der
 othercert.pem
+certeccrsa.der
+certeccrsa.pem
 ntru-cert.der
 ntru-cert.pem
 ntru-key.raw

certs/ca-ecc-cert.pem

@@ -0,0 +1,51 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 10982604883445917224 (0x986a0cf40243a628)
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Validity
+            Not Before: Oct 19 19:06:49 2017 GMT
+            Not After : Oct 14 19:06:49 2037 GMT
+        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub: 
+                    04:e6:38:df:16:e3:4b:ea:aa:9f:91:a3:f3:32:40:
+                    f6:6c:7e:a1:55:01:38:05:fe:6b:39:37:1c:ea:f9:
+                    f9:4d:87:4b:2d:2f:4b:54:e5:9b:4a:1a:ba:0d:02:
+                    a5:1c:ec:c1:51:30:c9:3c:94:ac:2e:5b:2f:40:f6:
+                    3c:a7:7a:d0:68
+                ASN1 OID: prime256v1
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                FD:9D:85:D5:C1:6F:47:EA:C6:75:96:59:25:37:46:8C:61:DB:E1:C3
+            X509v3 Authority Key Identifier: 
+                keyid:FD:9D:85:D5:C1:6F:47:EA:C6:75:96:59:25:37:46:8C:61:DB:E1:C3
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:03:cf:3f:6e:26:f7:76:be:98:81:20:57:6b:4a:
+         55:f7:16:19:21:a0:4c:c8:a1:19:83:4c:66:55:2d:43:36:e1:
+         02:20:4d:26:29:2b:f2:38:94:85:7e:a0:13:b6:c5:8d:61:be:
+         96:15:ad:fe:ae:61:ed:a1:88:f9:79:c6:40:57:e4:9b
+-----BEGIN CERTIFICATE-----
+MIICiTCCAjCgAwIBAgIJAJhqDPQCQ6YoMAoGCCqGSM49BAMCMIGXMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
+A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
+Fw0xNzEwMTkxOTA2NDlaFw0zNzEwMTQxOTA2NDlaMIGXMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH
+d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABOY43xbjS+qqn5Gj8zJA9mx+oVUBOAX+azk3HOr5
++U2HSy0vS1Tlm0oaug0CpRzswVEwyTyUrC5bL0D2PKd60GijYzBhMB0GA1UdDgQW
+BBT9nYXVwW9H6sZ1llklN0aMYdvhwzAfBgNVHSMEGDAWgBT9nYXVwW9H6sZ1llkl
+N0aMYdvhwzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO
+PQQDAgNHADBEAiADzz9uJvd2vpiBIFdrSlX3FhkhoEzIoRmDTGZVLUM24QIgTSYp
+K/I4lIV+oBO2xY1hvpYVrf6uYe2hiPl5xkBX5Js=
+-----END CERTIFICATE-----

certs/ca-ecc-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgrLj6Fn0Y1kN7krjS
+pmBtRA6quQ8cOltX0F9nEcurSIehRANCAATmON8W40vqqp+Ro/MyQPZsfqFVATgF
+/ms5Nxzq+flNh0stL0tU5ZtKGroNAqUc7MFRMMk8lKwuWy9A9jynetBo
+-----END PRIVATE KEY-----

certs/ca-ecc384-cert.pem

@@ -0,0 +1,56 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 12125228858566244640 (0xa84577679727f920)
+    Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Validity
+            Not Before: Oct 19 19:06:49 2017 GMT
+            Not After : Oct 14 19:06:49 2037 GMT
+        Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub: 
+                    04:11:3c:5c:d0:64:22:a7:0f:c8:b6:40:84:d7:e9:
+                    42:13:88:b9:11:b5:8d:9e:bb:40:b4:9e:f7:20:35:
+                    2b:f5:dc:59:70:00:19:32:63:de:56:55:6a:0b:d5:
+                    29:ba:c1:26:53:3f:11:b4:9c:d1:0e:23:bf:03:2b:
+                    46:45:4e:65:f4:77:22:0a:63:e2:49:5d:f0:a7:8c:
+                    29:49:00:33:00:b1:40:19:bf:67:3f:d1:f2:4e:6e:
+                    1d:18:81:50:eb:13:6a
+                ASN1 OID: secp384r1
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                97:FD:B4:6D:CE:08:B3:02:57:AB:F3:40:D6:1D:AC:75:32:35:AA:F2
+            X509v3 Authority Key Identifier: 
+                keyid:97:FD:B4:6D:CE:08:B3:02:57:AB:F3:40:D6:1D:AC:75:32:35:AA:F2
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA384
+         30:65:02:31:00:9d:49:9e:68:10:55:b3:92:89:23:cf:58:fb:
+         04:ee:ab:ed:3e:3c:f6:94:66:d1:bd:16:8e:ca:52:9f:39:f3:
+         d6:47:c0:cb:45:e2:1e:c6:dd:50:08:37:37:ba:ae:e6:72:02:
+         30:6b:38:53:41:32:3e:55:84:39:65:9b:a7:40:98:05:cd:16:
+         fe:dd:54:3a:38:19:f0:63:b9:c1:45:46:dc:b4:4d:47:21:49:
+         fc:5b:63:a8:16:4c:d8:3f:3b:a8:c9:fb:fa
+-----BEGIN CERTIFICATE-----
+MIICxzCCAk2gAwIBAgIJAKhFd2eXJ/kgMAoGCCqGSM49BAMDMIGXMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
+A1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3
+dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
+Fw0xNzEwMTkxOTA2NDlaFw0zNzEwMTQxOTA2NDlaMIGXMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwH
+d29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xm
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqG
+SM49AgEGBSuBBAAiA2IABBE8XNBkIqcPyLZAhNfpQhOIuRG1jZ67QLSe9yA1K/Xc
+WXAAGTJj3lZVagvVKbrBJlM/EbSc0Q4jvwMrRkVOZfR3Igpj4kld8KeMKUkAMwCx
+QBm/Zz/R8k5uHRiBUOsTaqNjMGEwHQYDVR0OBBYEFJf9tG3OCLMCV6vzQNYdrHUy
+NaryMB8GA1UdIwQYMBaAFJf9tG3OCLMCV6vzQNYdrHUyNaryMA8GA1UdEwEB/wQF
+MAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMQCdSZ5oEFWz
+kokjz1j7BO6r7T489pRm0b0WjspSnznz1kfAy0XiHsbdUAg3N7qu5nICMGs4U0Ey
+PlWEOWWbp0CYBc0W/t1UOjgZ8GO5wUVG3LRNRyFJ/FtjqBZM2D87qMn7+g==
+-----END CERTIFICATE-----

certs/ca-ecc384-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAle3GsRkzyxKVZhvYJ
+tHOExBgEpBojdYDOXglcBOCtBI5f18eR53bLiu/A8TQo7lyhZANiAAQRPFzQZCKn
+D8i2QITX6UITiLkRtY2eu0C0nvcgNSv13FlwABkyY95WVWoL1Sm6wSZTPxG0nNEO
+I78DK0ZFTmX0dyIKY+JJXfCnjClJADMAsUAZv2c/0fJObh0YgVDrE2o=
+-----END PRIVATE KEY-----

certs/crl/caEcc384Crl.pem

@@ -0,0 +1,30 @@
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Last Update: Oct 19 19:06:54 2017 GMT
+        Next Update: Jul 15 19:06:54 2020 GMT
+        CRL extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:97:FD:B4:6D:CE:08:B3:02:57:AB:F3:40:D6:1D:AC:75:32:35:AA:F2
+
+            X509v3 CRL Number: 
+                8193
+No Revoked Certificates.
+    Signature Algorithm: ecdsa-with-SHA256
+         30:64:02:30:37:0c:54:d6:da:d1:0b:a0:f9:9f:91:91:41:6d:
+         e3:5f:91:1e:1b:18:ad:ef:cd:a9:80:25:1b:47:81:7a:95:64:
+         fe:a3:98:19:be:8f:a7:69:c7:d0:b4:b5:f1:a2:d5:e0:02:30:
+         2a:33:97:79:c7:31:5a:d6:e0:f0:17:ae:2c:72:3a:8e:5e:82:
+         93:87:af:17:1f:6e:83:dc:81:06:6d:3c:6e:2a:9c:b5:50:bd:
+         a5:66:b3:82:de:48:9a:88:84:a4:a0:f3
+-----BEGIN X509 CRL-----
+MIIBcTCB+QIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
+FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE3MTAxOTE5MDY1NFoX
+DTIwMDcxNTE5MDY1NFqgMDAuMB8GA1UdIwQYMBaAFJf9tG3OCLMCV6vzQNYdrHUy
+NaryMAsGA1UdFAQEAgIgATAKBggqhkjOPQQDAgNnADBkAjA3DFTW2tELoPmfkZFB
+beNfkR4bGK3vzamAJRtHgXqVZP6jmBm+j6dpx9C0tfGi1eACMCozl3nHMVrW4PAX
+rixyOo5egpOHrxcfboPcgQZtPG4qnLVQvaVms4LeSJqIhKSg8w==
+-----END X509 CRL-----

certs/crl/caEccCrl.pem

@@ -0,0 +1,28 @@
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Last Update: Oct 19 19:06:54 2017 GMT
+        Next Update: Jul 15 19:06:54 2020 GMT
+        CRL extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:FD:9D:85:D5:C1:6F:47:EA:C6:75:96:59:25:37:46:8C:61:DB:E1:C3
+
+            X509v3 CRL Number: 
+                8192
+No Revoked Certificates.
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:02:41:b8:0e:b1:33:d2:5e:b5:1f:fd:0d:09:20:
+         46:25:7e:98:09:d2:2e:20:eb:75:cd:b8:ed:ad:b6:b8:80:2a:
+         02:20:2a:56:04:d8:1a:ab:d7:3a:96:bb:a7:06:b2:93:b7:8b:
+         22:da:f8:49:9c:64:2a:24:6e:c1:b5:b3:8d:80:4c:c7
+-----BEGIN X509 CRL-----
+MIIBUTCB+QIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
+FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE3MTAxOTE5MDY1NFoX
+DTIwMDcxNTE5MDY1NFqgMDAuMB8GA1UdIwQYMBaAFP2dhdXBb0fqxnWWWSU3Roxh
+2+HDMAsGA1UdFAQEAgIgADAKBggqhkjOPQQDAgNHADBEAiACQbgOsTPSXrUf/Q0J
+IEYlfpgJ0i4g63XNuO2ttriAKgIgKlYE2Bqr1zqWu6cGspO3iyLa+EmcZCokbsG1
+s42ATMc=
+-----END X509 CRL-----

certs/crl/gencrls.sh

@@ -55,6 +55,28 @@ mv tmp crl.revoked
 # remove revoked so next time through the normal CA won't have server revoked
 cp blank.index.txt demoCA/index.txt
 
+# caEccCrl
+openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
+
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
+
+# metadata
+openssl crl -in caEccCrl.pem -text > tmp
+mv tmp caEccCrl.pem
+# install (only needed if working outside wolfssl)
+#cp caEccCrl.pem ~/wolfssl/certs/crl/caEccCrl.pem
+
+# caEcc384Crl
+openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-revoked-cert.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
+
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
+
+# metadata
+openssl crl -in caEcc384Crl.pem -text > tmp
+mv tmp caEcc384Crl.pem
+# install (only needed if working outside wolfssl)
+#cp caEcc384Crl.pem ~/wolfssl/certs/crl/caEcc384Crl.pem
+
 # cliCrl
 openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out cliCrl.pem -keyfile ../client-key.pem -cert ../client-cert.pem
 

certs/crl/include.am

@@ -7,9 +7,9 @@ EXTRA_DIST += \
 	     certs/crl/cliCrl.pem \
 	     certs/crl/eccSrvCRL.pem \
 	     certs/crl/eccCliCRL.pem \
-	     certs/crl/crl2.pem
+	     certs/crl/crl2.pem \
+	     certs/crl/caEccCrl.pem \
+	     certs/crl/caEcc384Crl.pem
 
 EXTRA_DIST += \
 	     certs/crl/crl.revoked
-
-

certs/ecc/genecc.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# run from wolfssl root
+
+rm ./certs/ecc/*.old
+rm ./certs/ecc/index.txt*
+rm ./certs/ecc/serial
+rm ./certs/ecc/crlnumber
+
+touch ./certs/ecc/index.txt
+echo 1000 > ./certs/ecc/serial
+echo 2000 > ./certs/ecc/crlnumber
+
+# generate ECC 256-bit CA
+openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
+openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+
+openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
+openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
+
+rm ./certs/ca-ecc-key.par
+
+# generate ECC 384-bit CA
+openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
+openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+
+openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
+openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
+
+rm ./certs/ca-ecc384-key.par
+
+
+# Generate ECC 256-bit server cert
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc-key.pem -out ./certs/server-ecc-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/server-ecc-req.pem -CA ./certs/ca-ecc-cert.pem -CAkey ./certs/ca-ecc-key.pem -CAcreateserial -out ./certs/server-ecc.pem -sha256
+
+# Sign server certificate
+openssl ca -config ./certs/ecc/wolfssl.cnf -extensions server_cert -days 3650 -notext -md sha256 -in ./certs/server-ecc-req.pem -out ./certs/server-ecc.pem
+openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der
+
+rm ./certs/server-ecc-req.pem 
+
+# Gen CRL
+openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
+openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
+
+# Also manually need to:
+# 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
+# 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der
+# 3. Covert bad cert to pem `openssl x509 -inform der -in ./certs/test/server-cert-ecc-badsig.der -outform pem -out ./certs/test/server-cert-ecc-badsig.pem`
+# 4. Update AKID's for CA's in test.c certext_test() function akid_ecc.

certs/ecc/include.am

@@ -0,0 +1,8 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+	     certs/ecc/genecc.sh \
+	     certs/ecc/wolfssl.cnf
+

certs/ecc/wolfssl.cnf

@@ -0,0 +1,109 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = .
+certs             = $dir/certs
+new_certs_dir     = $dir/certs
+database          = $dir/certs/ecc/index.txt
+serial            = $dir/certs/ecc/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/certs/ca-ecc-key.pem
+certificate       = $dir/certs/ca-ecc-cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/certs/ecc/crlnumber
+crl_extensions    = crl_ext
+default_crl_days  = 1000
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+preserve          = no
+policy            = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = US
+stateOrProvinceName             = Washington
+localityName                    = Seattle
+0.organizationName              = wolfSSL
+organizationalUnitName          = Development
+commonName                      = www.wolfssl.com
+emailAddress                    = info@wolfssl.com
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always

certs/include.am

@@ -21,6 +21,7 @@ EXTRA_DIST += \
 	     certs/dh2048.pem \
 	     certs/server-cert.pem \
 	     certs/server-ecc.pem \
+	     certs/server-ecc-self.pem \
 	     certs/server-ecc-comp.pem \
 	     certs/server-ecc-rsa.pem \
 	     certs/server-keyEnc.pem \
@@ -35,8 +36,8 @@ EXTRA_DIST += \
 	     certs/wolfssl-website-ca.pem \
 	     certs/test-servercert.p12 \
 	     certs/dsaparams.pem \
-             certs/ecc-privOnlyKey.pem \
-             certs/ecc-privOnlyCert.pem \
+	     certs/ecc-privOnlyKey.pem \
+	     certs/ecc-privOnlyCert.pem \
 	     certs/dh3072.pem \
 	     certs/client-cert-3072.pem \
 	     certs/client-key-3072.pem
@@ -58,25 +59,40 @@ EXTRA_DIST += \
 	     certs/server-cert.der \
 	     certs/server-ecc-comp.der \
 	     certs/server-ecc.der \
+	     certs/server-ecc-self.der \
 	     certs/server-ecc-rsa.der \
 	     certs/server-cert-chain.der
 EXTRA_DIST += \
-             certs/ed25519/ca-ed25519.der \
-             certs/ed25519/ca-ed25519-key.der \
-             certs/ed25519/ca-ed25519-key.pem \
-             certs/ed25519/ca-ed25519.pem \
-             certs/ed25519/client-ed25519.der \
-             certs/ed25519/client-ed25519-key.der \
-             certs/ed25519/client-ed25519-key.pem \
-             certs/ed25519/client-ed25519.pem \
-             certs/ed25519/root-ed25519.der \
-             certs/ed25519/root-ed25519-key.der \
-             certs/ed25519/root-ed25519-key.pem \
-             certs/ed25519/root-ed25519.pem \
-             certs/ed25519/server-ed25519.der \
-             certs/ed25519/server-ed25519-key.der \
-             certs/ed25519/server-ed25519-key.pem \
-             certs/ed25519/server-ed25519.pem
+         certs/ed25519/ca-ed25519.der \
+         certs/ed25519/ca-ed25519-key.der \
+         certs/ed25519/ca-ed25519-key.pem \
+         certs/ed25519/ca-ed25519.pem \
+         certs/ed25519/client-ed25519.der \
+         certs/ed25519/client-ed25519-key.der \
+         certs/ed25519/client-ed25519-key.pem \
+         certs/ed25519/client-ed25519.pem \
+         certs/ed25519/root-ed25519.der \
+         certs/ed25519/root-ed25519-key.der \
+         certs/ed25519/root-ed25519-key.pem \
+         certs/ed25519/root-ed25519.pem \
+         certs/ed25519/server-ed25519.der \
+         certs/ed25519/server-ed25519-key.der \
+         certs/ed25519/server-ed25519-key.pem \
+         certs/ed25519/server-ed25519.pem
+
+# ECC CA prime256v1
+EXTRA_DIST += \
+		 certs/ca-ecc-cert.der \
+		 certs/ca-ecc-cert.pem \
+		 certs/ca-ecc-key.der \
+		 certs/ca-ecc-key.pem
+
+# ECC CA SECP384R1
+EXTRA_DIST += \
+		 certs/ca-ecc384-cert.der \
+		 certs/ca-ecc384-cert.pem \
+		 certs/ca-ecc384-key.der \
+		 certs/ca-ecc384-key.pem
 
 dist_doc_DATA+= certs/taoCert.txt
 
@@ -85,3 +101,4 @@ EXTRA_DIST+= certs/ntru-key.raw
 include certs/test/include.am
 include certs/test-pathlen/include.am
 include certs/test/include.am
+include certs/ecc/include.am

certs/server-ecc-self.pem

@@ -0,0 +1,56 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            ef:46:c7:a4:9b:bb:60:d3
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Validity
+            Not Before: Aug 11 20:07:38 2016 GMT
+            Not After : May  8 20:07:38 2019 GMT
+        Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub: 
+                    04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
+                    9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
+                    16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:
+                    21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33:
+                    0b:80:34:89:d8
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
+            X509v3 Authority Key Identifier: 
+                keyid:5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
+                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:EF:46:C7:A4:9B:BB:60:D3
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: ecdsa-with-SHA256
+         30:46:02:21:00:f1:d0:a6:3e:83:33:24:d1:7a:05:5f:1e:0e:
+         bd:7d:6b:33:e9:f2:86:f3:f3:3d:a9:ef:6a:87:31:b3:b7:7e:
+         50:02:21:00:f0:60:dd:ce:a2:db:56:ec:d9:f4:e4:e3:25:d4:
+         b0:c9:25:7d:ca:7a:5d:ba:c4:b2:f6:7d:04:c7:bd:62:c9:20
+-----BEGIN CERTIFICATE-----
+MIIDEDCCArWgAwIBAgIJAO9Gx6Sbu2DTMAoGCCqGSM49BAMCMIGPMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
+A1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx
+MjAwNzM4WhcNMTkwNTA4MjAwNzM4WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx
+DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
+hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
+QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih
+f/DPGNqREQI0huggWDMLgDSJ2KOB9zCB9DAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr
+SiUCI++yiTAwgcQGA1UdIwSBvDCBuYAUXV0m76x+NvmbdhUrSiUCI++yiTChgZWk
+gZIwgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNV
+BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
+LmNvbYIJAO9Gx6Sbu2DTMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIh
+APHQpj6DMyTRegVfHg69fWsz6fKG8/M9qe9qhzGzt35QAiEA8GDdzqLbVuzZ9OTj
+JdSwySV9ynpdusSy9n0Ex71iySA=
+-----END CERTIFICATE-----

certs/server-ecc.pem

@@ -1,13 +1,12 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number:
-            ef:46:c7:a4:9b:bb:60:d3
+        Serial Number: 4096 (0x1000)
     Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+        Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
         Validity
-            Not Before: Aug 11 20:07:38 2016 GMT
-            Not After : May  8 20:07:38 2019 GMT
+            Not Before: Oct 19 19:06:49 2017 GMT
+            Not After : Oct 17 19:06:49 2027 GMT
         Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
@@ -19,38 +18,44 @@ Certificate:
                     21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33:
                     0b:80:34:89:d8
                 ASN1 OID: prime256v1
-                NIST CURVE: P-256
         X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
             X509v3 Subject Key Identifier: 
                 5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
             X509v3 Authority Key Identifier: 
-                keyid:5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30
-                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
-                serial:EF:46:C7:A4:9B:BB:60:D3
+                keyid:FD:9D:85:D5:C1:6F:47:EA:C6:75:96:59:25:37:46:8C:61:DB:E1:C3
+                DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:98:6A:0C:F4:02:43:A6:28
 
-            X509v3 Basic Constraints: 
-                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
     Signature Algorithm: ecdsa-with-SHA256
-         30:46:02:21:00:f1:d0:a6:3e:83:33:24:d1:7a:05:5f:1e:0e:
-         bd:7d:6b:33:e9:f2:86:f3:f3:3d:a9:ef:6a:87:31:b3:b7:7e:
-         50:02:21:00:f0:60:dd:ce:a2:db:56:ec:d9:f4:e4:e3:25:d4:
-         b0:c9:25:7d:ca:7a:5d:ba:c4:b2:f6:7d:04:c7:bd:62:c9:20
+         30:45:02:21:00:ce:09:22:ab:21:c1:30:80:33:4b:b4:75:19:
+         0b:37:e5:18:c6:6a:48:b1:a6:2a:0c:d0:91:96:d3:97:db:75:
+         cf:02:20:03:97:6b:90:e1:2e:20:10:e7:bf:c3:25:97:4d:a8:
+         07:9e:14:86:99:bd:87:98:fd:2e:d2:4d:1f:da:52:92:b9
 -----BEGIN CERTIFICATE-----
-MIIDEDCCArWgAwIBAgIJAO9Gx6Sbu2DTMAoGCCqGSM49BAMCMIGPMQswCQYDVQQG
-EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G
-A1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNz
-bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx
-MjAwNzM4WhcNMTkwNTA4MjAwNzM4WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
-Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx
-DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
-hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
-QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih
-f/DPGNqREQI0huggWDMLgDSJ2KOB9zCB9DAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr
-SiUCI++yiTAwgcQGA1UdIwSBvDCBuYAUXV0m76x+NvmbdhUrSiUCI++yiTChgZWk
-gZIwgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
-DAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNV
-BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
-LmNvbYIJAO9Gx6Sbu2DTMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIh
-APHQpj6DMyTRegVfHg69fWsz6fKG8/M9qe9qhzGzt35QAiEA8GDdzqLbVuzZ9OTj
-JdSwySV9ynpdusSy9n0Ex71iySA=
+MIIDTzCCAvWgAwIBAgICEAAwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
+b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE3MTAx
+OTE5MDY0OVoXDTI3MTAxNzE5MDY0OVowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI
+DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
+MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5oxW5eS
+IX/wzxjakRECNIboIFgzC4A0idijggE1MIIBMTAJBgNVHRMEAjAAMBEGCWCGSAGG
++EIBAQQEAwIGQDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwgcwGA1Ud
+IwSBxDCBwYAU/Z2F1cFvR+rGdZZZJTdGjGHb4cOhgZ2kgZowgZcxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
+VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3
+LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkA
+mGoM9AJDpigwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoG
+CCqGSM49BAMCA0gAMEUCIQDOCSKrIcEwgDNLtHUZCzflGMZqSLGmKgzQkZbTl9t1
+zwIgA5drkOEuIBDnv8Mll02oB54Uhpm9h5j9LtJNH9pSkrk=
 -----END CERTIFICATE-----

certs/test/include.am

@@ -11,3 +11,9 @@ EXTRA_DIST += \
 	     certs/test/gen-ext-certs.sh \
          certs/test/server-duplicate-policy.pem
 
+# The certs/server-cert with the last byte (signature byte) changed
+EXTRA_DIST += \
+         certs/test/server-cert-rsa-badsig.der \
+         certs/test/server-cert-rsa-badsig.pem \
+		 certs/test/server-cert-ecc-badsig.der \
+         certs/test/server-cert-ecc-badsig.pem

certs/test/server-cert-ecc-badsig.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAvWgAwIBAgICEAAwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
+b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE3MTAx
+OTE5MDY0OVoXDTI3MTAxNzE5MDY0OVowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI
+DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
+MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5oxW5eS
+IX/wzxjakRECNIboIFgzC4A0idijggE1MIIBMTAJBgNVHRMEAjAAMBEGCWCGSAGG
++EIBAQQEAwIGQDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwgcwGA1Ud
+IwSBxDCBwYAU/Z2F1cFvR+rGdZZZJTdGjGHb4cOhgZ2kgZowgZcxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
+VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3
+LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkA
+mGoM9AJDpigwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoG
+CCqGSM49BAMCA0gAMEUCIQDOCSKrIcEwgDNLtHUZCzflGMZqSLGmKgzQkZbTl9t1
+zwIgA5drkOEuIBDnv8Mll02oB54Uhpm9h5j9LtJNH9pSkro=
+-----END CERTIFICATE-----

certs/test/server-cert-rsa-badsig.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEnjCCA4agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
+d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx
+MjAwNzM3WhcNMTkwNTA4MjAwNzM3WjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
+BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
+f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
+GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
+QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
+0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
+6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOB/DCB+TAdBgNVHQ4EFgQU
+sxEyyZKYhOLJ+NA7bgNCyh8OjjwwgckGA1UdIwSBwTCBvoAUJ45nEXTDJh0/7TNj
+s6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5h
+MRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwK
+Q29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcN
+AQkBFhBpbmZvQHdvbGZzc2wuY29tggkAt7aQM2YbayMwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOCAQEAUf4q3wd+Q8pmjRXEK9tXsgZtDZBm/6UknBTvgfKk
+q5mpakkgpdJx5xw8mQfHR/zolrT1QjDOOQFL0cLovJWEh85VXZefz3jzVpulCG2s
+9qVcxO8+KjmmSCYpey3gzaaMV0gLuzEywr/ZQ0xHJRiBqMkzgkGbumGG14STFyQl
+NspNY2tPlXnYYOAe9azBiqGxfoWOhyAvCDGtXsZKyGH0ngceoiLtc3yF7vpi3FA2
+qv3HnaoYBPvqzCxom7OpwpbYwcxafvcNngjgnSmLhEaP05Fqtbh6XMxPVQG4mkig
+lEPKJUdSCvf0vrDRcW2lUkplULKtTh3gbAHY+0OA5uQMOA==
+-----END CERTIFICATE-----

configure.ac

@@ -3631,6 +3631,18 @@ fi
 AM_CONDITIONAL([BUILD_TRUST_PEER_CERT], [test "x$have_tp" = "xyes"])
 
 
+# dertermine if we have key validation mechanism
+if test "x$ENABLED_ECC" = "xyes" || test "x$ENABLED_RSA" = "xyes"
+then
+    if test "x$ENABLED_ASN" = "xyes"
+    then
+        ENABLED_PKI="yes"
+    fi
+fi
+AM_CONDITIONAL([BUILD_PKI], [test "x$ENABLED_PKI" = "xyes"])
+
+
+
 ################################################################################
 # Check for build-type conflicts                                               #
 ################################################################################

examples/client/client.c

@@ -736,7 +736,7 @@ static void Usage(void)
 #ifdef HAVE_WNR
     printf("-q <file>   Whitewood config file,      default %s\n", wnrConfig);
 #endif
-    printf("-H          Force use of the default cipher suite list\n");
+    printf("-H <arg>    Internal tests [defCipherList, badCert]\n");
 #ifdef WOLFSSL_TLS13
     printf("-J          Use HelloRetryRequest to choose group for KE\n");
     printf("-K          Key Exchange for PSK not using (EC)DHE\n");
@@ -826,6 +826,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     unsigned char alpn_opt = 0;
     char*  cipherList = NULL;
     int    useDefCipherList = 0;
+    int    useBadCert = 0;
     const char* verifyCert = caCertFile;
     const char* ourCert    = cliCertFile;
     const char* ourKey     = cliKeyFile;
@@ -887,7 +888,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     ((func_args*)args)->return_code = -1; /* error state */
 
 #ifdef NO_RSA
-    verifyCert = (char*)eccCertFile;
+    verifyCert = (char*)caEccCertFile;
     ourCert    = (char*)cliEccCertFile;
     ourKey     = (char*)cliEccKeyFile;
 #endif
@@ -910,6 +911,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     (void)updateKeysIVs;
     (void)useX25519;
     (void)helloRetry;
+    (void)useBadCert;
 
     StackTrap();
 
@@ -917,7 +919,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     /* Not used: All used */
     while ((ch = mygetopt(argc, argv, "?"
             "ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz"
-            "A:B:CDE:F:GHIJKL:M:NO:PQRS:TUVW:XYZ:"
+            "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
             "03:")) != -1) {
         switch (ch) {
             case '?' :
@@ -1026,7 +1028,18 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                 break;
 
             case 'H' :
-                useDefCipherList = 1;
+                if (XSTRNCMP(myoptarg, "defCipherList", 13) == 0) {
+                    printf("Using default cipher list for testing\n");
+                    useDefCipherList = 1;
+                }
+                else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) {
+                    printf("Using bad certificate for testing\n");
+                    useBadCert = 1;
+                }
+                else {
+                    Usage();
+                    exit(MY_EX_USAGE);
+                }
                 break;
 
             case 'A' :
@@ -1461,7 +1474,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                 defaultCipherList = "PSK-AES128-CBC-SHA256";
         #endif
             if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList)
-                                                                !=WOLFSSL_SUCCESS) {
+                                                            !=WOLFSSL_SUCCESS) {
                 wolfSSL_CTX_free(ctx);
                 err_sys("client can't set cipher list 2");
             }
@@ -1477,7 +1490,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         if (cipherList == NULL || (cipherList && useDefCipherList)) {
             wolfSSL_CTX_allow_anon_cipher(ctx);
             if (wolfSSL_CTX_set_cipher_list(ctx,"ADH-AES128-SHA")
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
                 wolfSSL_CTX_free(ctx);
                 err_sys("client can't set cipher list 4");
             }
@@ -1531,7 +1544,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     if (useClientCert){
 #if !defined(NO_FILESYSTEM)
         if (wolfSSL_CTX_use_certificate_chain_file(ctx, ourCert)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("can't load client cert file, check file and run from"
                     " wolfSSL home dir");
@@ -1549,10 +1562,19 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif  /* !defined(NO_FILESYSTEM) */
     }
 
+    /* for testing only - use client cert as CA to force no signer error */
+    if (useBadCert) {
+    #if !defined(NO_RSA)
+        verifyCert = "./certs/client-cert.pem";
+    #elif defined(HAVE_ECC)
+        verifyCert = "./certs/client-ecc-cert.pem";
+    #endif
+    }
+
     if (!usePsk && !useAnon && !useVerifyCb) {
 #if !defined(NO_FILESYSTEM)
         if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("can't load ca file, Please run from wolfSSL home dir");
         }
@@ -1562,7 +1584,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #ifdef HAVE_ECC
         /* load ecc verify too, echoserver uses it by default w/ ecc */
 #if !defined(NO_FILESYSTEM)
-        if (wolfSSL_CTX_load_verify_locations(ctx, eccCertFile, 0) != WOLFSSL_SUCCESS) {
+        if (wolfSSL_CTX_load_verify_locations(ctx, eccCertFile, 0)
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("can't load ecc ca file, Please run from wolfSSL home dir");
         }
@@ -1573,7 +1596,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #if defined(WOLFSSL_TRUST_PEER_CERT) && !defined(NO_FILESYSTEM)
         if (trustCert) {
             if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert,
-                                            WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
+                                    WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
                 wolfSSL_CTX_free(ctx);
                 err_sys("can't load trusted peer cert file");
             }
@@ -1599,7 +1622,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #ifdef HAVE_SNI
     if (sniHostName)
         if (wolfSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName))
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("UseSNI failed");
     }
@@ -1634,11 +1657,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #if defined(HAVE_CURVE25519) && defined(HAVE_SUPPORTED_CURVES)
     if (useX25519) {
         if (wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_X25519)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             err_sys("unable to support X25519");
         }
         if (wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256R1)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             err_sys("unable to support secp256r1");
         }
     }
@@ -1688,7 +1711,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     if (doMcast) {
 #ifdef WOLFSSL_MULTICAST
         wolfSSL_CTX_mcast_set_member_id(ctx, mcastID);
-        if (wolfSSL_CTX_set_cipher_list(ctx, "WDM-NULL-SHA256") != WOLFSSL_SUCCESS) {
+        if (wolfSSL_CTX_set_cipher_list(ctx, "WDM-NULL-SHA256")
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("Couldn't set multicast cipher list.");
         }
@@ -1733,7 +1757,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         }
         if (onlyKeyShare == 0 || onlyKeyShare == 1) {
         #ifdef HAVE_FFDHE_2048
-            if (wolfSSL_UseKeyShare(ssl, WOLFSSL_FFDHE_2048) != WOLFSSL_SUCCESS) {
+            if (wolfSSL_UseKeyShare(ssl, WOLFSSL_FFDHE_2048)
+                                                           != WOLFSSL_SUCCESS) {
                 err_sys("unable to use DH 2048-bit parameters");
             }
         #endif
@@ -1756,7 +1781,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         XMEMSET(sr, 0x5A, sizeof(sr));
 
         if (wolfSSL_set_secret(ssl, 1, pms, sizeof(pms), cr, sr, suite)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_CTX_free(ctx);
             err_sys("unable to set mcast secret");
         }
@@ -1778,7 +1803,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         switch (statusRequest) {
             case WOLFSSL_CSR_OCSP:
                 if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
-                                   WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) {
+                               WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) {
                     wolfSSL_free(ssl);
                     wolfSSL_CTX_free(ctx);
                     err_sys("UseCertificateStatusRequest failed");
@@ -1796,7 +1821,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             case WOLFSSL_CSR2_OCSP:
                 if (wolfSSL_UseOCSPStaplingV2(ssl,
                     WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
                     wolfSSL_free(ssl);
                     wolfSSL_CTX_free(ctx);
                     err_sys("UseCertificateStatusRequest failed");
@@ -1805,7 +1830,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             case WOLFSSL_CSR2_OCSP_MULTI:
                 if (wolfSSL_UseOCSPStaplingV2(ssl,
                     WOLFSSL_CSR2_OCSP_MULTI, 0)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
                     wolfSSL_free(ssl);
                     wolfSSL_CTX_free(ctx);
                     err_sys("UseCertificateStatusRequest failed");
@@ -1846,7 +1871,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             err_sys("can't enable crl check");
         }
         if (wolfSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, 0)
-                                                               != WOLFSSL_SUCCESS) {
+                                                           != WOLFSSL_SUCCESS) {
             wolfSSL_free(ssl);
             wolfSSL_CTX_free(ctx);
             err_sys("can't load crl, check crlfile and date validity");

examples/echoclient/echoclient.c

@@ -139,7 +139,7 @@ void echoclient_test(void* args)
         err_sys("can't load ca file, Please run from wolfSSL home dir");
     #endif
     #ifdef HAVE_ECC
-        if (SSL_CTX_load_verify_locations(ctx, eccCertFile, 0) != WOLFSSL_SUCCESS)
+        if (SSL_CTX_load_verify_locations(ctx, caEccCertFile, 0) != WOLFSSL_SUCCESS)
             err_sys("can't load ca file, Please run from wolfSSL home dir");
     #endif
 #elif !defined(NO_CERTS)

examples/server/server.c

@@ -411,7 +411,7 @@ static void Usage(void)
 #endif
     printf("-g          Return basic HTML web page\n");
     printf("-C <num>    The number of connections to accept, default: 1\n");
-    printf("-H          Force use of the default cipher suite list\n");
+    printf("-H <arg>    Internal tests [defCipherList, badCert]\n");
 #ifdef WOLFSSL_TLS13
     printf("-K          Key Exchange for PSK not using (EC)DHE\n");
     printf("-U          Update keys and IVs before sending\n");
@@ -481,6 +481,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     unsigned char alpn_opt = 0;
     char*  cipherList = NULL;
     int    useDefCipherList = 0;
+    int    useBadCert = 0;
     const char* verifyCert = cliCertFile;
     const char* ourCert    = svrCertFile;
     const char* ourKey     = svrKeyFile;
@@ -561,6 +562,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     (void)readySignal;
     (void)updateKeysIVs;
     (void)mcastID;
+    (void)useBadCert;
 
 #ifdef CYASSL_TIRTOS
     fdOpenSession(Task_self());
@@ -572,7 +574,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     /* Not Used: h, m, t, y, z, F, M, T, V, W, X, Y */
     while ((ch = mygetopt(argc, argv, "?"
                 "abc:defgijk:l:nop:q:rsuv:wx"
-                "A:B:C:D:E:GHIJKL:NO:PQR:S:UYZ:"
+                "A:B:C:D:E:GH:IJKL:NO:PQR:S:UYZ:"
                 "03:")) != -1) {
         switch (ch) {
             case '?' :
@@ -656,7 +658,18 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
                 break;
 
             case 'H' :
-                useDefCipherList = 1;
+                if (XSTRNCMP(myoptarg, "defCipherList", 13) == 0) {
+                    printf("Using default cipher list for testing\n");
+                    useDefCipherList = 1;
+                }
+                else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) {
+                    printf("Using bad certificate for testing\n");
+                    useBadCert = 1;
+                }
+                else {
+                    Usage();
+                    exit(MY_EX_USAGE);
+                }
                 break;
 
             case 'A' :
@@ -969,6 +982,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #endif
 
 #if !defined(NO_CERTS)
+    /* for testing only - use bad cert as server cert for sig confirm err */
+    if (useBadCert) {
+    #if !defined(NO_RSA)
+        ourCert = "./certs/test/server-cert-rsa-badsig.pem";
+    #elif defined(HAVE_ECC)
+        ourCert = "./certs/test/server-cert-ecc-badsig.pem";
+    #endif
+    }
+
     if ((!usePsk || usePskPlus) && !useAnon) {
     #if !defined(NO_FILESYSTEM)
         if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
@@ -1063,8 +1085,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
        if using PSK Plus then verify peer certs except PSK suites */
     if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) {
         SSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER |
-                                ((usePskPlus)? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
-                                WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT),0);
+                            (usePskPlus ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
+                                WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), 0);
         if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != WOLFSSL_SUCCESS)
             err_sys_ex(runWithErrors, "can't load ca file, Please run from wolfSSL home dir");
         #ifdef WOLFSSL_TRUST_PEER_CERT

gencertbuf.pl

@@ -26,7 +26,19 @@ my @fileList_ecc = (
         [ "./certs/ecc-keyPub.der",        "ecc_key_pub_der_256" ],
         [ "./certs/server-ecc-comp.der",   "serv_ecc_comp_der_256" ],
         [ "./certs/server-ecc-rsa.der",    "serv_ecc_rsa_der_256" ],
-        [ "./certs/server-ecc.der",        "serv_ecc_der_256" ]
+        [ "./certs/server-ecc.der",        "serv_ecc_der_256" ],
+        [ "./certs/ca-ecc-key.der",        "ca_ecc_key_der_256" ],
+        [ "./certs/ca-ecc-cert.der",       "ca_ecc_cert_der_256" ],
+        [ "./certs/ca-ecc384-key.der",     "ca_ecc_key_der_384" ],
+        [ "./certs/ca-ecc384-cert.der",    "ca_ecc_cert_der_384" ]
+        );
+
+
+# ed25519 keys and certs
+# Used with HAVE_ED25519 define.
+my @fileList_ed = (
+        [ "./certs/ed25519/server-ed25519.der",    "server_ed25519_cert" ],
+        [ "./certs/ed25519/ca-ed25519.der",        "ca_ed25519_cert" ]
         );
 
 # 1024-bit certs/keys to be converted
@@ -64,6 +76,7 @@ my @fileList_2048 = (
 # ----------------------------------------------------------------------------
 
 my $num_ecc = @fileList_ecc;
+my $num_ed = @fileList_ed;
 my $num_1024 = @fileList_1024;
 my $num_2048 = @fileList_2048;
 
@@ -109,7 +122,7 @@ for (my $i = 0; $i < $num_2048; $i++) {
 
 print OUT_FILE "#endif /* USE_CERT_BUFFERS_2048 */\n\n";
 
-# convert and print 256-bit cert/keys
+# convert and print ECC cert/keys
 print OUT_FILE "#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)\n\n";
 for (my $i = 0; $i < $num_ecc; $i++) {
 
@@ -147,6 +160,23 @@ static const unsigned char dh_g[] =
 {
   0x02,
 };\n\n";
+
+# convert and print ed25519 cert/keys
+print OUT_FILE "#if defined(HAVE_ED25519)\n\n";
+for (my $i = 0; $i < $num_ed; $i++) {
+
+    my $fname = $fileList_ed[$i][0];
+    my $sname = $fileList_ed[$i][1];
+
+    print OUT_FILE "/* $fname, ED25519 */\n";
+    print OUT_FILE "static const unsigned char $sname\[] =\n";
+    print OUT_FILE "{\n";
+    file_to_hex($fname);
+    print OUT_FILE "};\n";
+    print OUT_FILE "static const int sizeof_$sname = sizeof($sname);\n\n";
+}
+print OUT_FILE "#endif /* HAVE_ED25519 */\n\n";
+
 print OUT_FILE "#endif /* WOLFSSL_CERTS_TEST_H */\n\n";
 
 # close certs_test.h file

scripts/include.am

@@ -11,6 +11,12 @@ endif
 if BUILD_EXAMPLE_SERVERS
 
 dist_noinst_SCRIPTS+= scripts/resume.test
+
+# only run this test if we have the ability to support cert validation
+if BUILD_PKI
+dist_noinst_SCRIPTS+= scripts/tls-cert-fail.test
+endif
+
 EXTRA_DIST+= scripts/benchmark.test
 
 if BUILD_CRL

scripts/openssl.test

@@ -269,9 +269,12 @@ do
         psk=""
         adh=""
         port=$openssl_port
+        caCert=""
         case $wolfSuite in
         *ECDH-RSA*)
             port=$ecdh_port ;;
+        *ECDHE-ECDSA*|*ECDH-ECDSA*)
+            caCert="-A./certs/ca-ecc-cert.pem" ;;
         *PSK*)
             psk="-s " ;;
         *ADH*)
@@ -280,10 +283,10 @@ do
 
         if [ $version -lt 4 ]
         then
-            ./examples/client/client -p $port -g -r -l $wolfSuite -v $version $psk $adh
+            ./examples/client/client -p $port -g -r -l $wolfSuite -v $version $psk $adh $caCert
         else
             # do all versions
-            ./examples/client/client -p $port -g -r -l $wolfSuite $psk $adh
+            ./examples/client/client -p $port -g -r -l $wolfSuite $psk $adh $caCert
         fi
 
         client_result=$?

scripts/tls-cert-fail.test

@@ -0,0 +1,173 @@
+#!/bin/sh
+
+#tls-cert-fail.test
+
+asn_no_signer_e="-188"
+asn_sig_confirm_e="-155"
+exit_code=1
+counter=0
+
+# need a unique resume port since may run the same time as testsuite
+# use server port zero hack to get one
+tls_port=0
+
+#no_pid tells us process was never started if -1
+no_pid=-1
+
+#server_pid captured on startup, stores the id of the server process
+server_pid=$no_pid
+
+# let's use absolute path to a local dir (make distcheck may be in sub dir)
+# also let's add some randomness by adding pid in case multiple 'make check's
+# per source tree
+ready_file=`pwd`/wolfssl_tls_ready$$
+
+remove_ready_file() {
+    if test -e $ready_file; then
+        echo -e "removing existing ready file"
+        rm $ready_file
+    fi
+}
+
+# trap this function so if user aborts with ^C or other kill signal we still
+# get an exit that will in turn clean up the file system
+abort_trap() {
+    echo "script aborted"
+
+    if  [ $server_pid != $no_pid ]
+    then
+        echo "killing server"
+        kill -9 $server_pid
+    fi
+
+    exit_code=2 #different exit code in case of user interrupt
+
+    echo "got abort signal, exiting with $exit_code"
+    exit $exit_code
+}
+trap abort_trap INT TERM
+
+
+# trap this function so that if we exit on an error the file system will still
+# be restored and the other tests may still pass. Never call this function
+# instead use "exit <some value>" and this function will run automatically
+restore_file_system() {
+    remove_ready_file
+}
+trap restore_file_system EXIT
+
+run_tls_no_signer_test() {
+    echo -e "\nStarting example server for tls no signer fail test...\n"
+
+    remove_ready_file
+
+    # starts the server on tls_port, -R generates ready file to be used as a
+    # mutex lock. We capture the processid into the variable server_pid
+    ./examples/server/server -R $ready_file -p $tls_port &
+    server_pid=$!
+
+    while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+        echo -e "waiting for ready file..."
+        sleep 0.1
+        counter=$((counter+ 1))
+    done
+
+    if test -e $ready_file; then
+        echo -e "found ready file, starting client..."
+    else
+        echo -e "NO ready file ending test..."
+        exit 1
+    fi
+
+    # get created port 0 ephemeral port
+    tls_port=`cat $ready_file`
+
+    # starts client on tls_port and captures the output from client
+    capture_out=$(./examples/client/client -p $tls_port -H badCert 2>&1)
+    client_result=$?
+
+    wait $server_pid
+    server_result=$?
+
+    case  "$capture_out" in
+    *$asn_no_signer_e*)
+        # only exit with zero on detection of the expected error code
+        echo ""
+        echo "$capture_out"
+        echo ""
+        echo "No signer error as expected! Test pass"
+        echo ""
+        exit_code=0
+        ;;
+    *)
+        echo ""
+        echo "Client did not return asn_no_signer_e as expected: $capture_out"
+        echo ""
+        exit_code=1
+    esac
+}
+
+run_tls_sig_confirm_test() {
+    echo -e "\nStarting example server for tls sig confirm fail test...\n"
+
+    remove_ready_file
+
+    # starts the server on tls_port, -R generates ready file to be used as a
+    # mutex lock. We capture the processid into the variable server_pid
+    ./examples/server/server -R $ready_file -p $tls_port -H badCert &
+    server_pid=$!
+
+    while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+        echo -e "waiting for ready file..."
+        sleep 0.1
+        counter=$((counter+ 1))
+    done
+
+    if test -e $ready_file; then
+        echo -e "found ready file, starting client..."
+    else
+        echo -e "NO ready file ending test..."
+        exit 1
+    fi
+
+    # get created port 0 ephemeral port
+    tls_port=`cat $ready_file`
+
+    # starts client on tls_port and captures the output from client
+    capture_out=$(./examples/client/client -p $tls_port 2>&1)
+    client_result=$?
+
+    wait $server_pid
+    server_result=$?
+
+    case  "$capture_out" in
+    *$asn_sig_confirm_e*)
+        # only exit with zero on detection of the expected error code
+        echo ""
+        echo "$capture_out"
+        echo ""
+        echo "Sig confirm error as expected! Test pass"
+        echo ""
+        exit_code=0
+        ;;
+    *)
+        echo ""
+        echo "Client did not return asn_sig_confirm_e as expected: $capture_out"
+        echo ""
+        exit_code=1
+    esac
+}
+
+
+######### begin program #########
+
+# run the test
+run_tls_no_signer_test
+
+tls_port=0
+run_tls_sig_confirm_test
+
+echo "exiting with $exit_code"
+exit $exit_code
+########## end program ##########
+

scripts/tls13.test

@@ -181,7 +181,7 @@ port=0
 ./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port &
 server_pid=$!
 create_port
-./examples/client/client -v 4 -A certs/server-ecc.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port
+./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port
 RESULT=$?
 remove_ready_file
 if [ $RESULT -ne 0 ]; then

tests/api.c

@@ -10641,7 +10641,7 @@ static void test_wc_ecc_get_curve_id_from_params(void)
     {
         int ret = 0;
         /* self-signed ECC cert, so use server cert as CA */
-        const char* ca_cert = "./certs/server-ecc.pem";
+        const char* ca_cert = "./certs/ca-ecc-cert.pem";
         const char* server_cert = "./certs/server-ecc.der";
         byte* cert_buf = NULL;
         size_t cert_sz = 0;

tests/suites.c

@@ -54,7 +54,7 @@ static char flagSep[] = " ";
     static char portFlag[] = "-p";
     static char svrPort[] = "0";
 #endif
-static char forceDefCipherListFlag[] = "-H";
+static char forceDefCipherListFlag[] = "-HdefCipherList";
 
 #ifdef WOLFSSL_ASYNC_CRYPT
     static int devId = INVALID_DEVID;

tests/test-dtls.conf

@@ -29,7 +29,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 DHE-PSK-CHACHA20-POLY1305
 -u
@@ -98,7 +98,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1 IDEA-CBC-SHA
 -u
@@ -291,7 +291,7 @@
 -u
 -v 1
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-NULL-SHA
 -u
@@ -304,7 +304,7 @@
 -u
 -v 2
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -u
@@ -317,7 +317,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-DES3
 -u
@@ -330,7 +330,7 @@
 -u
 -v 2
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-AES128
 -u
@@ -343,7 +343,7 @@
 -u
 -v 2
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-AES256
 -u
@@ -356,7 +356,7 @@
 -u
 -v 2
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-DES3
 -u
@@ -369,7 +369,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128
 -u
@@ -382,7 +382,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -u
@@ -395,7 +395,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256
 -u
@@ -408,7 +408,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-RSA-DES3
 -u
@@ -505,7 +505,7 @@
 -u
 -v 2
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-AES128
 -u
@@ -518,7 +518,7 @@
 -u
 -v 2
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-AES256
 -u
@@ -531,7 +531,7 @@
 -u
 -v 2
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-DES3
 -u
@@ -544,7 +544,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128
 -u
@@ -557,7 +557,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128-SHA256
 -u
@@ -570,7 +570,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES256
 -u
@@ -583,7 +583,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-RSA-AES256-SHA384
 -u
@@ -606,7 +606,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-RSA-AES256-SHA384
 -u
@@ -631,7 +631,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-PSK-AES128-SHA256
 -s
@@ -788,7 +788,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -u
@@ -801,7 +801,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
 -u
@@ -814,7 +814,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -u
@@ -827,7 +827,7 @@
 -u
 -v 3
 -l ECDH-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 -u
@@ -908,7 +908,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-CCM
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -u
@@ -921,7 +921,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES128-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -u
@@ -934,7 +934,7 @@
 -u
 -v 3
 -l ECDHE-ECDSA-AES256-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ADH-AES128-SHA
 -u

tests/test-qsh.conf

@@ -53,7 +53,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-OLD
 -v 3
 -l QSH:ECDHE-ECDSA-CHACHA20-POLY1305-OLD
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 DHE-RSA-CHACHA20-POLY1305
 -v 3
@@ -80,7 +80,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
 -v 3
 -l QSH:ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server SSLv3 RC4-SHA
 -v 0
@@ -339,7 +339,7 @@
 # client TLSv1 ECDHE-ECDSA-NULL-SHA
 -v 1
 -l QSH:ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-NULL-SHA
 -v 2
@@ -350,7 +350,7 @@
 # client TLSv1 ECDHE-ECDSA-NULL-SHA
 -v 2
 -l QSH:ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -v 3
@@ -361,7 +361,7 @@
 # client TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -v 3
 -l QSH:ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-RSA-RC4
 -v 2
@@ -444,7 +444,7 @@
 # client TLSv1 ECDHE-ECDSA-RC4
 -v 1
 -l QSH:ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-DES3
 -v 1
@@ -455,7 +455,7 @@
 # client TLSv1 ECDHE-ECDSA-DES3
 -v 1
 -l QSH:ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES128 
 -v 1
@@ -466,7 +466,7 @@
 # client TLSv1 ECDHE-ECDSA-AES128 
 -v 1
 -l QSH:ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES256
 -v 1
@@ -477,7 +477,7 @@
 # client TLSv1 ECDHE-ECDSA-AES256
 -v 1
 -l QSH:ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-EDCSA-RC4
 -v 2
@@ -488,7 +488,7 @@
 # client TLSv1.1 ECDHE-ECDSA-RC4
 -v 2
 -l QSH:ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-DES3
 -v 2
@@ -499,7 +499,7 @@
 # client TLSv1.1 ECDHE-ECDSA-DES3
 -v 2
 -l QSH:ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES128 
 -v 2
@@ -510,7 +510,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES128 
 -v 2
 -l QSH:ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES256
 -v 2
@@ -521,7 +521,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES256
 -v 2
 -l QSH:ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
@@ -532,7 +532,7 @@
 # client TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
 -l QSH:ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-DES3
 -v 3
@@ -543,7 +543,7 @@
 # client TLSv1.2 ECDHE-ECDSA-DES3
 -v 3
 -l QSH:ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128 
 -v 3
@@ -554,7 +554,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128 
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3
@@ -565,7 +565,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256
 -v 3
@@ -576,7 +576,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256
 -v 3
 -l QSH:ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-RSA-RC4
 -v 1
@@ -717,7 +717,7 @@
 # client TLSv1 ECDH-ECDSA-RC4
 -v 1
 -l QSH:ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-DES3
 -v 1
@@ -728,7 +728,7 @@
 # client TLSv1 ECDH-ECDSA-DES3
 -v 1
 -l QSH:ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-AES128 
 -v 1
@@ -739,7 +739,7 @@
 # client TLSv1 ECDH-ECDSA-AES128 
 -v 1
 -l QSH:ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-AES256
 -v 1
@@ -750,7 +750,7 @@
 # client TLSv1 ECDH-ECDSA-AES256
 -v 1
 -l QSH:ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-EDCSA-RC4
 -v 2
@@ -761,7 +761,7 @@
 # client TLSv1.1 ECDH-ECDSA-RC4
 -v 2
 -l QSH:ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-DES3
 -v 2
@@ -772,7 +772,7 @@
 # client TLSv1.1 ECDH-ECDSA-DES3
 -v 2
 -l QSH:ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-AES128 
 -v 2
@@ -783,7 +783,7 @@
 # client TLSv1.1 ECDH-ECDSA-AES128 
 -v 2
 -l QSH:ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-AES256
 -v 2
@@ -794,7 +794,7 @@
 # client TLSv1.1 ECDH-ECDSA-AES256
 -v 2
 -l QSH:ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
@@ -805,7 +805,7 @@
 # client TLSv1.2 ECDH-ECDSA-RC4
 -v 3
 -l QSH:ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-DES3
 -v 3
@@ -816,7 +816,7 @@
 # client TLSv1.2 ECDH-ECDSA-DES3
 -v 3
 -l QSH:ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128 
 -v 3
@@ -827,7 +827,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128 
 -v 3
 -l QSH:ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128-SHA256
 -v 3
@@ -838,7 +838,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128-SHA256 
 -v 3
 -l QSH:ECDH-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES256
 -v 3
@@ -849,7 +849,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256
 -v 3
 -l QSH:ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-RSA-AES256-SHA384
 -v 3
@@ -868,7 +868,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-SHA384
 -v 3
 -l QSH:ECDHE-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-RSA-AES256-SHA384 
 -v 3
@@ -889,7 +889,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256-SHA384 
 -v 3
 -l QSH:ECDH-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 HC128-SHA
 -v 1
@@ -1646,7 +1646,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -v 3
@@ -1657,7 +1657,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -v 3
 -l QSH:ECDHE-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 
 -v 3
@@ -1668,7 +1668,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 
 -v 3
 -l QSH:ECDH-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -v 3
@@ -1679,7 +1679,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -v 3
 -l QSH:ECDH-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 
 -v 3
@@ -1778,7 +1778,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-CCM
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-CCM
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -v 3
@@ -1789,7 +1789,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -v 3
 -l QSH:ECDHE-ECDSA-AES128-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -v 3
@@ -1800,7 +1800,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -v 3
 -l QSH:ECDHE-ECDSA-AES256-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 PSK-AES128-CCM
 -s

tests/test-sctp.conf

@@ -29,7 +29,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 DHE-RSA-CHACHA20-POLY1305
 -G
@@ -62,7 +62,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 DHE-PSK-CHACHA20-POLY1305
 -G
@@ -131,7 +131,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1 RC4-SHA
 -G
@@ -364,7 +364,7 @@
 -G
 -v 1
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-NULL-SHA
 -G
@@ -377,7 +377,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -G
@@ -390,7 +390,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-EDCSA-RC4
 -G
@@ -403,7 +403,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-DES3
 -G
@@ -416,7 +416,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-AES128 
 -G
@@ -429,7 +429,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDHE-ECDSA-AES256
 -G
@@ -442,7 +442,7 @@
 -G
 -v 2
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-RC4
 -G
@@ -455,7 +455,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-DES3
 -G
@@ -468,7 +468,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128 
 -G
@@ -481,7 +481,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -G
@@ -494,7 +494,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256
 -G
@@ -507,7 +507,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-RSA-RC4
 -G
@@ -628,7 +628,7 @@
 -G
 -v 2
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-DES3
 -G
@@ -641,7 +641,7 @@
 -G
 -v 2
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-AES128 
 -G
@@ -654,7 +654,7 @@
 -G
 -v 2
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.1 ECDH-ECDSA-AES256
 -G
@@ -667,7 +667,7 @@
 -G
 -v 2
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-RC4
 -G
@@ -680,7 +680,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-DES3
 -G
@@ -693,7 +693,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128 
 -G
@@ -706,7 +706,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128-SHA256
 -G
@@ -719,7 +719,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES256
 -G
@@ -732,7 +732,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-RSA-AES256-SHA384 
 -G
@@ -755,7 +755,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-RSA-AES256-SHA384 
 -G
@@ -780,7 +780,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-PSK-AES128-SHA256
 -s
@@ -937,7 +937,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -G
@@ -950,7 +950,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 
 -G
@@ -963,7 +963,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -G
@@ -976,7 +976,7 @@
 -G
 -v 3
 -l ECDH-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 
 -G
@@ -1057,7 +1057,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-CCM
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -G
@@ -1070,7 +1070,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES128-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -G
@@ -1083,7 +1083,7 @@
 -G
 -v 3
 -l ECDHE-ECDSA-AES256-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server DTLSv1.2 ADH-AES128-SHA
 -G

tests/test-sig.conf

@@ -18,7 +18,7 @@
 # client TLSv1 ECDHE-ECDSA-AES128
 -v 1
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES128
 -v 1
@@ -62,7 +62,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES128
 -v 2
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES128
 -v 2
@@ -106,7 +106,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128
 -v 3
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3

tests/test-tls13.conf

@@ -47,7 +47,7 @@
 # client TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
 -v 4
 -l TLS13-CHACH20-POLY1305-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4
@@ -58,7 +58,7 @@
 # client TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4
 -l TLS13-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES256-GCM-SHA384
 -v 4
@@ -69,7 +69,7 @@
 # client TLSv1.3 TLS13-AES256-GCM-SHA384
 -v 4
 -l TLS13-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES128-CCM-SHA256
 -v 4
@@ -80,7 +80,7 @@
 # client TLSv1.3 TLS13-AES128-CCM-SHA256
 -v 4
 -l TLS13-AES128-CCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES128-CCM-8-SHA256
 -v 4
@@ -91,7 +91,7 @@
 # client TLSv1.3 TLS13-AES128-CCM-8-SHA256
 -v 4
 -l TLS13-AES128-CCM-8-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4
@@ -102,7 +102,7 @@
 # client TLSv1.3 TLS13-AES128-GCM-SHA256
 -v 4
 -l TLS13-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 -t
 
 # server TLSv1.3 accepting EarlyData

tests/test.conf

@@ -23,7 +23,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 DHE-PSK-CHACHA20-POLY1305
 -v 3
@@ -80,7 +80,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-OLD
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server SSLv3 RC4-SHA
 -v 0
@@ -411,7 +411,7 @@
 # client TLSv1 ECDHE-ECDSA-NULL-SHA
 -v 1
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-NULL-SHA
 -v 2
@@ -422,7 +422,7 @@
 # client TLSv1 ECDHE-ECDSA-NULL-SHA
 -v 2
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -v 3
@@ -433,7 +433,7 @@
 # client TLSv1.2 ECDHE-ECDSA-NULL-SHA
 -v 3
 -l ECDHE-ECDSA-NULL-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-RC4
 -v 1
@@ -444,7 +444,7 @@
 # client TLSv1 ECDHE-ECDSA-RC4
 -v 1
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-DES3
 -v 1
@@ -455,7 +455,7 @@
 # client TLSv1 ECDHE-ECDSA-DES3
 -v 1
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES128
 -v 1
@@ -466,7 +466,7 @@
 # client TLSv1 ECDHE-ECDSA-AES128
 -v 1
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDHE-ECDSA-AES256
 -v 1
@@ -477,7 +477,7 @@
 # client TLSv1 ECDHE-ECDSA-AES256
 -v 1
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-EDCSA-RC4
 -v 2
@@ -488,7 +488,7 @@
 # client TLSv1.1 ECDHE-ECDSA-RC4
 -v 2
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-DES3
 -v 2
@@ -499,7 +499,7 @@
 # client TLSv1.1 ECDHE-ECDSA-DES3
 -v 2
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES128
 -v 2
@@ -510,7 +510,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES128
 -v 2
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDHE-ECDSA-AES256
 -v 2
@@ -521,7 +521,7 @@
 # client TLSv1.1 ECDHE-ECDSA-AES256
 -v 2
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
@@ -532,7 +532,7 @@
 # client TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
 -l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-DES3
 -v 3
@@ -543,7 +543,7 @@
 # client TLSv1.2 ECDHE-ECDSA-DES3
 -v 3
 -l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128
 -v 3
@@ -554,7 +554,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128
 -v 3
 -l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3
@@ -565,7 +565,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-SHA256
 -v 3
 -l ECDHE-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256
 -v 3
@@ -576,7 +576,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256
 -v 3
 -l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-RSA-RC4
 -v 1
@@ -717,7 +717,7 @@
 # client TLSv1 ECDH-ECDSA-RC4
 -v 1
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-DES3
 -v 1
@@ -728,7 +728,7 @@
 # client TLSv1 ECDH-ECDSA-DES3
 -v 1
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-AES128
 -v 1
@@ -739,7 +739,7 @@
 # client TLSv1 ECDH-ECDSA-AES128
 -v 1
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 ECDH-ECDSA-AES256
 -v 1
@@ -750,7 +750,7 @@
 # client TLSv1 ECDH-ECDSA-AES256
 -v 1
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-EDCSA-RC4
 -v 2
@@ -761,7 +761,7 @@
 # client TLSv1.1 ECDH-ECDSA-RC4
 -v 2
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-DES3
 -v 2
@@ -772,7 +772,7 @@
 # client TLSv1.1 ECDH-ECDSA-DES3
 -v 2
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-AES128
 -v 2
@@ -783,7 +783,7 @@
 # client TLSv1.1 ECDH-ECDSA-AES128
 -v 2
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.1 ECDH-ECDSA-AES256
 -v 2
@@ -794,7 +794,7 @@
 # client TLSv1.1 ECDH-ECDSA-AES256
 -v 2
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-RC4
 -v 3
@@ -805,7 +805,7 @@
 # client TLSv1.2 ECDH-ECDSA-RC4
 -v 3
 -l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-DES3
 -v 3
@@ -816,7 +816,7 @@
 # client TLSv1.2 ECDH-ECDSA-DES3
 -v 3
 -l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128
 -v 3
@@ -827,7 +827,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128
 -v 3
 -l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128-SHA256
 -v 3
@@ -838,7 +838,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128-SHA256
 -v 3
 -l ECDH-ECDSA-AES128-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES256
 -v 3
@@ -849,7 +849,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256
 -v 3
 -l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-RSA-AES256-SHA384
 -v 3
@@ -868,7 +868,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-SHA384
 -v 3
 -l ECDHE-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-RSA-AES256-SHA384
 -v 3
@@ -889,7 +889,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256-SHA384
 -v 3
 -l ECDH-ECDSA-AES256-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1 HC128-SHA
 -v 1
@@ -1662,7 +1662,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -v 3
@@ -1673,7 +1673,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
 -v 3
 -l ECDHE-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
 -v 3
@@ -1684,7 +1684,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
 -v 3
 -l ECDH-ECDSA-AES128-GCM-SHA256
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -v 3
@@ -1695,7 +1695,7 @@
 # client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
 -v 3
 -l ECDH-ECDSA-AES256-GCM-SHA384
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 -v 3
@@ -1794,7 +1794,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-CCM
 -v 3
 -l ECDHE-ECDSA-AES128-CCM
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -v 3
@@ -1805,7 +1805,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
 -v 3
 -l ECDHE-ECDSA-AES128-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -v 3
@@ -1816,7 +1816,7 @@
 # client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8
 -v 3
 -l ECDHE-ECDSA-AES256-CCM-8
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 
 # server TLSv1.2 PSK-AES128-CCM
 -s
@@ -2187,7 +2187,7 @@
 # client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--A ./certs/server-ecc.pem
+-A ./certs/ca-ecc-cert.pem
 -t
 
 # server TLSv1.2 private-only key

wolfcrypt/src/asn.c

@@ -162,7 +162,8 @@ ASN Options:
     #define XTIME(t1)       mqx_time((t1))
     #define HAVE_GMTIME_R
 
-#elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
+#elif defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) || \
+        defined(FREESCALE_KSDK_FREERTOS)
     #include <time.h>
     #ifndef XTIME
         /*extern time_t ksdk_time(time_t* timer);*/
@@ -763,7 +764,10 @@ static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx)
     return b;
 }
 
-#if !defined(NO_DSA) || defined(HAVE_ECC) || (!defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))))
+#if !defined(NO_DSA) || defined(HAVE_ECC) || \
+   (!defined(NO_RSA) && \
+        (defined(WOLFSSL_CERT_GEN) || \
+        (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))))
 /* Set the DER/BER encoding of the ASN.1 INTEGER header.
  *
  * len        Length of data to encode.
@@ -786,7 +790,8 @@ static int SetASNInt(int len, byte firstByte, byte* output)
 }
 #endif
 
-#if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA))
+#if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_CERT_GEN) || \
+    (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA))
 /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int.
  * The number is assumed to be positive.
  *
@@ -851,8 +856,7 @@ static int SetASNIntRSA(mp_int* n, byte* output)
 
     return idx;
 }
-#endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN &&
-                                           !HAVE_USER_RSA))) */
+#endif /* !NO_RSA && HAVE_USER_RSA && WOLFSSL_CERT_GEN */
 
 /* Windows header clash for WinCE using GetVersion */
 WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
@@ -4295,7 +4299,7 @@ static int SetCurve(ecc_key* key, byte* output)
     return idx;
 }
 
-#endif /* HAVE_ECC && WOLFSSL_CERT_GEN */
+#endif /* HAVE_ECC && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
 
 
 static INLINE int IsSigAlgoECDSA(int algoOID)
@@ -6668,9 +6672,10 @@ int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz,
     return outLen + headerLen + footerLen;
 }
 
-#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */
+#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN || OPENSSL_EXTRA */
 
-#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))
+#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || \
+        (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)))
 /* USER RSA ifdef portions used instead of refactor in consideration for
    possible fips build */
 /* Write a public RSA key to output */
@@ -6932,7 +6937,7 @@ int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen)
 #endif /* WOLFSSL_KEY_GEN && !NO_RSA && !HAVE_USER_RSA */
 
 
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
+#ifdef WOLFSSL_CERT_GEN
 
 /* Initialize and Set Certificate defaults:
    version    = 3 (0x2)
@@ -7082,8 +7087,8 @@ static word32 SetUTF8String(word32 len, byte* output)
 
 #endif /* WOLFSSL_CERT_REQ */
 
+#endif /*WOLFSSL_CERT_GEN */
 
-#endif /* defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) */
 #if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN))
 
 /* Write a public ECC key to output */
@@ -7216,6 +7221,7 @@ int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen,
     return SetEccPublicKey(output, key, with_AlgCurve);
 }
 #endif /* HAVE_ECC && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
+
 #if defined(HAVE_ED25519) && (defined(WOLFSSL_CERT_GEN) || \
                               defined(WOLFSSL_KEY_GEN))
 
@@ -7320,7 +7326,9 @@ int wc_Ed25519PublicKeyToDer(ed25519_key* key, byte* output, word32 inLen,
     return SetEd25519PublicKey(output, key, withAlg);
 }
 #endif /* HAVE_ED25519 && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
+
+
+#ifdef WOLFSSL_CERT_GEN
 
 static INLINE byte itob(int number)
 {
@@ -8163,14 +8171,13 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
 {
     int ret;
 
-    (void)eccKey;
-    (void)ntruKey;
-    (void)ntruSz;
-    (void)ed25519Key;
-
     if (cert == NULL || der == NULL || rng == NULL)
         return BAD_FUNC_ARG;
 
+    /* make sure at least one key type is provided */
+    if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL && ntruKey == NULL)
+        return PUBLIC_KEY_E;
+
     /* init */
     XMEMSET(der, 0, sizeof(DerCert));
 
@@ -8198,32 +8205,28 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
         return ALGO_ID_E;
 
     /* public key */
+#ifndef NO_RSA
     if (cert->keyType == RSA_KEY) {
         if (rsaKey == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
                                            sizeof(der->publicKey), 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
+#endif
 
 #ifdef HAVE_ECC
     if (cert->keyType == ECC_KEY) {
         if (eccKey == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
-#endif /* HAVE_ECC */
+#endif
 
 #ifdef HAVE_ED25519
     if (cert->keyType == ED25519_KEY) {
         if (ed25519Key == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
 #endif
 
@@ -8232,22 +8235,30 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
         word32 rc;
         word16 encodedSz;
 
-        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
+        if (ntruKey == NULL)
+            return PUBLIC_KEY_E;
+
+        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz,
                                                    ntruKey, &encodedSz, NULL);
         if (rc != NTRU_OK)
             return PUBLIC_KEY_E;
         if (encodedSz > MAX_PUBLIC_KEY_SZ)
             return PUBLIC_KEY_E;
 
-        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
+        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz,
                                          ntruKey, &encodedSz, der->publicKey);
         if (rc != NTRU_OK)
             return PUBLIC_KEY_E;
 
         der->publicKeySz = encodedSz;
     }
+#else
+    (void)ntruSz;
 #endif /* HAVE_NTRU */
 
+    if (der->publicKeySz <= 0)
+        return PUBLIC_KEY_E;
+
     der->validitySz = 0;
 #ifdef WOLFSSL_ALT_NAMES
     /* date validity copy ? */
@@ -8800,6 +8811,9 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
     if (cert == NULL || der == NULL)
         return BAD_FUNC_ARG;
 
+    if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL)
+            return PUBLIC_KEY_E;
+
     /* init */
     XMEMSET(der, 0, sizeof(DerCert));
 
@@ -8812,34 +8826,31 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
         return SUBJECT_E;
 
     /* public key */
+#ifndef NO_RSA
     if (cert->keyType == RSA_KEY) {
         if (rsaKey == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
                                            sizeof(der->publicKey), 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
+#endif
 
 #ifdef HAVE_ECC
     if (cert->keyType == ECC_KEY) {
-        if (eccKey == NULL)
-            return PUBLIC_KEY_E;
         der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
-#endif /* HAVE_ECC */
+#endif
 
 #ifdef HAVE_ED25519
     if (cert->keyType == ED25519_KEY) {
         if (ed25519Key == NULL)
             return PUBLIC_KEY_E;
         der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
     }
-#endif /* HAVE_ED25519 */
+#endif
+
+    if (der->publicKeySz <= 0)
+        return PUBLIC_KEY_E;
 
     /* set the extensions */
     der->extensionsSz = 0;
@@ -9167,24 +9178,17 @@ int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz,
 
 #ifdef WOLFSSL_CERT_EXT
 
-/* Set KID from RSA or ECC public key */
+/* Set KID from public key */
 static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
                                  byte *ntruKey, word16 ntruKeySz,
                                  ed25519_key* ed25519Key, int kid_type)
 {
-    byte    *buffer;
-    int     bufferSz, ret;
-
-#ifndef HAVE_NTRU
-    (void)ntruKeySz;
-#endif
+    byte *buffer;
+    int   bufferSz, ret;
 
     if (cert == NULL ||
         (rsakey == NULL && eckey == NULL && ntruKey == NULL &&
                                             ed25519Key == NULL) ||
-        (rsakey != NULL && eckey != NULL) ||
-        (rsakey != NULL && ntruKey != NULL) ||
-        (ntruKey != NULL && eckey != NULL) ||
         (kid_type != SKID_TYPE && kid_type != AKID_TYPE))
         return BAD_FUNC_ARG;
 
@@ -9193,31 +9197,35 @@ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
     if (buffer == NULL)
         return MEMORY_E;
 
+    /* Public Key */
+    bufferSz = -1;
+#ifndef NO_RSA
     /* RSA public key */
     if (rsakey != NULL)
         bufferSz = SetRsaPublicKey(buffer, rsakey, MAX_PUBLIC_KEY_SZ, 0);
+#endif
 #ifdef HAVE_ECC
     /* ECC public key */
-    else if (eckey != NULL)
+    if (eckey != NULL)
         bufferSz = SetEccPublicKey(buffer, eckey, 0);
-#endif /* HAVE_ECC */
+#endif
 #ifdef HAVE_NTRU
     /* NTRU public key */
-    else if (ntruKey != NULL) {
+    if (ntruKey != NULL) {
         bufferSz = MAX_PUBLIC_KEY_SZ;
         ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(
                         ntruKeySz, ntruKey, (word16 *)(&bufferSz), buffer);
         if (ret != NTRU_OK)
             bufferSz = -1;
     }
+#else
+    (void)ntruKeySz;
 #endif
 #ifdef HAVE_ED25519
     /* ED25519 public key */
-    else if (ed25519Key != NULL)
+    if (ed25519Key != NULL)
         bufferSz = SetEd25519PublicKey(buffer, ed25519Key, 0);
-#endif /* HAVE_ECC */
-    else
-        bufferSz = -1;
+#endif
 
     if (bufferSz <= 0) {
         XFREE(buffer, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -9338,6 +9346,7 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file)
     }
 
     /* Load PubKey in internal structure */
+#ifndef NO_RSA
     rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), cert->heap, DYNAMIC_TYPE_RSA);
     if (rsakey == NULL) {
         XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
@@ -9353,11 +9362,15 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file)
 
     idx = 0;
     ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz);
-    if (ret != 0) {
+    if (ret != 0)
+#endif
+    {
+#ifndef NO_RSA
         WOLFSSL_MSG("wc_RsaPublicKeyDecode failed");
         wc_FreeRsaKey(rsakey);
         XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
         rsakey = NULL;
+#endif
 #ifdef HAVE_ECC
         /* Check to load ecc public key */
         eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), cert->heap,
@@ -9393,8 +9406,10 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file)
 
     ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey);
 
+#ifndef NO_RSA
     wc_FreeRsaKey(rsakey);
     XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
+#endif
 #ifdef HAVE_ECC
     wc_ecc_free(eckey);
     XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC);
@@ -9766,9 +9781,7 @@ static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
     return ret < 0 ? ret : 0;
 }
 
-
-#endif /* WOLFSSL_ALT_NAMES && !NO_RSA */
-
+#endif /* WOLFSSL_ALT_NAMES */
 
 /* Set cn name from der buffer, return 0 on success */
 static int SetNameFromCert(CertName* cn, const byte* der, int derSz)

wolfssl/certs_test.h

@@ -2077,87 +2077,286 @@ static const int sizeof_serv_ecc_rsa_der_256 = sizeof(serv_ecc_rsa_der_256);
 /* ./certs/server-ecc.der, ECC */
 static const unsigned char serv_ecc_der_256[] =
 {
-	0x30, 0x82, 0x03, 0x10, 0x30, 0x82, 0x02, 0xB5, 0xA0, 0x03, 
-	0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xEF, 0x46, 0xC7, 0xA4, 
-	0x9B, 0xBB, 0x60, 0xD3, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 
-	0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x8F, 0x31, 
+	0x30, 0x82, 0x03, 0x4F, 0x30, 0x82, 0x02, 0xF5, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x02, 0x10, 0x00, 0x30, 0x0A, 0x06, 
+	0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 
+	0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 
+	0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 
+	0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 
+	0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 
+	0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 
+	0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
+	0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 
+	0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 
+	0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 
+	0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 
+	0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 
+	0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
+	0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 
+	0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 
+	0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 
+	0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x31, 
+	0x30, 0x31, 0x39, 0x31, 0x39, 0x30, 0x36, 0x34, 0x39, 0x5A, 
+	0x17, 0x0D, 0x32, 0x37, 0x31, 0x30, 0x31, 0x37, 0x31, 0x39, 
+	0x30, 0x36, 0x34, 0x39, 0x5A, 0x30, 0x81, 0x8F, 0x31, 0x0B, 
+	0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 
+	0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 
+	0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 
+	0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
+	0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 
+	0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 
+	0x07, 0x45, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x31, 0x0C, 
+	0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, 0x45, 
+	0x43, 0x43, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 
+	0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 
+	0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 
+	0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 
+	0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 
+	0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 
+	0x6D, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 
+	0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 
+	0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xBB, 0x33, 
+	0xAC, 0x4C, 0x27, 0x50, 0x4A, 0xC6, 0x4A, 0xA5, 0x04, 0xC3, 
+	0x3C, 0xDE, 0x9F, 0x36, 0xDB, 0x72, 0x2D, 0xCE, 0x94, 0xEA, 
+	0x2B, 0xFA, 0xCB, 0x20, 0x09, 0x39, 0x2C, 0x16, 0xE8, 0x61, 
+	0x02, 0xE9, 0xAF, 0x4D, 0xD3, 0x02, 0x93, 0x9A, 0x31, 0x5B, 
+	0x97, 0x92, 0x21, 0x7F, 0xF0, 0xCF, 0x18, 0xDA, 0x91, 0x11, 
+	0x02, 0x34, 0x86, 0xE8, 0x20, 0x58, 0x33, 0x0B, 0x80, 0x34, 
+	0x89, 0xD8, 0xA3, 0x82, 0x01, 0x35, 0x30, 0x82, 0x01, 0x31, 
+	0x30, 0x09, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x02, 0x30, 
+	0x00, 0x30, 0x11, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 
+	0xF8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 
+	0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 
+	0x14, 0x5D, 0x5D, 0x26, 0xEF, 0xAC, 0x7E, 0x36, 0xF9, 0x9B, 
+	0x76, 0x15, 0x2B, 0x4A, 0x25, 0x02, 0x23, 0xEF, 0xB2, 0x89, 
+	0x30, 0x30, 0x81, 0xCC, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 
+	0x81, 0xC4, 0x30, 0x81, 0xC1, 0x80, 0x14, 0xFD, 0x9D, 0x85, 
+	0xD5, 0xC1, 0x6F, 0x47, 0xEA, 0xC6, 0x75, 0x96, 0x59, 0x25, 
+	0x37, 0x46, 0x8C, 0x61, 0xDB, 0xE1, 0xC3, 0xA1, 0x81, 0x9D, 
+	0xA4, 0x81, 0x9A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 
+	0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 
+	0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 
+	0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 
+	0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 
+	0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 
+	0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 
+	0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 
+	0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 
+	0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 
+	0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 
+	0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 
+	0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 
+	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 
+	0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 
+	0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, 
+	0x98, 0x6A, 0x0C, 0xF4, 0x02, 0x43, 0xA6, 0x28, 0x30, 0x0E, 
+	0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 
+	0x03, 0x02, 0x05, 0xA0, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1D, 
+	0x25, 0x04, 0x0C, 0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 
+	0x05, 0x05, 0x07, 0x03, 0x01, 0x30, 0x0A, 0x06, 0x08, 0x2A, 
+	0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 
+	0x30, 0x45, 0x02, 0x21, 0x00, 0xCE, 0x09, 0x22, 0xAB, 0x21, 
+	0xC1, 0x30, 0x80, 0x33, 0x4B, 0xB4, 0x75, 0x19, 0x0B, 0x37, 
+	0xE5, 0x18, 0xC6, 0x6A, 0x48, 0xB1, 0xA6, 0x2A, 0x0C, 0xD0, 
+	0x91, 0x96, 0xD3, 0x97, 0xDB, 0x75, 0xCF, 0x02, 0x20, 0x03, 
+	0x97, 0x6B, 0x90, 0xE1, 0x2E, 0x20, 0x10, 0xE7, 0xBF, 0xC3, 
+	0x25, 0x97, 0x4D, 0xA8, 0x07, 0x9E, 0x14, 0x86, 0x99, 0xBD, 
+	0x87, 0x98, 0xFD, 0x2E, 0xD2, 0x4D, 0x1F, 0xDA, 0x52, 0x92, 
+	0xB9
+};
+static const int sizeof_serv_ecc_der_256 = sizeof(serv_ecc_der_256);
+
+/* ./certs/ca-ecc-key.der, ECC */
+static const unsigned char ca_ecc_key_der_256[] =
+{
+	0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xAC, 0xB8, 0xFA, 
+	0x16, 0x7D, 0x18, 0xD6, 0x43, 0x7B, 0x92, 0xB8, 0xD2, 0xA6, 
+	0x60, 0x6D, 0x44, 0x0E, 0xAA, 0xB9, 0x0F, 0x1C, 0x3A, 0x5B, 
+	0x57, 0xD0, 0x5F, 0x67, 0x11, 0xCB, 0xAB, 0x48, 0x87, 0xA0, 
+	0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 
+	0x07, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xE6, 0x38, 0xDF, 
+	0x16, 0xE3, 0x4B, 0xEA, 0xAA, 0x9F, 0x91, 0xA3, 0xF3, 0x32, 
+	0x40, 0xF6, 0x6C, 0x7E, 0xA1, 0x55, 0x01, 0x38, 0x05, 0xFE, 
+	0x6B, 0x39, 0x37, 0x1C, 0xEA, 0xF9, 0xF9, 0x4D, 0x87, 0x4B, 
+	0x2D, 0x2F, 0x4B, 0x54, 0xE5, 0x9B, 0x4A, 0x1A, 0xBA, 0x0D, 
+	0x02, 0xA5, 0x1C, 0xEC, 0xC1, 0x51, 0x30, 0xC9, 0x3C, 0x94, 
+	0xAC, 0x2E, 0x5B, 0x2F, 0x40, 0xF6, 0x3C, 0xA7, 0x7A, 0xD0, 
+	0x68
+};
+static const int sizeof_ca_ecc_key_der_256 = sizeof(ca_ecc_key_der_256);
+
+/* ./certs/ca-ecc-cert.der, ECC */
+static const unsigned char ca_ecc_cert_der_256[] =
+{
+	0x30, 0x82, 0x02, 0x89, 0x30, 0x82, 0x02, 0x30, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x98, 0x6A, 0x0C, 0xF4, 
+	0x02, 0x43, 0xA6, 0x28, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 
+	0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81, 0x97, 0x31, 
 	0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 
 	0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 
 	0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 
 	0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
 	0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 
 	0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 
-	0x0C, 0x07, 0x45, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x31, 
-	0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, 
-	0x45, 0x43, 0x43, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 
-	0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 
-	0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 
-	0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 
-	0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 
-	0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 
-	0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x36, 0x30, 0x38, 
-	0x31, 0x31, 0x32, 0x30, 0x30, 0x37, 0x33, 0x38, 0x5A, 0x17, 
-	0x0D, 0x31, 0x39, 0x30, 0x35, 0x30, 0x38, 0x32, 0x30, 0x30, 
-	0x37, 0x33, 0x38, 0x5A, 0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30, 
-	0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 
-	0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 
-	0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 
-	0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 
-	0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 
-	0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 
-	0x45, 0x6C, 0x69, 0x70, 0x74, 0x69, 0x63, 0x31, 0x0C, 0x30, 
-	0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x03, 0x45, 0x43, 
-	0x43, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
+	0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 
+	0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 
+	0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 
+	0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
 	0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 
 	0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 
 	0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 
 	0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 
 	0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
-	0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 
-	0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 
-	0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xBB, 0x33, 0xAC, 
-	0x4C, 0x27, 0x50, 0x4A, 0xC6, 0x4A, 0xA5, 0x04, 0xC3, 0x3C, 
-	0xDE, 0x9F, 0x36, 0xDB, 0x72, 0x2D, 0xCE, 0x94, 0xEA, 0x2B, 
-	0xFA, 0xCB, 0x20, 0x09, 0x39, 0x2C, 0x16, 0xE8, 0x61, 0x02, 
-	0xE9, 0xAF, 0x4D, 0xD3, 0x02, 0x93, 0x9A, 0x31, 0x5B, 0x97, 
-	0x92, 0x21, 0x7F, 0xF0, 0xCF, 0x18, 0xDA, 0x91, 0x11, 0x02, 
-	0x34, 0x86, 0xE8, 0x20, 0x58, 0x33, 0x0B, 0x80, 0x34, 0x89, 
-	0xD8, 0xA3, 0x81, 0xF7, 0x30, 0x81, 0xF4, 0x30, 0x1D, 0x06, 
-	0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x5D, 0x5D, 
-	0x26, 0xEF, 0xAC, 0x7E, 0x36, 0xF9, 0x9B, 0x76, 0x15, 0x2B, 
-	0x4A, 0x25, 0x02, 0x23, 0xEF, 0xB2, 0x89, 0x30, 0x30, 0x81, 
-	0xC4, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xBC, 0x30, 
-	0x81, 0xB9, 0x80, 0x14, 0x5D, 0x5D, 0x26, 0xEF, 0xAC, 0x7E, 
-	0x36, 0xF9, 0x9B, 0x76, 0x15, 0x2B, 0x4A, 0x25, 0x02, 0x23, 
-	0xEF, 0xB2, 0x89, 0x30, 0xA1, 0x81, 0x95, 0xA4, 0x81, 0x92, 
-	0x30, 0x81, 0x8F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
-	0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 
-	0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 
-	0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 
-	0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 
-	0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 
-	0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x45, 0x6C, 0x69, 0x70, 
-	0x74, 0x69, 0x63, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 
-	0x04, 0x0B, 0x0C, 0x03, 0x45, 0x43, 0x43, 0x31, 0x18, 0x30, 
+	0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x31, 0x30, 0x31, 0x39, 
+	0x31, 0x39, 0x30, 0x36, 0x34, 0x39, 0x5A, 0x17, 0x0D, 0x33, 
+	0x37, 0x31, 0x30, 0x31, 0x34, 0x31, 0x39, 0x30, 0x36, 0x34, 
+	0x39, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, 
+	0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 
+	0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 
+	0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 
+	0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 
+	0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 
+	0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 
+	0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06, 
+	0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65, 
+	0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30, 
 	0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 
 	0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 
 	0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 
 	0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 
 	0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 
-	0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, 0xEF, 
-	0x46, 0xC7, 0xA4, 0x9B, 0xBB, 0x60, 0xD3, 0x30, 0x0C, 0x06, 
-	0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 
-	0xFF, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 
-	0x04, 0x03, 0x02, 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 
-	0x00, 0xF1, 0xD0, 0xA6, 0x3E, 0x83, 0x33, 0x24, 0xD1, 0x7A, 
-	0x05, 0x5F, 0x1E, 0x0E, 0xBD, 0x7D, 0x6B, 0x33, 0xE9, 0xF2, 
-	0x86, 0xF3, 0xF3, 0x3D, 0xA9, 0xEF, 0x6A, 0x87, 0x31, 0xB3, 
-	0xB7, 0x7E, 0x50, 0x02, 0x21, 0x00, 0xF0, 0x60, 0xDD, 0xCE, 
-	0xA2, 0xDB, 0x56, 0xEC, 0xD9, 0xF4, 0xE4, 0xE3, 0x25, 0xD4, 
-	0xB0, 0xC9, 0x25, 0x7D, 0xCA, 0x7A, 0x5D, 0xBA, 0xC4, 0xB2, 
-	0xF6, 0x7D, 0x04, 0xC7, 0xBD, 0x62, 0xC9, 0x20
+	0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x59, 0x30, 0x13, 
+	0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 
+	0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 
+	0x42, 0x00, 0x04, 0xE6, 0x38, 0xDF, 0x16, 0xE3, 0x4B, 0xEA, 
+	0xAA, 0x9F, 0x91, 0xA3, 0xF3, 0x32, 0x40, 0xF6, 0x6C, 0x7E, 
+	0xA1, 0x55, 0x01, 0x38, 0x05, 0xFE, 0x6B, 0x39, 0x37, 0x1C, 
+	0xEA, 0xF9, 0xF9, 0x4D, 0x87, 0x4B, 0x2D, 0x2F, 0x4B, 0x54, 
+	0xE5, 0x9B, 0x4A, 0x1A, 0xBA, 0x0D, 0x02, 0xA5, 0x1C, 0xEC, 
+	0xC1, 0x51, 0x30, 0xC9, 0x3C, 0x94, 0xAC, 0x2E, 0x5B, 0x2F, 
+	0x40, 0xF6, 0x3C, 0xA7, 0x7A, 0xD0, 0x68, 0xA3, 0x63, 0x30, 
+	0x61, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 
+	0x04, 0x14, 0xFD, 0x9D, 0x85, 0xD5, 0xC1, 0x6F, 0x47, 0xEA, 
+	0xC6, 0x75, 0x96, 0x59, 0x25, 0x37, 0x46, 0x8C, 0x61, 0xDB, 
+	0xE1, 0xC3, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 
+	0x18, 0x30, 0x16, 0x80, 0x14, 0xFD, 0x9D, 0x85, 0xD5, 0xC1, 
+	0x6F, 0x47, 0xEA, 0xC6, 0x75, 0x96, 0x59, 0x25, 0x37, 0x46, 
+	0x8C, 0x61, 0xDB, 0xE1, 0xC3, 0x30, 0x0F, 0x06, 0x03, 0x55, 
+	0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 
+	0x01, 0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 
+	0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0A, 
+	0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 
+	0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x03, 0xCF, 0x3F, 
+	0x6E, 0x26, 0xF7, 0x76, 0xBE, 0x98, 0x81, 0x20, 0x57, 0x6B, 
+	0x4A, 0x55, 0xF7, 0x16, 0x19, 0x21, 0xA0, 0x4C, 0xC8, 0xA1, 
+	0x19, 0x83, 0x4C, 0x66, 0x55, 0x2D, 0x43, 0x36, 0xE1, 0x02, 
+	0x20, 0x4D, 0x26, 0x29, 0x2B, 0xF2, 0x38, 0x94, 0x85, 0x7E, 
+	0xA0, 0x13, 0xB6, 0xC5, 0x8D, 0x61, 0xBE, 0x96, 0x15, 0xAD, 
+	0xFE, 0xAE, 0x61, 0xED, 0xA1, 0x88, 0xF9, 0x79, 0xC6, 0x40, 
+	0x57, 0xE4, 0x9B
 };
-static const int sizeof_serv_ecc_der_256 = sizeof(serv_ecc_der_256);
+static const int sizeof_ca_ecc_cert_der_256 = sizeof(ca_ecc_cert_der_256);
+
+/* ./certs/ca-ecc384-key.der, ECC */
+static const unsigned char ca_ecc_key_der_384[] =
+{
+	0x30, 0x81, 0xA4, 0x02, 0x01, 0x01, 0x04, 0x30, 0x25, 0x7B, 
+	0x71, 0xAC, 0x46, 0x4C, 0xF2, 0xC4, 0xA5, 0x59, 0x86, 0xF6, 
+	0x09, 0xB4, 0x73, 0x84, 0xC4, 0x18, 0x04, 0xA4, 0x1A, 0x23, 
+	0x75, 0x80, 0xCE, 0x5E, 0x09, 0x5C, 0x04, 0xE0, 0xAD, 0x04, 
+	0x8E, 0x5F, 0xD7, 0xC7, 0x91, 0xE7, 0x76, 0xCB, 0x8A, 0xEF, 
+	0xC0, 0xF1, 0x34, 0x28, 0xEE, 0x5C, 0xA0, 0x07, 0x06, 0x05, 
+	0x2B, 0x81, 0x04, 0x00, 0x22, 0xA1, 0x64, 0x03, 0x62, 0x00, 
+	0x04, 0x11, 0x3C, 0x5C, 0xD0, 0x64, 0x22, 0xA7, 0x0F, 0xC8, 
+	0xB6, 0x40, 0x84, 0xD7, 0xE9, 0x42, 0x13, 0x88, 0xB9, 0x11, 
+	0xB5, 0x8D, 0x9E, 0xBB, 0x40, 0xB4, 0x9E, 0xF7, 0x20, 0x35, 
+	0x2B, 0xF5, 0xDC, 0x59, 0x70, 0x00, 0x19, 0x32, 0x63, 0xDE, 
+	0x56, 0x55, 0x6A, 0x0B, 0xD5, 0x29, 0xBA, 0xC1, 0x26, 0x53, 
+	0x3F, 0x11, 0xB4, 0x9C, 0xD1, 0x0E, 0x23, 0xBF, 0x03, 0x2B, 
+	0x46, 0x45, 0x4E, 0x65, 0xF4, 0x77, 0x22, 0x0A, 0x63, 0xE2, 
+	0x49, 0x5D, 0xF0, 0xA7, 0x8C, 0x29, 0x49, 0x00, 0x33, 0x00, 
+	0xB1, 0x40, 0x19, 0xBF, 0x67, 0x3F, 0xD1, 0xF2, 0x4E, 0x6E, 
+	0x1D, 0x18, 0x81, 0x50, 0xEB, 0x13, 0x6A
+};
+static const int sizeof_ca_ecc_key_der_384 = sizeof(ca_ecc_key_der_384);
+
+/* ./certs/ca-ecc384-cert.der, ECC */
+static const unsigned char ca_ecc_cert_der_384[] =
+{
+	0x30, 0x82, 0x02, 0xC7, 0x30, 0x82, 0x02, 0x4D, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA8, 0x45, 0x77, 0x67, 
+	0x97, 0x27, 0xF9, 0x20, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 
+	0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x30, 0x81, 0x97, 0x31, 
+	0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 
+	0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 
+	0x08, 0x0C, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 
+	0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
+	0x04, 0x07, 0x0C, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 
+	0x65, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 
+	0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 
+	0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 
+	0x44, 0x65, 0x76, 0x65, 0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 
+	0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
+	0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 
+	0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 
+	0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 
+	0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 
+	0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
+	0x30, 0x1E, 0x17, 0x0D, 0x31, 0x37, 0x31, 0x30, 0x31, 0x39, 
+	0x31, 0x39, 0x30, 0x36, 0x34, 0x39, 0x5A, 0x17, 0x0D, 0x33, 
+	0x37, 0x31, 0x30, 0x31, 0x34, 0x31, 0x39, 0x30, 0x36, 0x34, 
+	0x39, 0x5A, 0x30, 0x81, 0x97, 0x31, 0x0B, 0x30, 0x09, 0x06, 
+	0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 
+	0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x57, 
+	0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 
+	0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 
+	0x53, 0x65, 0x61, 0x74, 0x74, 0x6C, 0x65, 0x31, 0x10, 0x30, 
+	0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 
+	0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x14, 0x30, 0x12, 0x06, 
+	0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0B, 0x44, 0x65, 0x76, 0x65, 
+	0x6C, 0x6F, 0x70, 0x6D, 0x65, 0x6E, 0x74, 0x31, 0x18, 0x30, 
+	0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 
+	0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 
+	0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 
+	0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 
+	0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 
+	0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x76, 0x30, 0x10, 
+	0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 
+	0x05, 0x2B, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 
+	0x11, 0x3C, 0x5C, 0xD0, 0x64, 0x22, 0xA7, 0x0F, 0xC8, 0xB6, 
+	0x40, 0x84, 0xD7, 0xE9, 0x42, 0x13, 0x88, 0xB9, 0x11, 0xB5, 
+	0x8D, 0x9E, 0xBB, 0x40, 0xB4, 0x9E, 0xF7, 0x20, 0x35, 0x2B, 
+	0xF5, 0xDC, 0x59, 0x70, 0x00, 0x19, 0x32, 0x63, 0xDE, 0x56, 
+	0x55, 0x6A, 0x0B, 0xD5, 0x29, 0xBA, 0xC1, 0x26, 0x53, 0x3F, 
+	0x11, 0xB4, 0x9C, 0xD1, 0x0E, 0x23, 0xBF, 0x03, 0x2B, 0x46, 
+	0x45, 0x4E, 0x65, 0xF4, 0x77, 0x22, 0x0A, 0x63, 0xE2, 0x49, 
+	0x5D, 0xF0, 0xA7, 0x8C, 0x29, 0x49, 0x00, 0x33, 0x00, 0xB1, 
+	0x40, 0x19, 0xBF, 0x67, 0x3F, 0xD1, 0xF2, 0x4E, 0x6E, 0x1D, 
+	0x18, 0x81, 0x50, 0xEB, 0x13, 0x6A, 0xA3, 0x63, 0x30, 0x61, 
+	0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 
+	0x14, 0x97, 0xFD, 0xB4, 0x6D, 0xCE, 0x08, 0xB3, 0x02, 0x57, 
+	0xAB, 0xF3, 0x40, 0xD6, 0x1D, 0xAC, 0x75, 0x32, 0x35, 0xAA, 
+	0xF2, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 
+	0x30, 0x16, 0x80, 0x14, 0x97, 0xFD, 0xB4, 0x6D, 0xCE, 0x08, 
+	0xB3, 0x02, 0x57, 0xAB, 0xF3, 0x40, 0xD6, 0x1D, 0xAC, 0x75, 
+	0x32, 0x35, 0xAA, 0xF2, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 
+	0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 
+	0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 
+	0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0A, 0x06, 
+	0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x03, 
+	0x68, 0x00, 0x30, 0x65, 0x02, 0x31, 0x00, 0x9D, 0x49, 0x9E, 
+	0x68, 0x10, 0x55, 0xB3, 0x92, 0x89, 0x23, 0xCF, 0x58, 0xFB, 
+	0x04, 0xEE, 0xAB, 0xED, 0x3E, 0x3C, 0xF6, 0x94, 0x66, 0xD1, 
+	0xBD, 0x16, 0x8E, 0xCA, 0x52, 0x9F, 0x39, 0xF3, 0xD6, 0x47, 
+	0xC0, 0xCB, 0x45, 0xE2, 0x1E, 0xC6, 0xDD, 0x50, 0x08, 0x37, 
+	0x37, 0xBA, 0xAE, 0xE6, 0x72, 0x02, 0x30, 0x6B, 0x38, 0x53, 
+	0x41, 0x32, 0x3E, 0x55, 0x84, 0x39, 0x65, 0x9B, 0xA7, 0x40, 
+	0x98, 0x05, 0xCD, 0x16, 0xFE, 0xDD, 0x54, 0x3A, 0x38, 0x19, 
+	0xF0, 0x63, 0xB9, 0xC1, 0x45, 0x46, 0xDC, 0xB4, 0x4D, 0x47, 
+	0x21, 0x49, 0xFC, 0x5B, 0x63, 0xA8, 0x16, 0x4C, 0xD8, 0x3F, 
+	0x3B, 0xA8, 0xC9, 0xFB, 0xFA
+};
+static const int sizeof_ca_ecc_cert_der_384 = sizeof(ca_ecc_cert_der_384);
 
 #endif /* HAVE_ECC && USE_CERT_BUFFERS_256 */
 
@@ -2183,158 +2382,142 @@ static const unsigned char dh_g[] =
   0x02,
 };
 
-#ifdef HAVE_ED25519
-/*
- * Subject: /C=US/ST=Montana/L=Bozeman/SN=Leaf/O=wolfSSL/OU=ED25519/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
- * Issuer:  /C=US/ST=Montana/L=Bozeman/SN=CA/O=wolfSSL/OU=ED25519/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
- */
-static const unsigned char server_ed25519_pkey[44] = {
-    0x30, 0x2A, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 
-    0x21, 0x00, 0x1A, 0x30, 0x88, 0x18, 0x47, 0x2F, 0x97, 0xDA, 
-    0x04, 0xF4, 0xA4, 0xE3, 0xBD, 0x6C, 0x0C, 0x16, 0xB9, 0x48, 
-    0xC1, 0xD1, 0x42, 0xD7, 0x8E, 0x92, 0x84, 0xA0, 0x74, 0x2A, 
-    0x43, 0x9E, 0x0E, 0x29
-};
-static const int sizeof_server_ed25519_pkey = sizeof(server_ed25519_pkey);
+#if defined(HAVE_ED25519)
 
-static const unsigned char server_ed25519_cert[591] = {
-    0x30, 0x82, 0x02, 0x4B, 0x30, 0x82, 0x01, 0xFD, 0xA0, 0x03, 
-    0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xD0, 0x92, 0x10, 0x6A, 
-    0x5A, 0x46, 0x57, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 
-    0x30, 0x81, 0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
-    0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 
-    0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 
-    0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
-    0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 
-    0x61, 0x6E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 
-    0x04, 0x0C, 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 
-    0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 
-    0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
-    0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 
-    0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
-    0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 
-    0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 
-    0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 
-    0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 
-    0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
-    0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x30, 0x35, 
-    0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x18, 
-    0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 0x39, 0x32, 
-    0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 0x9F, 0x31, 
-    0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 
-    0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
-    0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 
-    0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 
-    0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x0D, 
-    0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 0x04, 0x4C, 
-    0x65, 0x61, 0x66, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
-    0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 
-    0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, 
-    0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, 
-    0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 
-    0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 
-    0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 
-    0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 
-    0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 
-    0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, 
-    0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, 
-    0x1A, 0x30, 0x88, 0x18, 0x47, 0x2F, 0x97, 0xDA, 0x04, 0xF4, 
-    0xA4, 0xE3, 0xBD, 0x6C, 0x0C, 0x16, 0xB9, 0x48, 0xC1, 0xD1, 
-    0x42, 0xD7, 0x8E, 0x92, 0x84, 0xA0, 0x74, 0x2A, 0x43, 0x9E, 
-    0x0E, 0x29, 0xA3, 0x53, 0x30, 0x51, 0x30, 0x1D, 0x06, 0x03, 
-    0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xF6, 0xB2, 0x84, 
-    0x1A, 0x95, 0xB4, 0x70, 0x32, 0x53, 0xFE, 0xD9, 0xEB, 0x9B, 
-    0x29, 0x80, 0x4B, 0xD6, 0xB5, 0xF1, 0xC0, 0x30, 0x1F, 0x06, 
-    0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 
-    0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 0x8B, 
-    0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 0xC9, 
-    0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 
-    0x04, 0x05, 0x03, 0x02, 0x06, 0xC0, 0x00, 0x30, 0x05, 0x06, 
-    0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0x12, 0x56, 0x77, 
-    0x0C, 0x96, 0x42, 0x98, 0xDA, 0xC9, 0x15, 0x6C, 0x4E, 0x48, 
-    0x95, 0x05, 0x1D, 0xD0, 0x78, 0x32, 0xF8, 0x86, 0x46, 0x9A, 
-    0x46, 0x9B, 0x64, 0x8B, 0x31, 0xB0, 0x19, 0x6B, 0x77, 0x99, 
-    0x8B, 0xFF, 0xFC, 0x02, 0x36, 0x05, 0x0B, 0x69, 0x37, 0x87, 
-    0x62, 0x75, 0xDA, 0x50, 0x2C, 0x2D, 0x5D, 0x52, 0x94, 0x3F, 
-    0x00, 0x9D, 0x18, 0x45, 0x6F, 0x37, 0x12, 0x8E, 0xF4, 0xE4, 
-    0x00
+/* ./certs/ed25519/server-ed25519.der, ED25519 */
+static const unsigned char server_ed25519_cert[] =
+{
+	0x30, 0x82, 0x02, 0x4B, 0x30, 0x82, 0x01, 0xFD, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xD0, 0x92, 0x10, 0x6A, 
+	0x5A, 0x46, 0x57, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 
+	0x30, 0x81, 0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
+	0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 
+	0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 
+	0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
+	0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 
+	0x61, 0x6E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 
+	0x04, 0x0C, 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 
+	0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 
+	0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
+	0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 
+	0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 
+	0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 
+	0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 
+	0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 
+	0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 
+	0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 
+	0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x30, 0x35, 
+	0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x18, 
+	0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 0x39, 0x32, 
+	0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 0x9F, 0x31, 
+	0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 
+	0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
+	0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 
+	0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 
+	0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x0D, 
+	0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 0x04, 0x4C, 
+	0x65, 0x61, 0x66, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
+	0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 
+	0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, 
+	0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, 
+	0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 
+	0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 
+	0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 
+	0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 
+	0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 
+	0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, 
+	0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, 
+	0x1A, 0x30, 0x88, 0x18, 0x47, 0x2F, 0x97, 0xDA, 0x04, 0xF4, 
+	0xA4, 0xE3, 0xBD, 0x6C, 0x0C, 0x16, 0xB9, 0x48, 0xC1, 0xD1, 
+	0x42, 0xD7, 0x8E, 0x92, 0x84, 0xA0, 0x74, 0x2A, 0x43, 0x9E, 
+	0x0E, 0x29, 0xA3, 0x53, 0x30, 0x51, 0x30, 0x1D, 0x06, 0x03, 
+	0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xF6, 0xB2, 0x84, 
+	0x1A, 0x95, 0xB4, 0x70, 0x32, 0x53, 0xFE, 0xD9, 0xEB, 0x9B, 
+	0x29, 0x80, 0x4B, 0xD6, 0xB5, 0xF1, 0xC0, 0x30, 0x1F, 0x06, 
+	0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 
+	0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 0x8B, 
+	0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 0xC9, 
+	0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 
+	0x04, 0x05, 0x03, 0x02, 0x06, 0xC0, 0x00, 0x30, 0x05, 0x06, 
+	0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 0x00, 0x12, 0x56, 0x77, 
+	0x0C, 0x96, 0x42, 0x98, 0xDA, 0xC9, 0x15, 0x6C, 0x4E, 0x48, 
+	0x95, 0x05, 0x1D, 0xD0, 0x78, 0x32, 0xF8, 0x86, 0x46, 0x9A, 
+	0x46, 0x9B, 0x64, 0x8B, 0x31, 0xB0, 0x19, 0x6B, 0x77, 0x99, 
+	0x8B, 0xFF, 0xFC, 0x02, 0x36, 0x05, 0x0B, 0x69, 0x37, 0x87, 
+	0x62, 0x75, 0xDA, 0x50, 0x2C, 0x2D, 0x5D, 0x52, 0x94, 0x3F, 
+	0x00, 0x9D, 0x18, 0x45, 0x6F, 0x37, 0x12, 0x8E, 0xF4, 0xE4, 
+	0x00
 };
 static const int sizeof_server_ed25519_cert = sizeof(server_ed25519_cert);
 
-static const unsigned char ca_ed25519_pkey[44] = {
-    0x30, 0x2A, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 
-    0x21, 0x00, 0x41, 0x07, 0xEC, 0x75, 0x0C, 0x68, 0x72, 0x12, 
-    0x3C, 0x04, 0x82, 0x07, 0x6E, 0x16, 0x6F, 0x40, 0x41, 0x6D, 
-    0xA4, 0x8F, 0x08, 0xF2, 0xE2, 0x9D, 0xA7, 0x43, 0xC2, 0x24, 
-    0x28, 0x98, 0x7E, 0xAC
-};
-static const int sizeof_ca_ed25519_pkey = sizeof(ca_ed25519_pkey);
-
-static const unsigned char ca_ed25519_cert[605] = {
-    0x30, 0x82, 0x02, 0x59, 0x30, 0x82, 0x02, 0x0B, 0xA0, 0x03, 
-    0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xF6, 0xE1, 0x3E, 0xBC, 
-    0x79, 0xA1, 0x85, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 
-    0x30, 0x81, 0x9F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
-    0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 
-    0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 
-    0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
-    0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 
-    0x61, 0x6E, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 
-    0x04, 0x0C, 0x04, 0x52, 0x6F, 0x6F, 0x74, 0x31, 0x10, 0x30, 
-    0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 
-    0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 
-    0x03, 0x55, 0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 
-    0x35, 0x31, 0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 
-    0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 
-    0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 
-    0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 
-    0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 
-    0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 
-    0x6F, 0x6D, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 
-    0x30, 0x35, 0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 
-    0x5A, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 
-    0x39, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 
-    0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 
-    0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
-    0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 
-    0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
-    0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 
-    0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 
-    0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
-    0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 
-    0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, 
-    0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, 
-    0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 
-    0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 
-    0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 
-    0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 
-    0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 
-    0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, 
-    0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, 
-    0x41, 0x07, 0xEC, 0x75, 0x0C, 0x68, 0x72, 0x12, 0x3C, 0x04, 
-    0x82, 0x07, 0x6E, 0x16, 0x6F, 0x40, 0x41, 0x6D, 0xA4, 0x8F, 
-    0x08, 0xF2, 0xE2, 0x9D, 0xA7, 0x43, 0xC2, 0x24, 0x28, 0x98, 
-    0x7E, 0xAC, 0xA3, 0x61, 0x30, 0x5F, 0x30, 0x0C, 0x06, 0x03, 
-    0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 
-    0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 
-    0x14, 0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 
-    0x8B, 0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 
-    0xC9, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 
-    0x30, 0x16, 0x80, 0x14, 0x86, 0xC0, 0x27, 0xE9, 0x9E, 0xFA, 
-    0x85, 0xC1, 0xFD, 0xE3, 0x6F, 0xFC, 0x54, 0x59, 0x72, 0x37, 
-    0xC7, 0x33, 0x92, 0xBB, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 
-    0x0F, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x03, 0x02, 0x01, 0xC6, 
-    0x00, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 
-    0x00, 0x22, 0x1B, 0x06, 0x17, 0xC0, 0x11, 0x74, 0x1F, 0x64, 
-    0xD1, 0xA3, 0xF6, 0x7B, 0x06, 0x00, 0x1A, 0x0B, 0x50, 0x8E, 
-    0xEB, 0xB1, 0x63, 0x92, 0x45, 0xBA, 0xDC, 0xE2, 0xC1, 0x68, 
-    0x14, 0x23, 0x0C, 0x6E, 0x2C, 0x95, 0x3C, 0xB1, 0x1C, 0x19, 
-    0x27, 0x98, 0x50, 0x3E, 0x55, 0x51, 0xCC, 0xC4, 0x49, 0x58, 
-    0xAF, 0xB9, 0x46, 0x4F, 0xED, 0x9C, 0x57, 0x38, 0x04, 0x29, 
-    0xD4, 0xA9, 0x12, 0xFE, 0x08
+/* ./certs/ed25519/ca-ed25519.der, ED25519 */
+static const unsigned char ca_ed25519_cert[] =
+{
+	0x30, 0x82, 0x02, 0x59, 0x30, 0x82, 0x02, 0x0B, 0xA0, 0x03, 
+	0x02, 0x01, 0x02, 0x02, 0x08, 0x01, 0xF6, 0xE1, 0x3E, 0xBC, 
+	0x79, 0xA1, 0x85, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 
+	0x30, 0x81, 0x9F, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 
+	0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 
+	0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 
+	0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
+	0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 
+	0x61, 0x6E, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 
+	0x04, 0x0C, 0x04, 0x52, 0x6F, 0x6F, 0x74, 0x31, 0x10, 0x30, 
+	0x0E, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 
+	0x6C, 0x66, 0x53, 0x53, 0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 
+	0x03, 0x55, 0x04, 0x0B, 0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 
+	0x35, 0x31, 0x39, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 
+	0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 
+	0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 
+	0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 
+	0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 
+	0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 
+	0x6F, 0x6D, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 
+	0x30, 0x35, 0x32, 0x38, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 
+	0x5A, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x39, 0x30, 0x35, 0x32, 
+	0x39, 0x32, 0x33, 0x32, 0x36, 0x32, 0x39, 0x5A, 0x30, 0x81, 
+	0x9D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 
+	0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 
+	0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 
+	0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 
+	0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 
+	0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x04, 0x0C, 
+	0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 
+	0x04, 0x0A, 0x0C, 0x07, 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 
+	0x4C, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x0B, 
+	0x0C, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x31, 
+	0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 
+	0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 
+	0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 
+	0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 
+	0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 
+	0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x2A, 
+	0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21, 0x00, 
+	0x41, 0x07, 0xEC, 0x75, 0x0C, 0x68, 0x72, 0x12, 0x3C, 0x04, 
+	0x82, 0x07, 0x6E, 0x16, 0x6F, 0x40, 0x41, 0x6D, 0xA4, 0x8F, 
+	0x08, 0xF2, 0xE2, 0x9D, 0xA7, 0x43, 0xC2, 0x24, 0x28, 0x98, 
+	0x7E, 0xAC, 0xA3, 0x61, 0x30, 0x5F, 0x30, 0x0C, 0x06, 0x03, 
+	0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 
+	0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 
+	0x14, 0x92, 0xD5, 0x0B, 0xDA, 0xF1, 0x04, 0x8B, 0xB9, 0xA1, 
+	0x8B, 0x03, 0x02, 0x9F, 0x58, 0x00, 0x35, 0x36, 0x07, 0x7A, 
+	0xC9, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 
+	0x30, 0x16, 0x80, 0x14, 0x86, 0xC0, 0x27, 0xE9, 0x9E, 0xFA, 
+	0x85, 0xC1, 0xFD, 0xE3, 0x6F, 0xFC, 0x54, 0x59, 0x72, 0x37, 
+	0xC7, 0x33, 0x92, 0xBB, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 
+	0x0F, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x03, 0x02, 0x01, 0xC6, 
+	0x00, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x41, 
+	0x00, 0x22, 0x1B, 0x06, 0x17, 0xC0, 0x11, 0x74, 0x1F, 0x64, 
+	0xD1, 0xA3, 0xF6, 0x7B, 0x06, 0x00, 0x1A, 0x0B, 0x50, 0x8E, 
+	0xEB, 0xB1, 0x63, 0x92, 0x45, 0xBA, 0xDC, 0xE2, 0xC1, 0x68, 
+	0x14, 0x23, 0x0C, 0x6E, 0x2C, 0x95, 0x3C, 0xB1, 0x1C, 0x19, 
+	0x27, 0x98, 0x50, 0x3E, 0x55, 0x51, 0xCC, 0xC4, 0x49, 0x58, 
+	0xAF, 0xB9, 0x46, 0x4F, 0xED, 0x9C, 0x57, 0x38, 0x04, 0x29, 
+	0xD4, 0xA9, 0x12, 0xFE, 0x08
 };
 static const int sizeof_ca_ed25519_cert = sizeof(ca_ed25519_cert);
-#endif
+
+#endif /* HAVE_ED25519 */
 
 #endif /* WOLFSSL_CERTS_TEST_H */
 

wolfssl/test.h

@@ -265,6 +265,7 @@
 #define dhParamFile    "certs/dh2048.pem"
 #define cliEccKeyFile  "certs/ecc-client-key.pem"
 #define cliEccCertFile "certs/client-ecc-cert.pem"
+#define caEccCertFile  "certs/ca-ecc-cert/pem"
 #define crlPemDir      "certs/crl"
 #ifdef HAVE_WNR
     /* Whitewood netRandom default config file */
@@ -283,6 +284,7 @@
 #define dhParamFile    "./certs/dh2048.pem"
 #define cliEccKeyFile  "./certs/ecc-client-key.pem"
 #define cliEccCertFile "./certs/client-ecc-cert.pem"
+#define caEccCertFile  "./certs/ca-ecc-cert.pem"
 #define crlPemDir      "./certs/crl"
 #ifdef HAVE_WNR
     /* Whitewood netRandom default config file */