Added TLS v1.2 and v1.3 test cases for ECC Koblitz and Brainpool curves (both server auth and mutual auth). Cipher suites: `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDH-ECDSA-AES128-GCM-SHA256` and `TLS13-AES128-GCM-SHA256`.

certs/ecc/bp256r1-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHgCAQEEIALRjSn7gQicLnRopI92xvo14rrdLVl0IEzDB40t3Pa7oAsGCSskAwMC
+CAEBB6FEA0IABC7vJ8tXOtxiJba1QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXg
+OGuAhGSfcKrYuzOQwduBRq7pgckDabXOres=
+-----END EC PRIVATE KEY-----

certs/ecc/client-bp256r1-cert.pem

@@ -0,0 +1,57 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            23:c2:32:32:87:c0:20:35:77:e6:56:4b:ba:d3:ba:19:de:0e:ed:9e
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:58 2020 GMT
+            Not After : Oct 13 20:13:58 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee:
+                    29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62:
+                    10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f:
+                    70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03:
+                    69:b5:ce:ad:eb
+                ASN1 OID: brainpoolP256r1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Subject Key Identifier: 
+                B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+            X509v3 Authority Key Identifier: 
+                keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:28:b6:b4:eb:ae:c1:9b:71:0a:15:92:93:d6:2d:
+         12:a6:ff:2d:2a:f5:23:a8:e2:df:6c:d9:33:d4:7f:e9:2e:08:
+         02:20:33:eb:45:aa:c1:7c:36:c1:60:52:09:0e:2d:e4:2a:49:
+         1d:d8:b2:c5:79:3e:be:d4:61:c5:14:d0:b6:f2:42:d4
+-----BEGIN CERTIFICATE-----
+MIICyTCCAnCgAwIBAgIUI8IyMofAIDV35lZLutO6Gd4O7Z4wCgYIKoZIzj0EAwIw
+gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNM
+STEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1OFoXDTMwMTAxMzIwMTM1OFowgZox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
+dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNMSTEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1
+QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD
+abXOreujgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYDVR0O
+BBYEFLQbO09l8r+eio/jM5ZEH2fqszTVMB8GA1UdIwQYMBaAFLQbO09l8r+eio/j
+M5ZEH2fqszTVMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
+KwYBBQUHAwQwCgYIKoZIzj0EAwIDRwAwRAIgKLa0667Bm3EKFZKT1i0Spv8tKvUj
+qOLfbNkz1H/pLggCIDPrRarBfDbBYFIJDi3kKkkd2LLFeT6+1GHFFNC28kLU
+-----END CERTIFICATE-----

certs/ecc/client-secp256k1-cert.pem

@@ -0,0 +1,57 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3d:12:fd:a2:a8:15:63:d8:4e:3f:48:81:46:92:ae:65:f3:27:7f:f2
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:49 2020 GMT
+            Not After : Oct 13 20:13:49 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4:
+                    3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c:
+                    b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23:
+                    36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33:
+                    1f:cd:79:82:10
+                ASN1 OID: secp256k1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Subject Key Identifier: 
+                44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+            X509v3 Authority Key Identifier: 
+                keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:73:08:4a:18:d1:ad:81:f6:5c:59:27:da:36:9a:
+         cd:fb:4e:97:5a:58:b3:61:fe:b0:ec:7e:76:ca:0c:5a:d3:c1:
+         02:21:00:a5:05:b4:f5:2f:d3:bf:71:d4:0c:fb:bf:a0:64:0b:
+         cd:bb:18:ef:df:92:bc:5c:cc:6c:74:82:c8:52:5a:f6:46
+-----BEGIN CERTIFICATE-----
+MIICwjCCAmigAwIBAgIUPRL9oqgVY9hOP0iBRpKuZfMnf/IwCgYIKoZIzj0EAwIw
+gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1DTEkx
+GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDlaFw0zMDEwMTMyMDEzNDlaMIGYMQsw
+CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs
+ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtQ0xJMRgwFgYD
+VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
+bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp
+y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4GQ
+MIGNMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1UdDgQWBBREathx
+batiGCECJyOQvx13tnlLdzAfBgNVHSMEGDAWgBREathxbatiGCECJyOQvx13tnlL
+dzAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
+MAoGCCqGSM49BAMCA0gAMEUCIHMIShjRrYH2XFkn2jaazftOl1pYs2H+sOx+dsoM
+WtPBAiEApQW09S/Tv3HUDPu/oGQLzbsY79+SvFzMbHSCyFJa9kY=
+-----END CERTIFICATE-----

certs/ecc/genecc.sh

@@ -88,6 +88,39 @@ rm ./certs/client-ecc384-req.pem
 rm ./certs/client-ecc384-key.par
 
 
+# Generate ECC Kerberos Keys
+if [ -f ./certs/ecc/secp256k1-key.pem ]; then
+	openssl ecparam -name secp256k1 -genkey -noout -out ./certs/ecc/secp256k1-key.pem
+	openssl ec -in ./certs/ecc/secp256k1-key.pem -inform PEM -out ./certs/ecc/secp256k1-key.der -outform DER
+fi
+# Create self-signed ECC Kerberos certificates
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/server-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/server-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/server-secp256k1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/server-secp256k1-cert.pem -outform der -out ./certs/ecc/server-secp256k1-cert.der
+rm ./certs/ecc/server-secp256k1-req.pem
+
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/client-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/client-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/client-secp256k1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/client-secp256k1-cert.pem -outform der -out ./certs/ecc/client-secp256k1-cert.der
+rm ./certs/ecc/client-secp256k1-req.pem
+
+# Generate ECC Brainpool Keys
+if [ -f ./certs/ecc/bp256r1-key.pem ]; then
+	openssl ecparam -name brainpoolP256r1 -genkey -noout -out ./certs/ecc/bp256r1-key.pem
+	openssl ec -in ./certs/ecc/bp256r1-key.pem -inform PEM -out ./certs/ecc/bp256r1-key.der -outform DER
+fi
+# Create self-signed ECC Brainpool certificates
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/server-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/server-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/server-bp256r1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/server-bp256r1-cert.pem -outform der -out ./certs/ecc/server-bp256r1-cert.der
+rm ./certs/ecc/server-bp256r1-req.pem
+
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/client-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/client-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/client-bp256r1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/client-bp256r1-cert.pem -outform der -out ./certs/ecc/client-bp256r1-cert.der
+rm ./certs/ecc/client-bp256r1-req.pem
+
+
 # Also manually need to:
 # 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
 # 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der

certs/ecc/include.am

@@ -6,3 +6,21 @@ EXTRA_DIST += \
 	     certs/ecc/genecc.sh \
 	     certs/ecc/wolfssl.cnf \
 	     certs/ecc/wolfssl_384.cnf
+
+# Koblitz Curves
+EXTRA_DIST += \
+	     certs/ecc/secp256k1-key.der \
+		 certs/ecc/secp256k1-key.pem \
+		 certs/ecc/client-secp256k1-cert.der \
+		 certs/ecc/client-secp256k1-cert.pem \
+		 certs/ecc/server-secp256k1-cert.der \
+		 certs/ecc/server-secp256k1-cert.pem
+
+# Brainpool Curves
+EXTRA_DIST += \
+		 certs/ecc/bp256r1-key.der \
+		 certs/ecc/bp256r1-key.pem \
+		 certs/ecc/client-bp256r1-cert.der \
+		 certs/ecc/client-bp256r1-cert.pem \
+		 certs/ecc/server-bp256r1-cert.der \
+		 certs/ecc/server-bp256r1-cert.pem

certs/ecc/secp256k1-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEILlFjaVww/Q8MLWZOcmS3ZCx3VCJWWoNXxRYRA3e4IApoAcGBSuBBAAK
+oUQDQgAE1w0L8Q4iiP771eXhCaQ+kHazKcvZE2C36oiC14y22yHckw/pWLvF8qLC
+9SM2xdXrJKYk2+4CsAUxpjMfzXmCEA==
+-----END EC PRIVATE KEY-----

certs/ecc/server-bp256r1-cert.pem

@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2f:f8:fa:8b:cf:ec:8f:2c:bc:40:fb:95:a0:3e:04:db:dd:c5:7f:08
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:55 2020 GMT
+            Not After : Oct 13 20:13:55 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee:
+                    29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62:
+                    10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f:
+                    70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03:
+                    69:b5:ce:ad:eb
+                ASN1 OID: brainpoolP256r1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Subject Key Identifier: 
+                B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+            X509v3 Authority Key Identifier: 
+                keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:2F:F8:FA:8B:CF:EC:8F:2C:BC:40:FB:95:A0:3E:04:DB:DD:C5:7F:08
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:21:00:81:37:b3:f7:a7:e7:9d:1b:62:3f:25:20:02:
+         45:93:45:5c:91:23:1b:8b:bc:09:0c:f7:ef:51:29:a4:90:ec:
+         91:02:20:74:dd:26:c3:eb:24:e1:33:ce:b4:c6:f8:5f:9f:99:
+         6d:2b:9a:ee:ac:33:d8:08:29:19:3c:00:f1:83:de:a6:af
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAySgAwIBAgIUL/j6i8/sjyy8QPuVoD4E293FfwgwCgYIKoZIzj0EAwIw
+gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNS
+VjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1NVoXDTMwMTAxMzIwMTM1NVowgZox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
+dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1
+QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD
+abXOreujggFDMIIBPzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAdBgNV
+HQ4EFgQUtBs7T2Xyv56Kj+MzlkQfZ+qzNNUwgdoGA1UdIwSB0jCBz4AUtBs7T2Xy
+v56Kj+MzlkQfZ+qzNNWhgaCkgZ0wgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApX
+YXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcw
+FQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghQv+PqLz+yPLLxA+5Wg
+PgTb3cV/CDAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYI
+KoZIzj0EAwIDSAAwRQIhAIE3s/en550bYj8lIAJFk0VckSMbi7wJDPfvUSmkkOyR
+AiB03SbD6yThM860xvhfn5ltK5rurDPYCCkZPADxg96mrw==
+-----END CERTIFICATE-----

certs/ecc/server-secp256k1-cert.pem

@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            60:d5:b7:78:ff:06:14:3b:1e:c5:ba:8b:dd:5e:67:b2:16:aa:b2:c7
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:46 2020 GMT
+            Not After : Oct 13 20:13:46 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4:
+                    3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c:
+                    b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23:
+                    36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33:
+                    1f:cd:79:82:10
+                ASN1 OID: secp256k1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Subject Key Identifier: 
+                44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+            X509v3 Authority Key Identifier: 
+                keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:60:D5:B7:78:FF:06:14:3B:1E:C5:BA:8B:DD:5E:67:B2:16:AA:B2:C7
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:01:71:b5:5f:e4:5b:b7:95:b4:59:9a:b0:dc:ef:
+         64:01:76:ef:04:07:d8:b4:44:e5:db:86:e4:05:8c:c1:22:19:
+         02:20:3e:93:fb:30:f9:4c:89:39:35:df:b3:79:d5:29:bb:2b:
+         08:84:8a:f8:55:7c:f9:68:d6:2c:11:28:af:a9:33:0f
+-----BEGIN CERTIFICATE-----
+MIIDczCCAxqgAwIBAgIUYNW3eP8GFDsexbqL3V5nshaqsscwCgYIKoZIzj0EAwIw
+gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1TUlYx
+GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDZaFw0zMDEwMTMyMDEzNDZaMIGYMQsw
+CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs
+ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtU1JWMRgwFgYD
+VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
+bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp
+y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4IB
+QTCCAT0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwHQYDVR0OBBYEFERq
+2HFtq2IYIQInI5C/HXe2eUt3MIHYBgNVHSMEgdAwgc2AFERq2HFtq2IYIQInI5C/
+HXe2eUt3oYGepIGbMIGYMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv
+bjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwM
+RUNDMjU2SzEtU1JWMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGDVt3j/BhQ7HsW6i91eZ7IWqrLHMA4G
+A1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATAKBggqhkjOPQQDAgNH
+ADBEAiABcbVf5Fu3lbRZmrDc72QBdu8EB9i0ROXbhuQFjMEiGQIgPpP7MPlMiTk1
+37N51Sm7KwiEivhVfPlo1iwRKK+pMw8=
+-----END CERTIFICATE-----

tests/include.am

@@ -49,5 +49,6 @@ EXTRA_DIST += tests/test.conf \
               tests/test-altchains.conf \
               tests/test-trustpeer.conf \
               tests/test-dhprime.conf \
-              tests/test-p521.conf
+              tests/test-p521.conf \
+              test-ecc-cust-curves.conf
 DISTCLEANFILES+= tests/.libs/unit.test

tests/suites.c

@@ -882,8 +882,8 @@ int SuiteTest(int argc, char** argv)
         goto exit;
     }
 #endif
-#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
-                                                         defined(WOLFSSL_SHA512)
+#if defined(HAVE_ECC) && defined(WOLFSSL_SHA512) && \
+    (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES))
     /* add P-521 certificate cipher suite tests */
     strcpy(argv0[1], "tests/test-p521.conf");
     printf("starting P-521 extra cipher suite tests\n");
@@ -894,6 +894,18 @@ int SuiteTest(int argc, char** argv)
         goto exit;
     }
 #endif
+#if defined(HAVE_ECC) && !defined(NO_SHA256) && defined(WOLFSSL_CUSTOM_CURVES) && \
+    defined(HAVE_ECC_KOBLITZ) && defined(HAVE_ECC_BRAINPOOL)
+    /* TLS non-NIST curves (Koblitz / Brainpool) */
+    strcpy(argv0[1], "tests/test-ecc-cust-curves.conf");
+    printf("starting TLS test of non-NIST curves (Koblitz / Brainpool)\n");
+    test_harness(&args);
+    if (args.return_code != 0) {
+        printf("error from script %d\n", args.return_code);
+        args.return_code = EXIT_FAILURE;
+        goto exit;
+    }
+#endif
 #ifdef WOLFSSL_DTLS
     /* add dtls extra suites */
     strcpy(argv0[1], "tests/test-dtls.conf");

tests/test-ecc-cust-curves.conf

@@ -0,0 +1,181 @@
+# ----- secp256k1 ------
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-d
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/ecc/server-secp256k1-cert.pem
+-x
+-C
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-d
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-A ./certs/ecc/server-secp256k1-cert.pem
+-x
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-d
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-A ./certs/ecc/server-secp256k1-cert.pem
+-x
+-C
+
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutual auth)
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/client-secp256k1-cert.pem
+-V
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutal auth)
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/client-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/server-secp256k1-cert.pem
+-C
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutual auth)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/client-secp256k1-cert.pem
+-V
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutal auth)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/client-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/server-secp256k1-cert.pem
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/server-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/client-secp256k1-cert.pem
+-V
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/client-secp256k1-cert.pem
+-k ./certs/ecc/secp256k1-key.pem
+-A ./certs/ecc/server-secp256k1-cert.pem
+-C
+
+# ----- bp256r1 ------
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-d
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/ecc/server-bp256r1-cert.pem
+-x
+-C
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-d
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-A ./certs/ecc/server-bp256r1-cert.pem
+-x
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-d
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-A ./certs/ecc/server-bp256r1-cert.pem
+-x
+-C
+
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutual auth)
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/client-bp256r1-cert.pem
+-V
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutal auth)
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/client-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/server-bp256r1-cert.pem
+-C
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutual auth)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/client-bp256r1-cert.pem
+-V
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutal auth)
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/ecc/client-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/server-bp256r1-cert.pem
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/server-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/client-bp256r1-cert.pem
+-V
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/ecc/client-bp256r1-cert.pem
+-k ./certs/ecc/bp256r1-key.pem
+-A ./certs/ecc/server-bp256r1-cert.pem
+-C