TLS 1.3: Fix P-521 algorithm matching

Digest size compared to key size - P521 has large key size.
Fixed to round down.
Added P-521 keys and certificates.
Added testing of P-521 keys and certificcates to unittest.

Makefile.am

@@ -19,6 +19,7 @@ dist_doc_DATA=
 dist_noinst_SCRIPTS =
 noinst_SCRIPTS =
 check_SCRIPTS =
+noinst_DATA =
 
 #includes additional rules from aminclude.am
 @INC_AMINCLUDE@

certs/include.am

@@ -106,6 +106,7 @@ include certs/crl/include.am
 include certs/ecc/include.am
 include certs/ed25519/include.am
 include certs/ed448/include.am
+include certs/p521/include.am
 include certs/external/include.am
 include certs/ocsp/include.am
 include certs/statickeys/include.am

certs/p521/ca-p521-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQALRgkLeTbbMNpm9sYZzPxYGiUFM2R
+Sldl7zb6JIKI7Mfwy0hFbpZff+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHt
+Q1044AwljbPbsdzetyGAz4feZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1I
+VCHlj5W1m0GNX91y0lo=
+-----END PUBLIC KEY-----

certs/p521/ca-p521-priv.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIB29qI0BYpdJXJ61gEQtz5rWlWL8B+ZKslEzyZlA5Z2iAKjwKUxd6Q
+js0MrD6yn1lne9FGISDUo+sjDDOiQvxx8F2gBwYFK4EEACOhgYkDgYYABAAtGCQt
+5Ntsw2mb2xhnM/FgaJQUzZFKV2XvNvokgojsx/DLSEVull9/63a+REDDGcAzaMQG
+BI7CJbGWgyIOe8ey/AGGke1DXTjgDCWNs9ux3N63IYDPh95k9CE+La95vfbQAEuB
+efr3EKoZzUDXHnU0UykD7UhUIeWPlbWbQY1f3XLSWg==
+-----END EC PRIVATE KEY-----

certs/p521/ca-p521.pem

@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:00:2d:18:24:2d:e4:db:6c:c3:69:9b:db:18:67:
+                    33:f1:60:68:94:14:cd:91:4a:57:65:ef:36:fa:24:
+                    82:88:ec:c7:f0:cb:48:45:6e:96:5f:7f:eb:76:be:
+                    44:40:c3:19:c0:33:68:c4:06:04:8e:c2:25:b1:96:
+                    83:22:0e:7b:c7:b2:fc:01:86:91:ed:43:5d:38:e0:
+                    0c:25:8d:b3:db:b1:dc:de:b7:21:80:cf:87:de:64:
+                    f4:21:3e:2d:af:79:bd:f6:d0:00:4b:81:79:fa:f7:
+                    10:aa:19:cd:40:d7:1e:75:34:53:29:03:ed:48:54:
+                    21:e5:8f:95:b5:9b:41:8d:5f:dd:72:d2:5a
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82
+            X509v3 Authority Key Identifier: 
+                keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:87:02:41:60:cd:fa:94:0d:23:c3:4e:3c:b1:6e:d9:b6:
+         5b:0e:97:1e:a4:df:0a:7c:05:2e:61:0c:d7:c0:e5:86:16:0c:
+         7b:01:a5:33:9a:e6:31:a0:62:91:da:dc:22:d1:ba:4f:75:43:
+         94:43:67:91:20:08:66:96:27:53:b2:61:0e:59:0a:50:02:42:
+         01:ec:87:8d:ca:6d:e0:bf:30:ba:ef:37:13:ad:f6:d1:c4:fc:
+         b5:e5:4b:96:c2:83:a0:d8:ed:04:73:85:8d:54:d7:e9:9a:67:
+         8a:cf:11:36:4a:f2:2f:85:5a:24:5e:3c:79:e1:a7:c4:ec:78:
+         82:7a:52:25:c4:55:57:95:0e:6f:c9:d5
+-----BEGIN CERTIFICATE-----
+MIIDBzCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO
+BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
+U0xfUDUyMTESMBAGA1UECwwJUm9vdC1QNTIxMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjAwOTE0
+MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfcDUy
+MTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8w
+HQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIGbMBAGByqGSM49AgEGBSuB
+BAAjA4GGAAQALRgkLeTbbMNpm9sYZzPxYGiUFM2RSldl7zb6JIKI7Mfwy0hFbpZf
+f+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHtQ1044AwljbPbsdzetyGAz4fe
+ZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1IVCHlj5W1m0GNX91y0lqjYzBh
+MB0GA1UdDgQWBBRAiR0wXgxu1T3G1SWQ2rZCZ+3pgjAfBgNVHSMEGDAWgBRkp2iV
+UzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+hjAKBggqhkjOPQQDAgOBiwAwgYcCQWDN+pQNI8NOPLFu2bZbDpcepN8KfAUuYQzX
+wOWGFgx7AaUzmuYxoGKR2twi0bpPdUOUQ2eRIAhmlidTsmEOWQpQAkIB7IeNym3g
+vzC67zcTrfbRxPy15UuWwoOg2O0Ec4WNVNfpmmeKzxE2SvIvhVokXjx54afE7HiC
+elIlxFVXlQ5vydU=
+-----END CERTIFICATE-----

certs/p521/client-p521-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBYm7xAOzYmVibgGv+LPGy8MhI36zS
+O3Epq/BmY9iOtcjC/JlE4kWxWnu5cwHaeeycJic0RSbViUtE/mlOchTji7wADwmi
+A8Na3JWC9vn2nP+1a3WVS6QoXZ6QBNHAHtX9Q54eg8ARKysHbal6ENdn51E3JNi/
+Aw2LtUBcT9YTc0K8kdk=
+-----END PUBLIC KEY-----

certs/p521/client-p521-priv.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBaJEzU+KQaBGPqqh2DPcqBxuSKqeCPfqDznDIwmCC/hiIaNpqg0Z4
+5OnpzFF/7YECMu4mh8ztYz85J/DXF3ehpDagBwYFK4EEACOhgYkDgYYABAFibvEA
+7NiZWJuAa/4s8bLwyEjfrNI7cSmr8GZj2I61yML8mUTiRbFae7lzAdp57JwmJzRF
+JtWJS0T+aU5yFOOLvAAPCaIDw1rclYL2+fac/7VrdZVLpChdnpAE0cAe1f1Dnh6D
+wBErKwdtqXoQ12fnUTck2L8DDYu1QFxP1hNzQryR2Q==
+-----END EC PRIVATE KEY-----

certs/p521/client-p521.pem

@@ -0,0 +1,73 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            24:9d:c6:98:df:09:87:30:42:bd:e6:4f:86:05:af:dc:82:89:d7:0e
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:01:62:6e:f1:00:ec:d8:99:58:9b:80:6b:fe:2c:
+                    f1:b2:f0:c8:48:df:ac:d2:3b:71:29:ab:f0:66:63:
+                    d8:8e:b5:c8:c2:fc:99:44:e2:45:b1:5a:7b:b9:73:
+                    01:da:79:ec:9c:26:27:34:45:26:d5:89:4b:44:fe:
+                    69:4e:72:14:e3:8b:bc:00:0f:09:a2:03:c3:5a:dc:
+                    95:82:f6:f9:f6:9c:ff:b5:6b:75:95:4b:a4:28:5d:
+                    9e:90:04:d1:c0:1e:d5:fd:43:9e:1e:83:c0:11:2b:
+                    2b:07:6d:a9:7a:10:d7:67:e7:51:37:24:d8:bf:03:
+                    0d:8b:b5:40:5c:4f:d6:13:73:42:bc:91:d9
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                20:E1:BF:57:E5:F3:C3:0C:72:84:6A:C6:DF:BC:22:D0:B7:25:E5:A4
+            X509v3 Authority Key Identifier: 
+                keyid:20:E1:BF:57:E5:F3:C3:0C:72:84:6A:C6:DF:BC:22:D0:B7:25:E5:A4
+                DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_p521/OU=Client-p521/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:24:9D:C6:98:DF:09:87:30:42:BD:E6:4F:86:05:AF:DC:82:89:D7:0E
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Subject Alternative Name: 
+                DNS:example.com, IP Address:127.0.0.1
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:87:02:42:01:e1:85:a5:0e:81:ff:b0:2a:d3:b8:73:8c:
+         1d:8e:1f:42:4c:de:cb:d1:63:69:ce:53:d0:2a:52:14:e4:7a:
+         2f:1e:c4:0b:1b:db:1e:36:97:72:ed:9b:2f:d4:93:79:06:ec:
+         41:6c:6c:18:28:99:56:b6:0b:58:c4:bc:47:db:64:a8:7e:02:
+         41:2b:d0:32:2e:03:81:32:f3:9a:65:58:a4:51:7e:9a:ad:c2:
+         99:bf:21:f1:a1:70:61:4b:ee:8e:df:3b:9c:79:e3:12:b4:3b:
+         9e:64:da:d0:ef:5b:50:7b:a1:b0:30:8f:af:66:71:9d:41:20:
+         cf:e8:9c:bd:f5:3b:c4:fe:00:43:35:24
+-----BEGIN CERTIFICATE-----
+MIIECTCCA2ugAwIBAgIUJJ3GmN8JhzBCveZPhgWv3IKJ1w4wCgYIKoZIzj0EAwIw
+gZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjExFDASBgNVBAsMC0NsaWVudC1wNTIx
+MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A
+d29sZnNzbC5jb20wHhcNMjAwOTE0MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBmTEL
+MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x
+FTATBgNVBAoMDHdvbGZTU0xfcDUyMTEUMBIGA1UECwwLQ2xpZW50LXA1MjExGDAW
+BgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
+c3NsLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAWJu8QDs2JlYm4Br/izx
+svDISN+s0jtxKavwZmPYjrXIwvyZROJFsVp7uXMB2nnsnCYnNEUm1YlLRP5pTnIU
+44u8AA8JogPDWtyVgvb59pz/tWt1lUukKF2ekATRwB7V/UOeHoPAESsrB22pehDX
+Z+dRNyTYvwMNi7VAXE/WE3NCvJHZo4IBSjCCAUYwHQYDVR0OBBYEFCDhv1fl88MM
+coRqxt+8ItC3JeWkMIHZBgNVHSMEgdEwgc6AFCDhv1fl88MMcoRqxt+8ItC3JeWk
+oYGfpIGcMIGZMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
+BwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF9wNTIxMRQwEgYDVQQLDAtDbGll
+bnQtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB
+FhBpbmZvQHdvbGZzc2wuY29tghQkncaY3wmHMEK95k+GBa/cgonXDjAMBgNVHRME
+BTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgOBiwAwgYcCQgHhhaUOgf+w
+KtO4c4wdjh9CTN7L0WNpzlPQKlIU5HovHsQLG9seNpdy7Zsv1JN5BuxBbGwYKJlW
+tgtYxLxH22SofgJBK9AyLgOBMvOaZVikUX6arcKZvyHxoXBhS+6O3zuceeMStDue
+ZNrQ71tQe6GwMI+vZnGdQSDP6Jy99TvE/gBDNSQ=
+-----END CERTIFICATE-----

certs/p521/gen-p521-certs.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+
+check_result(){
+    if [ $1 -ne 0 ]; then
+        echo "Failed at \"$2\", Abort"
+        exit 1
+    else
+        echo "Step Succeeded!"
+    fi
+}
+
+openssl pkey -in root-p521-priv.pem -noout >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    echo "OpenSSL does not support P521"
+    echo "Skipping P521 certificate renewal"
+    exit 0
+fi
+
+############################################################
+###### update the self-signed root-p521.pem ###############
+############################################################
+echo "Updating root-p521.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\\nMontana\\nBozeman\\nwolfSSL_P521\\nRoot-P521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \
+openssl req -new -key root-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-p521.csr
+check_result $? "Generate request"
+
+openssl x509 -req -in root-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-p521-priv.pem -out root-p521.pem
+check_result $? "Generate certificate"
+rm root-p521.csr
+
+openssl x509 -in root-p521.pem -outform DER > root-p521.der
+check_result $? "Convert to DER"
+openssl x509 -in root-p521.pem -text > tmp.pem
+check_result $? "Add text"
+mv tmp.pem root-p521.pem
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+############################################################
+###### update ca-p521.pem signed by root ##################
+############################################################
+echo "Updating ca-p521.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nCA-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-p521.csr
+check_result $? "Generate request"
+
+openssl x509 -req -in ca-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-p521.pem -CAkey root-p521-priv.pem -set_serial 01 -out ca-p521.pem
+check_result $? "Generate certificate"
+rm ca-p521.csr
+
+openssl x509 -in ca-p521.pem -outform DER > ca-p521.der
+check_result $? "Convert to DER"
+openssl x509 -in ca-p521.pem -text > tmp.pem
+check_result $? "Add text"
+mv tmp.pem ca-p521.pem
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+############################################################
+###### update server-p521.pem signed by ca ################
+############################################################
+echo "Updating server-p521.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nServer-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-p521.csr
+check_result $? "Generate request"
+
+openssl x509 -req -in server-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-p521.pem -CAkey ca-p521-priv.pem -set_serial 01 -out server-p521-cert.pem
+check_result $? "Generate certificate"
+rm server-p521.csr
+
+openssl x509 -in server-p521-cert.pem -outform DER > server-p521.der
+check_result $? "Convert to DER"
+openssl x509 -in server-p521-cert.pem -text > tmp.pem
+check_result $? "Add text"
+mv tmp.pem server-p521-cert.pem
+cat server-p521-cert.pem ca-p521.pem > server-p521.pem
+check_result $? "Add CA into server cert"
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+############################################################
+###### update the self-signed client-p521.pem #############
+############################################################
+echo "Updating client-p521.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nClient-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-p521.csr
+check_result $? "Generate request"
+
+openssl x509 -req -in client-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-p521-priv.pem -out client-p521.pem
+check_result $? "Generate certificate"
+rm client-p521.csr
+
+openssl x509 -in client-p521.pem -outform DER > client-p521.der
+check_result $? "Convert to DER"
+openssl x509 -in client-p521.pem -text > tmp.pem
+check_result $? "Add text"
+mv tmp.pem client-p521.pem
+echo "End of section"
+echo "---------------------------------------------------------------------"
+

certs/p521/gen-p521-keys.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+for key in root ca server client
+do
+
+  openssl ecparam -name secp521r1 -genkey -noout > ${key}-p521-priv.pem
+
+  openssl pkey -in ${key}-p521-priv.pem -outform DER -out ${key}-p521-priv.der
+
+  openssl pkey -in ${key}-p521-priv.pem -outform PEM -pubout -out ${key}-p521-key.pem
+
+  openssl pkey -in ${key}-p521-priv.pem -outform DER -pubout -out ${key}-p521-key.der
+
+done
+
+

certs/p521/include.am

@@ -0,0 +1,38 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+         certs/p521/ca-p521.der \
+         certs/p521/ca-p521.pem \
+         certs/p521/ca-p521-key.der \
+         certs/p521/ca-p521-key.pem \
+         certs/p521/ca-p521-priv.der \
+         certs/p521/ca-p521-priv.pem \
+         certs/p521/client-p521.der \
+         certs/p521/client-p521.pem \
+         certs/p521/client-p521-key.der \
+         certs/p521/client-p521-key.pem \
+         certs/p521/client-p521-priv.der \
+         certs/p521/client-p521-priv.pem \
+         certs/p521/root-p521.der \
+         certs/p521/root-p521.pem \
+         certs/p521/root-p521-key.der \
+         certs/p521/root-p521-key.pem \
+         certs/p521/root-p521-priv.der \
+         certs/p521/root-p521-priv.pem \
+         certs/p521/server-p521.der \
+         certs/p521/server-p521.pem \
+         certs/p521/server-p521-cert.pem \
+         certs/p521/server-p521-key.der \
+         certs/p521/server-p521-key.pem \
+         certs/p521/server-p521-priv.der \
+         certs/p521/server-p521-priv.pem
+
+if BUILD_FIPS_V2
+else
+noinst_DATA+= \
+         certs/p521/gen-p521-certs.sh \
+         certs/p521/gen-p521-keys.sh
+endif
+

certs/p521/root-p521-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQWDU5cw32/RMEsz2ejLM8hy3UxW9
+X1Pvy3OpyBRsb33FfLS7jlbCQ0X7WBzGRT1/5U6AzETBBnp14WnJiqgBet8ARElz
+nC9QP4OgHovRqvsIDJAFDQwXMVE+1oU7CRKC0aYIzchPalrIjI5dv9rMW5Wh6Fop
+eCKyukmhhcZIinFTjYk=
+-----END PUBLIC KEY-----

certs/p521/root-p521-priv.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIB+0L/Wo+9bKC8iEmkLdgQkDyeJkbDp0bmhUqOevrpeBqs/Q/0dtg9
+WFwp7ceTJkuLr/osgWrNpTxgVscecuiYRGSgBwYFK4EEACOhgYkDgYYABAFBYNTl
+zDfb9EwSzPZ6MszyHLdTFb1fU+/Lc6nIFGxvfcV8tLuOVsJDRftYHMZFPX/lToDM
+RMEGenXhacmKqAF63wBESXOcL1A/g6Aei9Gq+wgMkAUNDBcxUT7WhTsJEoLRpgjN
+yE9qWsiMjl2/2sxblaHoWil4IrK6SaGFxkiKcVONiQ==
+-----END EC PRIVATE KEY-----

certs/p521/root-p521.pem

@@ -0,0 +1,64 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            23:0c:f9:b8:9a:a1:1d:4f:ec:23:8f:4b:f2:20:5d:7d:ac:43:4e:98
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:01:41:60:d4:e5:cc:37:db:f4:4c:12:cc:f6:7a:
+                    32:cc:f2:1c:b7:53:15:bd:5f:53:ef:cb:73:a9:c8:
+                    14:6c:6f:7d:c5:7c:b4:bb:8e:56:c2:43:45:fb:58:
+                    1c:c6:45:3d:7f:e5:4e:80:cc:44:c1:06:7a:75:e1:
+                    69:c9:8a:a8:01:7a:df:00:44:49:73:9c:2f:50:3f:
+                    83:a0:1e:8b:d1:aa:fb:08:0c:90:05:0d:0c:17:31:
+                    51:3e:d6:85:3b:09:12:82:d1:a6:08:cd:c8:4f:6a:
+                    5a:c8:8c:8e:5d:bf:da:cc:5b:95:a1:e8:5a:29:78:
+                    22:b2:ba:49:a1:85:c6:48:8a:71:53:8d:89
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8
+            X509v3 Authority Key Identifier: 
+                keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:87:02:41:55:16:68:aa:bc:e1:5e:b6:d3:4c:3e:aa:e6:
+         64:e6:ca:94:ec:7d:0f:a8:ea:70:00:33:26:95:27:bd:23:ae:
+         69:5b:29:60:28:1e:0d:fa:69:3d:21:36:f9:9d:80:74:b1:ae:
+         d0:2c:bd:12:13:ce:98:0c:69:39:ab:99:88:90:17:02:02:42:
+         01:f7:b2:95:d0:bf:64:4d:f9:2e:0e:98:40:00:1c:a7:0a:b3:
+         2e:09:f8:c2:27:56:3e:b4:2a:c0:fc:1a:3a:87:c6:6f:ac:20:
+         d4:df:90:f0:00:88:a0:a6:63:79:74:9c:91:c0:ce:7c:21:6b:
+         65:64:a8:fb:83:48:78:eb:78:e0:51:95
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAn6gAwIBAgIUIwz5uJqhHU/sI49L8iBdfaxDTpgwCgYIKoZIzj0EAwIw
+gZcxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRUwEwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIwMDkxNDIzNTcxOFoXDTIzMDYxMTIzNTcxOFowgZcxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUw
+EwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEYMBYGA1UE
+AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQWDU5cw32/RMEsz2ejLM8hy3
+UxW9X1Pvy3OpyBRsb33FfLS7jlbCQ0X7WBzGRT1/5U6AzETBBnp14WnJiqgBet8A
+RElznC9QP4OgHovRqvsIDJAFDQwXMVE+1oU7CRKC0aYIzchPalrIjI5dv9rMW5Wh
+6FopeCKyukmhhcZIinFTjYmjYzBhMB0GA1UdDgQWBBRkp2iVUzMYoiCSvGRVpqvK
+dmibyDAfBgNVHSMEGDAWgBRkp2iVUzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBiwAwgYcCQVUWaKq8
+4V6200w+quZk5sqU7H0PqOpwADMmlSe9I65pWylgKB4N+mk9ITb5nYB0sa7QLL0S
+E86YDGk5q5mIkBcCAkIB97KV0L9kTfkuDphAABynCrMuCfjCJ1Y+tCrA/Bo6h8Zv
+rCDU35DwAIigpmN5dJyRwM58IWtlZKj7g0h463jgUZU=
+-----END CERTIFICATE-----

certs/p521/server-p521-cert.pem

@@ -0,0 +1,68 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Server-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:00:de:70:69:f6:d1:9e:c4:fe:5f:82:52:98:ce:
+                    52:c1:6a:4c:12:22:0f:76:88:22:11:a5:0d:a6:02:
+                    47:91:ab:79:8d:f6:08:70:2d:20:14:15:df:1b:57:
+                    58:b3:51:ab:20:a8:2b:bd:6a:3f:a9:ee:c2:6d:ae:
+                    99:44:b4:a1:12:10:70:00:ca:1f:14:1d:b0:e7:0c:
+                    41:18:52:37:04:a7:84:53:a1:02:46:93:1f:d5:60:
+                    63:a6:2e:7d:8d:ea:3f:e0:5b:e5:c8:6e:1f:a7:d9:
+                    a3:59:e5:96:27:22:f4:02:2b:af:5b:78:1f:13:a8:
+                    22:8b:ec:ae:01:7d:c0:61:13:a4:35:0a:21
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                85:86:9F:AE:73:5F:94:77:27:3B:15:15:C6:79:07:A8:42:4B:1E:F3
+            X509v3 Authority Key Identifier: 
+                keyid:40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82
+
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            Netscape Cert Type: 
+                SSL Server
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:88:02:42:01:95:31:ef:ac:8f:c7:79:c8:b1:27:21:70:
+         24:d1:78:d6:d4:da:d0:1d:44:52:6f:3f:0a:f1:33:ac:70:14:
+         cf:62:e6:23:a8:a5:30:04:e1:40:7b:05:c5:45:c9:be:b0:32:
+         d5:00:77:c7:6b:1d:37:7a:2c:83:02:9d:ef:5d:9e:9c:91:02:
+         42:01:f8:7c:5b:fc:b3:1a:26:2c:b4:41:c8:bf:0d:ae:74:5a:
+         0d:25:10:7d:9d:33:ec:5c:29:c0:7c:6a:96:f3:28:b6:06:de:
+         13:1f:b1:a1:76:38:ea:a1:db:81:21:b6:81:0c:8f:67:b7:3d:
+         7b:6b:e0:72:67:e3:d1:71:11:92:8b:d0:f1
+-----BEGIN CERTIFICATE-----
+MIIDMTCCApKgAwIBAgIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEDAO
+BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
+U0xfcDUyMTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
+Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIwMDkxNDIz
+NTcxOFoXDTIzMDYxMTIzNTcxOFowgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
+b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjEx
+FDASBgNVBAsMC1NlcnZlci1wNTIxMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZswEAYHKoZIzj0CAQYF
+K4EEACMDgYYABADecGn20Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAt
+IBQV3xtXWLNRqyCoK71qP6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaT
+H9VgY6YufY3qP+Bb5chuH6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIaOB
+iTCBhjAdBgNVHQ4EFgQUhYafrnNflHcnOxUVxnkHqEJLHvMwHwYDVR0jBBgwFoAU
+QIkdMF4MbtU9xtUlkNq2Qmft6YIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC
+A6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqG
+SM49BAMCA4GMADCBiAJCAZUx76yPx3nIsSchcCTReNbU2tAdRFJvPwrxM6xwFM9i
+5iOopTAE4UB7BcVFyb6wMtUAd8drHTd6LIMCne9dnpyRAkIB+Hxb/LMaJiy0Qci/
+Da50Wg0lEH2dM+xcKcB8apbzKLYG3hMfsaF2OOqh24EhtoEMj2e3PXtr4HJn49Fx
+EZKL0PE=
+-----END CERTIFICATE-----

certs/p521/server-p521-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA3nBp9tGexP5fglKYzlLBakwSIg92
+iCIRpQ2mAkeRq3mN9ghwLSAUFd8bV1izUasgqCu9aj+p7sJtrplEtKESEHAAyh8U
+HbDnDEEYUjcEp4RToQJGkx/VYGOmLn2N6j/gW+XIbh+n2aNZ5ZYnIvQCK69beB8T
+qCKL7K4BfcBhE6Q1CiE=
+-----END PUBLIC KEY-----

certs/p521/server-p521-priv.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBA/UQ99abMXYOwp9KaXiqAj86ltsFQghlThjy9iBcnWkX1HwOvRd7
+cQFcIMmwK3LwktTPTcFOo0hgfvdwPKVlVJSgBwYFK4EEACOhgYkDgYYABADecGn2
+0Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAtIBQV3xtXWLNRqyCoK71q
+P6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaTH9VgY6YufY3qP+Bb5chu
+H6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIQ==
+-----END EC PRIVATE KEY-----

certs/p521/server-p521.pem

@@ -0,0 +1,131 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Server-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:00:de:70:69:f6:d1:9e:c4:fe:5f:82:52:98:ce:
+                    52:c1:6a:4c:12:22:0f:76:88:22:11:a5:0d:a6:02:
+                    47:91:ab:79:8d:f6:08:70:2d:20:14:15:df:1b:57:
+                    58:b3:51:ab:20:a8:2b:bd:6a:3f:a9:ee:c2:6d:ae:
+                    99:44:b4:a1:12:10:70:00:ca:1f:14:1d:b0:e7:0c:
+                    41:18:52:37:04:a7:84:53:a1:02:46:93:1f:d5:60:
+                    63:a6:2e:7d:8d:ea:3f:e0:5b:e5:c8:6e:1f:a7:d9:
+                    a3:59:e5:96:27:22:f4:02:2b:af:5b:78:1f:13:a8:
+                    22:8b:ec:ae:01:7d:c0:61:13:a4:35:0a:21
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                85:86:9F:AE:73:5F:94:77:27:3B:15:15:C6:79:07:A8:42:4B:1E:F3
+            X509v3 Authority Key Identifier: 
+                keyid:40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82
+
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            Netscape Cert Type: 
+                SSL Server
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:88:02:42:01:95:31:ef:ac:8f:c7:79:c8:b1:27:21:70:
+         24:d1:78:d6:d4:da:d0:1d:44:52:6f:3f:0a:f1:33:ac:70:14:
+         cf:62:e6:23:a8:a5:30:04:e1:40:7b:05:c5:45:c9:be:b0:32:
+         d5:00:77:c7:6b:1d:37:7a:2c:83:02:9d:ef:5d:9e:9c:91:02:
+         42:01:f8:7c:5b:fc:b3:1a:26:2c:b4:41:c8:bf:0d:ae:74:5a:
+         0d:25:10:7d:9d:33:ec:5c:29:c0:7c:6a:96:f3:28:b6:06:de:
+         13:1f:b1:a1:76:38:ea:a1:db:81:21:b6:81:0c:8f:67:b7:3d:
+         7b:6b:e0:72:67:e3:d1:71:11:92:8b:d0:f1
+-----BEGIN CERTIFICATE-----
+MIIDMTCCApKgAwIBAgIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEDAO
+BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
+U0xfcDUyMTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
+Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIwMDkxNDIz
+NTcxOFoXDTIzMDYxMTIzNTcxOFowgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
+b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjEx
+FDASBgNVBAsMC1NlcnZlci1wNTIxMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZswEAYHKoZIzj0CAQYF
+K4EEACMDgYYABADecGn20Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAt
+IBQV3xtXWLNRqyCoK71qP6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaT
+H9VgY6YufY3qP+Bb5chuH6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIaOB
+iTCBhjAdBgNVHQ4EFgQUhYafrnNflHcnOxUVxnkHqEJLHvMwHwYDVR0jBBgwFoAU
+QIkdMF4MbtU9xtUlkNq2Qmft6YIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC
+A6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqG
+SM49BAMCA4GMADCBiAJCAZUx76yPx3nIsSchcCTReNbU2tAdRFJvPwrxM6xwFM9i
+5iOopTAE4UB7BcVFyb6wMtUAd8drHTd6LIMCne9dnpyRAkIB+Hxb/LMaJiy0Qci/
+Da50Wg0lEH2dM+xcKcB8apbzKLYG3hMfsaF2OOqh24EhtoEMj2e3PXtr4HJn49Fx
+EZKL0PE=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:00:2d:18:24:2d:e4:db:6c:c3:69:9b:db:18:67:
+                    33:f1:60:68:94:14:cd:91:4a:57:65:ef:36:fa:24:
+                    82:88:ec:c7:f0:cb:48:45:6e:96:5f:7f:eb:76:be:
+                    44:40:c3:19:c0:33:68:c4:06:04:8e:c2:25:b1:96:
+                    83:22:0e:7b:c7:b2:fc:01:86:91:ed:43:5d:38:e0:
+                    0c:25:8d:b3:db:b1:dc:de:b7:21:80:cf:87:de:64:
+                    f4:21:3e:2d:af:79:bd:f6:d0:00:4b:81:79:fa:f7:
+                    10:aa:19:cd:40:d7:1e:75:34:53:29:03:ed:48:54:
+                    21:e5:8f:95:b5:9b:41:8d:5f:dd:72:d2:5a
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82
+            X509v3 Authority Key Identifier: 
+                keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:87:02:41:60:cd:fa:94:0d:23:c3:4e:3c:b1:6e:d9:b6:
+         5b:0e:97:1e:a4:df:0a:7c:05:2e:61:0c:d7:c0:e5:86:16:0c:
+         7b:01:a5:33:9a:e6:31:a0:62:91:da:dc:22:d1:ba:4f:75:43:
+         94:43:67:91:20:08:66:96:27:53:b2:61:0e:59:0a:50:02:42:
+         01:ec:87:8d:ca:6d:e0:bf:30:ba:ef:37:13:ad:f6:d1:c4:fc:
+         b5:e5:4b:96:c2:83:a0:d8:ed:04:73:85:8d:54:d7:e9:9a:67:
+         8a:cf:11:36:4a:f2:2f:85:5a:24:5e:3c:79:e1:a7:c4:ec:78:
+         82:7a:52:25:c4:55:57:95:0e:6f:c9:d5
+-----BEGIN CERTIFICATE-----
+MIIDBzCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO
+BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
+U0xfUDUyMTESMBAGA1UECwwJUm9vdC1QNTIxMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjAwOTE0
+MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfcDUy
+MTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8w
+HQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIGbMBAGByqGSM49AgEGBSuB
+BAAjA4GGAAQALRgkLeTbbMNpm9sYZzPxYGiUFM2RSldl7zb6JIKI7Mfwy0hFbpZf
+f+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHtQ1044AwljbPbsdzetyGAz4fe
+ZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1IVCHlj5W1m0GNX91y0lqjYzBh
+MB0GA1UdDgQWBBRAiR0wXgxu1T3G1SWQ2rZCZ+3pgjAfBgNVHSMEGDAWgBRkp2iV
+UzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+hjAKBggqhkjOPQQDAgOBiwAwgYcCQWDN+pQNI8NOPLFu2bZbDpcepN8KfAUuYQzX
+wOWGFgx7AaUzmuYxoGKR2twi0bpPdUOUQ2eRIAhmlidTsmEOWQpQAkIB7IeNym3g
+vzC67zcTrfbRxPy15UuWwoOg2O0Ec4WNVNfpmmeKzxE2SvIvhVokXjx54afE7HiC
+elIlxFVXlQ5vydU=
+-----END CERTIFICATE-----

certs/renewcerts.sh

@@ -504,7 +504,7 @@ run_renewcerts(){
     echo "---------------------------------------------------------------------"
 
     ############################################################
-    ########## generate PKCS7 bundles ##########################
+    ########## generate Ed448 certificates #####################
     ############################################################
     echo "Renewing Ed448 certificates"
     cd ed448
@@ -513,6 +513,16 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
 
+    ############################################################
+    ########## generate P-521 certificates #####################
+    ############################################################
+    echo "Renewing Ed448 certificates"
+    cd p521
+    ./gen-p521-certs.sh
+    cd ..
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+
     ############################################################
     ###### update the ecc-rsa-server.p12 file ##################
     ############################################################

src/internal.c

@@ -19461,7 +19461,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
     #if defined(WOLFSSL_TLS13) && defined(HAVE_ECC)
         if (IsAtLeastTLSv1_3(ssl->version) && sigAlgo == ssl->suites->sigAlgo &&
                                                    sigAlgo == ecc_dsa_sa_algo) {
-
+            int curveSz = ssl->buffers.keySz & (~0x3);
             int digestSz = GetMacDigestSize(hashAlgo);
             if (digestSz <= 0)
                 continue;
@@ -19469,7 +19469,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
             /* TLS 1.3 signature algorithms for ECDSA match hash length with
              * key size.
              */
-            if (digestSz != ssl->buffers.keySz)
+            if (digestSz != curveSz)
                 continue;
 
             ssl->suites->hashAlgo = hashAlgo;

tests/include.am

@@ -49,5 +49,6 @@ EXTRA_DIST += tests/test.conf \
               tests/test-chains.conf \
               tests/test-altchains.conf \
               tests/test-trustpeer.conf \
-              tests/test-dhprime.conf
+              tests/test-dhprime.conf \
+              tests/test-p521.conf
 DISTCLEANFILES+= tests/.libs/unit.test

tests/suites.c

@@ -879,6 +879,18 @@ int SuiteTest(int argc, char** argv)
         goto exit;
     }
 #endif
+#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
+                                                         defined(WOLFSSL_SHA512)
+    /* add P-521 certificate cipher suite tests */
+    strcpy(argv0[1], "tests/test-p521.conf");
+    printf("starting P-521 extra cipher suite tests\n");
+    test_harness(&args);
+    if (args.return_code != 0) {
+        printf("error from script %d\n", args.return_code);
+        args.return_code = EXIT_FAILURE;
+        goto exit;
+    }
+#endif
 #ifdef WOLFSSL_DTLS
     /* add dtls extra suites */
     strcpy(argv0[1], "tests/test-dtls.conf");

tests/test-p521.conf

@@ -0,0 +1,61 @@
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/p521/server-p521.pem
+-k ./certs/p521/server-p521-priv.pem
+-d
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/p521/root-p521.pem
+-C
+
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/p521/server-p521.pem
+-k ./certs/p521/server-p521-priv.pem
+-A ./certs/p521/client-p521.pem
+-V
+# Remove -V when CRL for P-521 certificates available.
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/p521/client-p521.pem
+-k ./certs/p521/client-p521-priv.pem
+-A ./certs/p521/root-p521.pem
+-C
+
+# server TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/p521/server-p521.pem
+-k ./certs/p521/server-p521-priv.pem
+-d
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-A ./certs/p521/root-p521.pem
+-C
+
+# Enable when CRL for P-521 certificates available.
+# server TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/p521/server-p521.pem
+-k ./certs/p521/server-p521-priv.pem
+-A ./certs/p521/client-p521.pem
+-V
+# Remove -V when CRL for P-521 certificates available.
+
+# client TLSv1.3 TLS13-AES128-GCM-SHA256
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-c ./certs/p521/client-p521.pem
+-k ./certs/p521/client-p521-priv.pem
+-A ./certs/p521/root-p521.pem
+-C
+