From 3be7eacea976aa68310c786fcc312e5fd279aa3c Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Wed, 24 Oct 2018 10:55:39 -0700
Subject: [PATCH] Added client/server certs and keys for P-384-bit signed by
 P-384 CA. Fix for broken certs/ecc/genecc.sh script. Added simple P-384
 cipher suite test.

---
 certs/client-ecc384-cert.der | Bin 0 -> 754 bytes
 certs/client-ecc384-cert.pem |  18 ++++++
 certs/client-ecc384-key.der  | Bin 0 -> 167 bytes
 certs/client-ecc384-key.pem  |   6 ++
 certs/crl/gencrls.sh         |  18 +++---
 certs/crl/include.am         |   3 +-
 certs/crl/wolfssl.cnf        | 110 +++++++++++++++++++++++++++++++++++
 certs/ecc/genecc.sh          |  62 ++++++++++++++++----
 certs/ecc/include.am         |   4 +-
 certs/ecc/wolfssl.cnf        |  14 ++---
 certs/ecc/wolfssl_384.cnf    | 110 +++++++++++++++++++++++++++++++++++
 certs/server-ecc384-cert.der | Bin 0 -> 918 bytes
 certs/server-ecc384-cert.pem |  22 +++++++
 certs/server-ecc384-key.der  | Bin 0 -> 167 bytes
 certs/server-ecc384-key.pem  |   6 ++
 tests/test.conf              |  14 +++++
 16 files changed, 356 insertions(+), 31 deletions(-)
 create mode 100644 certs/client-ecc384-cert.der
 create mode 100644 certs/client-ecc384-cert.pem
 create mode 100644 certs/client-ecc384-key.der
 create mode 100644 certs/client-ecc384-key.pem
 create mode 100644 certs/crl/wolfssl.cnf
 create mode 100644 certs/ecc/wolfssl_384.cnf
 create mode 100644 certs/server-ecc384-cert.der
 create mode 100644 certs/server-ecc384-cert.pem
 create mode 100644 certs/server-ecc384-key.der
 create mode 100644 certs/server-ecc384-key.pem

diff --git a/certs/client-ecc384-cert.der b/certs/client-ecc384-cert.der
new file mode 100644
index 0000000000000000000000000000000000000000..9bf89c7f124920c0d9747f44c44531a1de34080d
GIT binary patch
literal 754
zcmXqLVtQxL#8kY1nTe5!iAjLbfQyYotIgw_EekWVLF05oZUas>=1>+kVW!YvLtz6!
z5Ql?@D?G6{BQr0(BtOqkz<>`V$j-waoSIltl9LJ(;o@O0&(BE<4)!q=F%SZ&;pX9X
zNi9pw$uG!F%_}jKFc1TYGV}14mzV2-)D{=#=q2ap8p<2UvT*{P(e|B}k&{tOATuv5
z-vLR1ft)z6p@pG=p{1d*iJ^f}lsK;mh-(Pt8Z=I$(B-Z<nFS@8$uKW-^KiL3I~!Y=
zIOk+i<nS^B0XBAU05dVNv1&K6Feou6F|ec^;jm3xzEJc^FqiV?wcO|WPkfmnyX?lM
zJSD+jJKxVd@JrLqgW>1DL(9CRmkX`Pp5P<1drfQ}U(&e(h40SgH>Mvixt#H@^G*3_
zN&QYQ+47&$z0;U7mL{#A+Iaf0irMSd#f=jT8hgQUDJ#svWWWH7NzQ~e55~41PK=B!
zEX+)-3xHwH94gDlBE}*j_vwQ4k3UOK+u!N>I$g^tc!Sf=D+cl)X=N5*tTl+NesEaL
zN8(D+?n^B_bGTS1H3$U<fzyF3KO^IRuz3$4=BcuX8HliPXtOc0va&NX!C5TGDUCUk
z!61#vkl_n&#i2j%zPihZL@nHF#PU}_yT@=p3(IcxHGfN5<X-tEepz3zc1O~qtFtp#
zAAfuH1W-%opK^`qpJ(Uos{Zp`*eRw{JfJLf&$=x&$CSQ&$SZoLSgv=)I=91ZOM1~$
J!LYM0Q~?di=HdVV

literal 0
HcmV?d00001

diff --git a/certs/client-ecc384-cert.pem b/certs/client-ecc384-cert.pem
new file mode 100644
index 000000000..e8392fcf1
--- /dev/null
+++ b/certs/client-ecc384-cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7jCCAnOgAwIBAgICEAEwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
+b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MTAx
+OTEzNDEwMloXDTQ4MTAxMTEzNDEwMlowgZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
+DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
+MRMwEQYDVQQLDApFQ0MzODRDbGl0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wdjAQBgcqhkjOPQIBBgUr
+gQQAIgNiAARmxAg9ZqehFdRTCiOzrQvOj8j0mB2m2LJuIhH6ue+ZwPopPkgA+f7C
+pkobpxKoa5BMHLusXW4OYs5wIPdDd9iXx3TTaP6J7HfLGS+JSh13+ZdLZgJopWKv
+lYHL4yQ264WjgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYD
+VR0OBBYEFB7y0Bv4/KXLP9yK9ZcqQlOwQvnUMB8GA1UdIwQYMBaAFKvgwyZMGNRy
+u9KEjJwKBZKAElNSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
+AgYIKwYBBQUHAwQwCgYIKoZIzj0EAwMDaQAwZgIxAPQNeML87vVHHBRaob0yBP0Q
+K4wxvwQEuyes/XSEHupNYfSvcK24YuLVm2mrx+3NyAIxAIn8dyiX85tuunv89xNC
+XIkXUHZlvK60fMYi9PBucuYhdy7UO22IRrRncuURVs3oJQ==
+-----END CERTIFICATE-----
diff --git a/certs/client-ecc384-key.der b/certs/client-ecc384-key.der
new file mode 100644
index 0000000000000000000000000000000000000000..96b8270e0e89ba96e7ed41b787eb8231a57ec502
GIT binary patch
literal 167
zcmV;Y09gMpfusTf0R%90om0F0Hp{42W0l%YOntXmSicN|q&1?{G)iBR9pG-Yq|^j9
zItk{i6reDV1vi$U2L=Tzfdl{|p=1MM00d^l2t8(}p%v6q3L~?v3(k+o^q3u{*s^XS
z5&F6BnZWufK1cxh{=%k88>bSeYmiJFyR2Pq4r0!5AooLe*q6t2(`f#Q?03r<FNsPW
Vclnn~W&&uXVy~5f%i|<A>xEL#ON#&i

literal 0
HcmV?d00001

diff --git a/certs/client-ecc384-key.pem b/certs/client-ecc384-key.pem
new file mode 100644
index 000000000..c12526d3d
--- /dev/null
+++ b/certs/client-ecc384-key.pem
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB1nVO7/TbLqFdjldpO
+TH23WVi/DIOkNaLUNEpfkh3gbrWk1AQ2OgnmrBSgMI8FN5ahZANiAARmxAg9Zqeh
+FdRTCiOzrQvOj8j0mB2m2LJuIhH6ue+ZwPopPkgA+f7CpkobpxKoa5BMHLusXW4O
+Ys5wIPdDd9iXx3TTaP6J7HfLGS+JSh13+ZdLZgJopWKvlYHL4yQ264U=
+-----END PRIVATE KEY-----
diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh
index 6a0f15c33..7cf4bf6e4 100755
--- a/certs/crl/gencrls.sh
+++ b/certs/crl/gencrls.sh
@@ -17,25 +17,23 @@ setup_files() {
     mkdir demoCA || exit 1
     touch ./demoCA/index.txt || exit 1
     touch ./index.txt || exit 1
-    touch ../ecc/index.txt || exit 1
+    touch ../crl/index.txt || exit 1
     touch ./crlnumber || exit 1
-    touch ../ecc/crlnumber || exit 1
+    touch ../crl/crlnumber || exit 1
     echo "01" >> crlnumber || exit 1
-    echo "01" >> ../ecc/crlnumber || exit 1
+    echo "01" >> ../crl/crlnumber || exit 1
     touch ./blank.index.txt || exit 1
     touch ./demoCA/index.txt.attr || exit 1
-    touch ../ecc/index.txt.attr || exit 1
+    touch ../crl/index.txt.attr || exit 1
 }
 
 cleanup_files() {
     rm blank.index.txt || exit 1
     rm index.* || exit 1
     rm crlnumber* || exit 1
-    rm ../ecc/crlnumber* || exit 1
-    rm ../ecc/index.* || exit 1
-    rm -r demoCA || exit 1
+    rm -rf demoCA || exit 1
     echo "Removed ../wolfssl.cnf, blank.index.txt, index.*, crlnumber*, demoCA/"
-    echo "        ../ecc/index.txt"
+    echo "        ../crl/index.txt"
     echo ""
     exit 0
 }
@@ -171,12 +169,12 @@ mv tmp eccSrvCRL.pem
 
 # caEccCrl
 echo "Step 21"
-openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
+openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
 check_result $?
 
 # ca-ecc384-cert
 echo "Step 22"
-openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
+openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
 check_result $?
 
 exit 0
diff --git a/certs/crl/include.am b/certs/crl/include.am
index 0cdd3a91c..c5d635df8 100644
--- a/certs/crl/include.am
+++ b/certs/crl/include.am
@@ -9,7 +9,8 @@ EXTRA_DIST += \
 	     certs/crl/eccCliCRL.pem \
 	     certs/crl/crl2.pem \
 	     certs/crl/caEccCrl.pem \
-	     certs/crl/caEcc384Crl.pem
+	     certs/crl/caEcc384Crl.pem \
+	     certs/crl/wolfssl.cnf
 
 EXTRA_DIST += \
 	     certs/crl/crl.revoked
diff --git a/certs/crl/wolfssl.cnf b/certs/crl/wolfssl.cnf
new file mode 100644
index 000000000..78593cb8e
--- /dev/null
+++ b/certs/crl/wolfssl.cnf
@@ -0,0 +1,110 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations relevant to where the script is executing
+dir               = .
+certs             = $dir/../
+new_certs_dir     = $dir/../
+database          = $dir/../crl/index.txt
+serial            = $dir/../crl/serial
+# This should come from the system disregard local pathing
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/../ca-ecc-key.pem
+certificate       = $dir/../ca-ecc-cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/../crl/crlnumber
+crl_extensions    = crl_ext
+default_crl_days  = 1000
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+preserve          = no
+policy            = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = US
+stateOrProvinceName             = Washington
+localityName                    = Seattle
+0.organizationName              = wolfSSL
+organizationalUnitName          = Development
+commonName                      = www.wolfssl.com
+emailAddress                    = info@wolfssl.com
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
diff --git a/certs/ecc/genecc.sh b/certs/ecc/genecc.sh
index ef28371ba..2efb033c9 100755
--- a/certs/ecc/genecc.sh
+++ b/certs/ecc/genecc.sh
@@ -13,21 +13,17 @@ echo 2000 > ./certs/ecc/crlnumber
 
 # generate ECC 256-bit CA
 openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
-openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \
+	-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
 
 openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
 openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
 
 rm ./certs/ca-ecc-key.par
 
-# generate ECC 384-bit CA
-openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
-openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+# Gen CA CRL
+openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
 
-openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
-openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
-
-rm ./certs/ca-ecc384-key.par
 
 
 # Generate ECC 256-bit server cert
@@ -40,9 +36,53 @@ openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der
 
 rm ./certs/server-ecc-req.pem 
 
-# Gen CRL
-openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
-openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
+
+
+# generate ECC 384-bit CA
+openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
+openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \
+	-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
+
+openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
+openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
+
+rm ./certs/ca-ecc384-key.par
+
+# Gen CA CRL
+openssl ca -config ./certs/ecc/wolfssl_384.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
+
+
+
+# Generate ECC 384-bit server cert
+openssl ecparam -out ./certs/server-ecc384-key.par -name secp384r1
+openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/server-ecc384-key.par -keyout ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
+	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
+	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl ec -in ./certs/server-ecc384-key.pem -inform PEM -out ./certs/server-ecc384-key.der -outform DER
+
+# Sign server certificate
+openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions server_cert -days 10950 -notext -md sha384 -in ./certs/server-ecc384-req.pem -out ./certs/server-ecc384-cert.pem
+openssl x509 -in ./certs/server-ecc384-cert.pem -outform der -out ./certs/server-ecc384-cert.der
+
+rm ./certs/server-ecc384-req.pem 
+rm ./certs/server-ecc384-key.par
+
+# Generate ECC 384-bit client cert
+openssl ecparam -out ./certs/client-ecc384-key.par -name secp384r1
+openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/client-ecc384-key.par -keyout ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
+	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
+	-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Clit/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl ec -in ./certs/client-ecc384-key.pem -inform PEM -out ./certs/client-ecc384-key.der -outform DER
+
+# Sign client certificate
+openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions usr_cert -days 10950 -notext -md sha384 -in ./certs/client-ecc384-req.pem -out ./certs/client-ecc384-cert.pem
+openssl x509 -in ./certs/client-ecc384-cert.pem -outform der -out ./certs/client-ecc384-cert.der
+
+rm ./certs/client-ecc384-req.pem 
+rm ./certs/client-ecc384-key.par
+
 
 # Also manually need to:
 # 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
diff --git a/certs/ecc/include.am b/certs/ecc/include.am
index 3c4eddbd4..b9897c1c2 100644
--- a/certs/ecc/include.am
+++ b/certs/ecc/include.am
@@ -4,5 +4,5 @@
 
 EXTRA_DIST += \
 	     certs/ecc/genecc.sh \
-	     certs/ecc/wolfssl.cnf
-
+	     certs/ecc/wolfssl.cnf \
+	     certs/ecc/wolfssl_384.cnf
diff --git a/certs/ecc/wolfssl.cnf b/certs/ecc/wolfssl.cnf
index 969fdb9a3..a974aeb35 100644
--- a/certs/ecc/wolfssl.cnf
+++ b/certs/ecc/wolfssl.cnf
@@ -5,19 +5,19 @@ default_ca = CA_default
 [ CA_default ]
 # Directory and file locations relevant to where the script is executing
 dir               = .
-certs             = $dir/../
-new_certs_dir     = $dir/../
-database          = $dir/../ecc/index.txt
-serial            = $dir/../ecc/serial
+certs             = $dir/certs
+new_certs_dir     = $dir/certs
+database          = $dir/certs/ecc/index.txt
+serial            = $dir/certs/ecc/serial
 # This should come from the system disregard local pathing
 RANDFILE          = $dir/private/.rand
 
 # The root key and root certificate.
-private_key       = $dir/../ca-ecc-key.pem
-certificate       = $dir/../ca-ecc-cert.pem
+private_key       = $dir/certs/ca-ecc-key.pem
+certificate       = $dir/certs/ca-ecc-cert.pem
 
 # For certificate revocation lists.
-crlnumber         = $dir/../ecc/crlnumber
+crlnumber         = $dir/certs/ecc/crlnumber
 crl_extensions    = crl_ext
 default_crl_days  = 1000
 
diff --git a/certs/ecc/wolfssl_384.cnf b/certs/ecc/wolfssl_384.cnf
new file mode 100644
index 000000000..7cb35f709
--- /dev/null
+++ b/certs/ecc/wolfssl_384.cnf
@@ -0,0 +1,110 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations relevant to where the script is executing
+dir               = .
+certs             = $dir/certs
+new_certs_dir     = $dir/certs
+database          = $dir/certs/ecc/index.txt
+serial            = $dir/certs/ecc/serial
+# This should come from the system disregard local pathing
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/certs/ca-ecc384-key.pem
+certificate       = $dir/certs/ca-ecc384-cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/certs/ecc/crlnumber
+crl_extensions    = crl_ext
+default_crl_days  = 1000
+
+# SHA-384 is default
+default_md        = sha384
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+preserve          = no
+policy            = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-384 is default
+default_md          = sha384
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = US
+stateOrProvinceName             = Washington
+localityName                    = Seattle
+0.organizationName              = wolfSSL
+organizationalUnitName          = Development
+commonName                      = www.wolfssl.com
+emailAddress                    = info@wolfssl.com
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
diff --git a/certs/server-ecc384-cert.der b/certs/server-ecc384-cert.der
new file mode 100644
index 0000000000000000000000000000000000000000..ea466cb11e0f7af77e7954d8a3bf142e6f168e4b
GIT binary patch
literal 918
zcmXqLVxDBs#4NFZnTe5!iAjLLfQyYotIgw_EekWVLF05oZUas>=1>+kVW!YvLtz6!
z5Ql?@D?G6{BQr0(BtOqkz<>`V$j-waoSIltl9LJ(;o@O0&(BE<4)!q=F%SZ&;pX9X
zNi9pw$uG!F%_}jKFc1TYGV}14mzV2-)D{=#=q2ap8p<2UvT*{P(e|B}k&{tOATuv5
z-vLR1ft)z6p@pG=p{1d*iGhi6lsK;mh-(Pt8Z=I&(B-Z<nFS@8$%aA(0uYyTx;i@>
zTbKkFl~LmEGN5tn;P7Q)WMkECWMNQZPGVqrb$+tH4(D!55&p20!wy^S^Cho)TIkJi
zhGqKyhc7Lr?T(+gDeKHu%lQ6+$d8QQqO=)vGPuu&s;<wS;lZ_{<m5{61w4m;Uslfe
z$6}Kl&|$sPzb4(}yY<TA=hBA*<CG-cEN)^nHE3cq1V^T<Fbk6b128H%6WTl&+kQAP
zGP1BRGqE`U1D!ckmXAe@MWo64Q>y;wEeyx@u>GxcD)mmicy5nD;~9{=GE3tTgT{jm
zBC8)9R`Zd#QndS0OV1oG)=3RQ!9fcf=PqfSHFy(F6DPwTOO_>kOLN-6$yS!1k?}vs
z_slB{gh9SjW#Iv30c|!$R#tXqM&#_koWWp_%4Ep!V%9ZQnR%5)U;2N#&SQADx3*#S
ztDTo#&wFvy>foKM)z2iucWmPg@YJ2m`{(%f*<B}@3<5ZLXLHET5<l`>+rw*i%5s@$
kt84z4ruJ9<I5*R)m?i%~xailYpZ_Ay&WwDl7kqa;03%Zm;s5{u

literal 0
HcmV?d00001

diff --git a/certs/server-ecc384-cert.pem b/certs/server-ecc384-cert.pem
new file mode 100644
index 000000000..ed415bf8e
--- /dev/null
+++ b/certs/server-ecc384-cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAxigAwIBAgICEAAwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
+b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MTAx
+OTEzNDA0M1oXDTQ4MTAxMTEzNDA0M1owgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
+DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
+MRIwEAYDVQQLDAlFQ0MzODRTcnYxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
+MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqGSM49AgEGBSuB
+BAAiA2IABOrPk08sCbs5FA9WZMNAtN8OY67lcUsAzASX/+HpOJa7X5Gyasy1OV+P
+cFnxAfZaKwFsaAvPVSWvbZhICqh0yakXoAzD+9MjaP4EPGNQiDu5T3xnNPc7qXPn
+G8NRXiIY7KOCATUwggExMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMB0G
+A1UdDgQWBBSCO/JlL/O0AMa8Bv15QnVLZdHOvDCBzAYDVR0jBIHEMIHBgBSr4MMm
+TBjUcrvShIycCgWSgBJTUqGBnaSBmjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
+FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQD8OQSkDqVshzAOBgNV
+HQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwMDaAAw
+ZQIxAOia1gUcnnky9I/5RZ4A7r19gJvqudLrnujFOsHcaqvmGVe4tg1QSS2TDfzH
+t5uKyQIwUAkNmwgdmhfE5ytISptkpxyWq3z8NWWPefjOmUpzBG/gVxX1Wvn+Wc2Z
+WeMuU92v
+-----END CERTIFICATE-----
diff --git a/certs/server-ecc384-key.der b/certs/server-ecc384-key.der
new file mode 100644
index 0000000000000000000000000000000000000000..9dde676428a64f2b2dc29fd76ce9600e11be468b
GIT binary patch
literal 167
zcmV;Y09gMpfusTf0R%9l<p$^m7Cx(q_+Uf8U?tnSd;S?U2vucv;@sc?i)(1#&u@Sd
z&UrWME1Y}8XdHB)2L=Tzfdl{|p=1MM00ipKlTR!OyEzmOR%F9KwBHV6uH|t{0L%oJ
z|KaI4mb+h(vTDq=IbV-(S@8k(S}Or;XbaC(C9iFmND8QQ$*C8h48!}=BWV5vJY!IZ
VJGoDMXEgUasdMKW!%<!$80<#@Nc{i+

literal 0
HcmV?d00001

diff --git a/certs/server-ecc384-key.pem b/certs/server-ecc384-key.pem
new file mode 100644
index 000000000..5d3d61d0c
--- /dev/null
+++ b/certs/server-ecc384-key.pem
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCk5QboBhY+q4n4YEPA
+YCXbunv+GTUIVWV24tzgAYtraN/Pb4ASznk36yuce8RoHHShZANiAATqz5NPLAm7
+ORQPVmTDQLTfDmOu5XFLAMwEl//h6TiWu1+RsmrMtTlfj3BZ8QH2WisBbGgLz1Ul
+r22YSAqodMmpF6AMw/vTI2j+BDxjUIg7uU98ZzT3O6lz5xvDUV4iGOw=
+-----END PRIVATE KEY-----
diff --git a/tests/test.conf b/tests/test.conf
index a678f52c4..faad62e6e 100644
--- a/tests/test.conf
+++ b/tests/test.conf
@@ -2364,3 +2364,17 @@
 -v 3
 -l ECDHE-RSA-AES256-GCM-SHA384
 -H useSupCurve
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 with P-384 Certs and CA
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc384-cert.pem
+-k ./certs/server-ecc384-key.pem
+-A ./certs/ca-ecc384-cert.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 with P-384 Certs and CA
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/client-ecc384-cert.pem
+-k ./certs/client-ecc384-key.pem
+-A ./certs/ca-ecc384-cert.pem