Scripts for testing ECC ciphersuites.

#!/bin/sh

# For a list of supported curves, use "apps/openssl ecparam -list_curves".

# Path to the openssl distribution

OPENSSL_DIR=../..

# Path to the openssl program

OPENSSL_CMD=$OPENSSL_DIR/apps/openssl

# Option to find configuration file

OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"

# Directory where certificates are stored

CERTS_DIR=./Certs

# Directory where private key files are stored

KEYS_DIR=$CERTS_DIR

# Directory where combo files (containing a certificate and corresponding

# private key together) are stored

COMBO_DIR=$CERTS_DIR

# cat command

CAT=/bin/cat

# rm command

RM=/bin/rm

# The certificate will expire these many days after the issue date.

DAYS=1500

TEST_CA_FILE=rsa1024TestCA

TEST_SERVER_CURVE=sect163r1

TEST_SERVER_FILE=sect163r1-rsaTestServer

TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (sect163r1 key signed with RSA)"

TEST_CLIENT_CURVE=sect163r1

TEST_CLIENT_FILE=sect163r1-rsaTestClient

TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (sect163r1 key signed with RSA)"

# Generating an EC certificate involves the following main steps

# 1. Generating curve parameters (if needed)

# 2. Generating a certificate request

# 3. Signing the certificate request 

# 4. [Optional] One can combine the cert and private key into a single

#    file and also delete the certificate request

echo "GENERATING A TEST SERVER CERTIFICATE (ECC key signed with RSA)"

echo "=============================================================="

$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \

    -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \

    -newkey ecdsa:$TEST_SERVER_CURVE.pem -new \

    -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem

$OPENSSL_CMD x509 -req -days $DAYS \

    -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \

    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial

# Display the certificate 

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \

	 > $COMBO_DIR/$TEST_SERVER_FILE.pem

$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem

echo "GENERATING A TEST CLIENT CERTIFICATE (ECC key signed with RSA)"

echo "=============================================================="

$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \

	     -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \

	     -newkey ecdsa:$TEST_CLIENT_CURVE.pem -new \

	     -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

$OPENSSL_CMD x509 -req -days $DAYS \

    -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \

    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial

# Display the certificate 

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \

	 > $COMBO_DIR/$TEST_CLIENT_FILE.pem

$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

#!/bin/sh

# For a list of supported curves, use "apps/openssl ecparam -list_curves".

# Path to the openssl distribution

OPENSSL_DIR=../..

# Path to the openssl program

OPENSSL_CMD=$OPENSSL_DIR/apps/openssl

# Option to find configuration file

OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"

# Directory where certificates are stored

CERTS_DIR=./Certs

# Directory where private key files are stored

KEYS_DIR=$CERTS_DIR

# Directory where combo files (containing a certificate and corresponding

# private key together) are stored

COMBO_DIR=$CERTS_DIR

# cat command

CAT=/bin/cat

# rm command

RM=/bin/rm

# The certificate will expire these many days after the issue date.

DAYS=1500

TEST_CA_CURVE=secp160r1

TEST_CA_FILE=secp160r1TestCA

TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"

TEST_SERVER_CURVE=secp160r2

TEST_SERVER_FILE=secp160r2TestServer

TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"

TEST_CLIENT_CURVE=secp160r2

TEST_CLIENT_FILE=secp160r2TestClient

TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"

# Generating an EC certificate involves the following main steps

# 1. Generating curve parameters (if needed)

# 2. Generating a certificate request

# 3. Signing the certificate request 

# 4. [Optional] One can combine the cert and private key into a single

#    file and also delete the certificate request

echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"

echo "==============================================================="

$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem

# Generate a new certificate request in $TEST_CA_FILE.req.pem. A 

# new ecdsa (actually ECC) key pair is generated on the parameters in

# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem

# WARNING: By using the -nodes option, we force the private key to be 

# stored in the clear (rather than encrypted with a password).

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \

    -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -newkey ecdsa:$TEST_CA_CURVE.pem -new \

    -out $CERTS_DIR/$TEST_CA_FILE.req.pem

# Sign the certificate request in $TEST_CA_FILE.req.pem using the

# private key in $TEST_CA_FILE.key.pem and include the CA extension.

# Make the certificate valid for 1500 days from the time of signing.

# The certificate is written into $TEST_CA_FILE.cert.pem

$OPENSSL_CMD x509 -req -days $DAYS \

    -in $CERTS_DIR/$TEST_CA_FILE.req.pem \

    -extfile $OPENSSL_DIR/apps/openssl.cnf \

    -extensions v3_ca \

    -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -out $CERTS_DIR/$TEST_CA_FILE.cert.pem

# Display the certificate

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \

	 > $COMBO_DIR/$TEST_CA_FILE.pem

$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_CA_FILE.req.pem

echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"

echo "=========================================================================="

# Generate parameters for curve $TEST_SERVER_CURVE, if needed

$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem

# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 

# new ecdsa (actually ECC) key pair is generated on the parameters in

# $TEST_SERVER_CURVE.pem and the private key is saved in 

# $TEST_SERVER_FILE.key.pem

# WARNING: By using the -nodes option, we force the private key to be 

# stored in the clear (rather than encrypted with a password).

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \

    -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \

    -newkey ecdsa:$TEST_SERVER_CURVE.pem -new \

    -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem

# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the

# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in

# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number

# file for this CA, create one. Make the certificate valid for $DAYS days

# from the time of signing. The certificate is written into 

# $TEST_SERVER_FILE.cert.pem

$OPENSSL_CMD x509 -req -days $DAYS \

    -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \

    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial

# Display the certificate 

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \

	 > $COMBO_DIR/$TEST_SERVER_FILE.pem

$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem

echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"

echo "=========================================================================="

# Generate parameters for curve $TEST_CLIENT_CURVE, if needed

$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem

# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 

# new ecdsa (actually ECC) key pair is generated on the parameters in

# $TEST_CLIENT_CURVE.pem and the private key is saved in 

# $TEST_CLIENT_FILE.key.pem

# WARNING: By using the -nodes option, we force the private key to be 

# stored in the clear (rather than encrypted with a password).

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \

	     -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \

	     -newkey ecdsa:$TEST_CLIENT_CURVE.pem -new \

	     -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the

# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in

# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number

# file for this CA, create one. Make the certificate valid for $DAYS days

# from the time of signing. The certificate is written into 

# $TEST_CLIENT_FILE.cert.pem

$OPENSSL_CMD x509 -req -days $DAYS \

    -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \

    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial

# Display the certificate 

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \

	 > $COMBO_DIR/$TEST_CLIENT_FILE.pem

$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

############################################################################

#OLD STUFF (ignore this)

#

#These are the commands I used, but you may wish to add -named_curve to the first command per our discussion about parameter encoding in certificates.

#

#apps/openssl ecdsaparam -out nist192.param.pem -NIST_192

#

#apps/openssl ecdsaparam -out nistB163.param.pem -named_curve -NIST_B163

# the nodes option causes output key to be stored unencrypted

#apps/openssl req -nodes -keyout nistB163.priv.pem -newkey ecdsa:nistB163.param.pem -new -out nistB163.req.pem

#apps/openssl x509 -req -in nistB163.req.pem -extfile apps/cert.cnf -extensions v3_ca -signkey nistB163.priv.pem -out nistB163.cert.pem

#

#crypto/x509/x509_ext.c  has X509_EXTENSION *X509_get_ext(X509 *x, int loc)

#crypto/asn1/t_x509.c    has code to print certificates

#crypto/x509v3/v3_prn.c  has code to print extensions X509V3_extensions_print

Scripts for using ECC ciphersuites with test/testssl.

Use ECCcertgen.sh, RSAcertgen.sh, ECC-RSAcertgen.sh to generate

root, client and server certs of the following types:

     ECC certs signed with ECDSA

     RSA certs signed with RSA

     ECC certs signed with RSA

Afterwards, you can use ssltest.sh to run the various tests;

specify one of the following options:

     aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa

#!/bin/sh

# For a list of supported curves, use "apps/openssl ecparam -list_curves".

# Path to the openssl distribution

OPENSSL_DIR=../..

# Path to the openssl program

OPENSSL_CMD=$OPENSSL_DIR/apps/openssl

# Option to find configuration file

OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"

# Directory where certificates are stored

CERTS_DIR=./Certs

# Directory where private key files are stored

KEYS_DIR=$CERTS_DIR

# Directory where combo files (containing a certificate and corresponding

# private key together) are stored

COMBO_DIR=$CERTS_DIR

# cat command

CAT=/bin/cat

# rm command

RM=/bin/rm

# The certificate will expire these many days after the issue date.

DAYS=1500

TEST_CA_FILE=rsa1024TestCA

TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (1024 bit RSA)"

TEST_SERVER_FILE=rsa1024TestServer

TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (1024 bit RSA)"

TEST_CLIENT_FILE=rsa1024TestClient

TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (1024 bit RSA)"

# Generating an EC certificate involves the following main steps

# 1. Generating curve parameters (if needed)

# 2. Generating a certificate request

# 3. Signing the certificate request 

# 4. [Optional] One can combine the cert and private key into a single

#    file and also delete the certificate request

echo "Generating self-signed CA certificate (RSA)"

echo "==========================================="

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \

    -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -newkey rsa:1024 -new \

    -out $CERTS_DIR/$TEST_CA_FILE.req.pem

$OPENSSL_CMD x509 -req -days $DAYS \

    -in $CERTS_DIR/$TEST_CA_FILE.req.pem \

    -extfile $OPENSSL_DIR/apps/openssl.cnf \

    -extensions v3_ca \

    -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -out $CERTS_DIR/$TEST_CA_FILE.cert.pem

# Display the certificate

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \

	 > $COMBO_DIR/$TEST_CA_FILE.pem

$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_CA_FILE.req.pem

echo "GENERATING A TEST SERVER CERTIFICATE (RSA)"

echo "=========================================="

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \

    -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \

    -newkey rsa:1024 -new \

    -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem

$OPENSSL_CMD x509 -req -days $DAYS \

    -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \

    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial

# Display the certificate 

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \

	 > $COMBO_DIR/$TEST_SERVER_FILE.pem

$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem

echo "GENERATING A TEST CLIENT CERTIFICATE (RSA)"

echo "=========================================="

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \

	     -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \

	     -newkey rsa:1024 -new \

	     -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

$OPENSSL_CMD x509 -req -days $DAYS \

    -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \

    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

    -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial

# Display the certificate 

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \

	 > $COMBO_DIR/$TEST_CLIENT_FILE.pem

$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

#! /bin/sh

# Tests ECC cipher suites using ssltest. Requires one argument which could

# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa.

# A second optional argument can be one of ssl2 ssl3 or tls1

if [ "$1" = "" ]; then

  (echo "Usage: $0 test [ protocol ]"

   echo "   where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa"

   echo "   and protocol (optional) is one of ssl2, ssl3, tls1"

   echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first."

  ) >&2

  exit 1

fi

OPENSSL_DIR=../..

CERTS_DIR=./Certs

SSLTEST=$OPENSSL_DIR/test/ssltest

# SSL protocol version to test (one of ssl2 ssl3 or tls1)"

SSLVERSION=

# These don't really require any certificates

AECDH_CIPHER_LIST="EXP-AECDH-RC4-40-SHA EXP-AECDH-DES-40-CBC-SHA AECDH-DES-CBC3-SHA AECDH-DES-CBC-SHA AECDH-RC4-SHA AECDH-NULL-SHA"

# These require ECC certificates signed with ECDSA

# The EC public key must be authorized for key agreement.

ECDH_ECDSA_CIPHER_LIST="EXP-ECDH-ECDSA-RC4-56-SHA EXP-ECDH-ECDSA-RC4-40-SHA ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA"

# These require ECC certificates.

# The EC public key must be authorized for digital signature.

ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES128-SHA"

# These require ECC certificates signed with RSA.

# The EC public key must be authorized for key agreement.

ECDH_RSA_CIPHER_LIST="EXP-ECDH-RSA-RC4-56-SHA EXP-ECDH-RSA-RC4-40-SHA ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-DES-CBC-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA"

# These require RSA certificates.

# The RSA public key must be authorized for digital signature.

ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES128-SHA"

# List of Elliptic curves over which we wish to test generation of

# ephemeral ECDH keys when using AECDH or ECDHE ciphers

# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1

#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1"

ELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1"

DEFAULT_CURVE="sect163r2"

if [ "$2" = "" ]; then

    if [ "$SSL_VERSION" = "" ]; then

	SSL_VERSION=""

    else

	SSL_VERSION="-$SSL_VERSION"

    fi

else

    SSL_VERSION="-$2"

fi

#==============================================================

# Anonymous cipher suites do not require key or certificate files

# but ssltest expects a cert file and complains if it can't

# open the default one.

SERVER_PEM=$OPENSSL_DIR/apps/server.pem

if [ "$1" = "aecdh" ]; then

for cipher in $AECDH_CIPHER_LIST

do

    echo "Testing $cipher"

    $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher 

done

#--------------------------------------------------------------

for curve in $ELLIPTIC_CURVE_LIST

do

    echo "Testing AECDH-NULL-SHA (with $curve)"

    $SSLTEST $SSL_VERSION -cert $SERVER_PEM \

	-named_curve $curve -cipher AECDH-NULL-SHA

done

for curve in $ELLIPTIC_CURVE_LIST

do

    echo "Testing EXP-AECDH-RC4-40-SHA (with $curve)"

    $SSLTEST $SSL_VERSION -cert $SERVER_PEM \

	-named_curve $curve -cipher EXP-AECDH-RC4-40-SHA

done

fi

#==============================================================

# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require 

# the server to have an ECC certificate signed with ECDSA.

CA_PEM=$CERTS_DIR/secp160r1TestCA.pem

SERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem

CLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem

if [ "$1" = "ecdh-ecdsa" ]; then

for cipher in $ECDH_ECDSA_CIPHER_LIST

do

    echo "Testing $cipher (with server authentication)"

    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \

	-cert $SERVER_PEM -server_auth \

	-cipher $cipher

    echo "Testing $cipher (with server and client authentication)"

    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \

	-cert $SERVER_PEM -server_auth \

	-c_cert $CLIENT_PEM -client_auth \

	-cipher $cipher

done

fi

#==============================================================

if [ "$1" = "ecdhe-ecdsa" ]; then

for cipher in $ECDHE_ECDSA_CIPHER_LIST

do

    echo "Testing $cipher (with server authentication)"

    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \

	-cert $SERVER_PEM -server_auth \

	-cipher $cipher -named_curve $DEFAULT_CURVE

    echo "Testing $cipher (with server and client authentication)"

    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \

	-cert $SERVER_PEM -server_auth \

	-c_cert $CLIENT_PEM -client_auth \

	-cipher $cipher -named_curve $DEFAULT_CURVE

done

#--------------------------------------------------------------

for curve in $ELLIPTIC_CURVE_LIST

do

    echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)"

    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \

	-cert $SERVER_PEM -server_auth \

	-c_cert $CLIENT_PEM -client_auth \

	-cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve 

done

fi

#==============================================================

# ECDH-RSA cipher suites require the server to have an ECC

# certificate signed with RSA.

CA_PEM=$CERTS_DIR/rsa1024TestCA.pem

SERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem

CLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem

if [ "$1" = "ecdh-rsa" ]; then

for cipher in $ECDH_RSA_CIPHER_LIST

do

    echo "Testing $cipher (with server authentication)"

    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \

	-cert $SERVER_PEM -server_auth \

	-cipher $cipher

    echo "Testing $cipher (with server and client authentication)"

    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \

	-cert $SERVER_PEM -server_auth \

	-c_cert $CLIENT_PEM -client_auth \

	-cipher $cipher

done

fi

#==============================================================

# ECDHE-RSA cipher suites require the server to have an RSA cert.

CA_PEM=$CERTS_DIR/rsa1024TestCA.pem

SERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem

CLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem

if [ "$1" = "ecdhe-rsa" ]; then

for cipher in $ECDHE_RSA_CIPHER_LIST

do

    echo "Testing $cipher (with server authentication)"

    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \

	-cert $SERVER_PEM -server_auth \

	-cipher $cipher -named_curve $DEFAULT_CURVE

    echo "Testing $cipher (with server and client authentication)"

    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \

	-cert $SERVER_PEM -server_auth \

	-c_cert $CLIENT_PEM -client_auth \

	-cipher $cipher -named_curve $DEFAULT_CURVE

done

fi

#==============================================================