wolfSSL · aidangarske · Jun 19, 2026 · Jun 22, 2026 · Jun 24, 2026 · Jun 25, 2026
diff --git a/.github/workflows/tinytls13.yml b/.github/workflows/tinytls13.yml
@@ -0,0 +1,154 @@
+name: Tiny TLS 1.3 Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'release/**' ]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches: [ '*' ]
+  schedule:
+    - cron: '42 10 * * 1-5'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+permissions:
+  contents: read
+
+jobs:
+  # Build + make check every --enable-tinytls13 spelling on one runner via
+  # .github/scripts/parallel-make-check.py (see psk.yml for the pattern).
+  make_check:
+    name: make check
+    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v5
+        name: Checkout wolfSSL
+
+      - name: Install dependencies
+        uses: ./.github/actions/install-apt-deps
+        with:
+          packages: autoconf automake libtool build-essential bubblewrap
+          ghcr-debs-tag: ubuntu-24.04-minimal
+
+      - name: Set up ccache
+        uses: ./.github/actions/ccache-setup
+        with:
+          workflow-id: tinytls13
+          read-only: ${{ github.event_name == 'pull_request' }}
+          max-size: 100M
+
+      - name: Allow unprivileged user namespaces (for bwrap)
+        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
+
+      # Every tiny TLS 1.3 profile/adder spelling, so each is proven to build
+      # and pass make check (which runs the TLS handshake test suite) out of
+      # the box. Server is enabled where a config needs the server-side tests.
+      # The psk-p256 and cert-rsaverify configs strip to combinations
+      # (ECDHE-only ECC without certs, RSA verify only) that the OpenSSL-compat
+      # API unit suite (coupled to examples via BUILD_TESTS) does not gate for.
+      # Rather than carry test-harness edits for those, they build static with
+      # --disable-examples, skip make check ("check": false), and instead run
+      # wolfcrypt/test/testwolfcrypt plus examples/tls13/tls13_memio.c
+      # (a self-contained in-memory TLS 1.3 handshake) for real crypto and
+      # handshake verification.
+      - name: Build and test all tinytls13 configs
+        run: |
+          cat > "$RUNNER_TEMP/tinytls13-configs.json" <<'EOF'
+          [
+          {"name": "tinytls13-psk-x25519", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-p256", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=psk,p256,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
+                   ["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
+                   ["./tls13_memio"]]},
+          {"name": "tinytls13-psk-staticmem", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server,staticmem", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-mldsa", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server,mldsa", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server,sha384", "--disable-mlkem"]},
+          {"name": "tinytls13-cert", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,sha384", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-mutualauth", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,mutualauth,server", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-rsaverify", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server,rsaverify", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
+                   ["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
+                   ["./tls13_memio"]]},
+          {"name": "tinytls13-cert-mldsa", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,mldsa", "--enable-static", "--disable-mlkem"],
+           "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
+                   ["./tls13_memio"]]},
+          {"name": "tinytls13-psk-client-only", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-client-only", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-asm", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server,asm", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-asm", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,asm", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-chacha", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "cflags": "-DHAVE_CHACHA -DHAVE_POLY1305",
+           "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
+                   ["./tls13_memio", "TLS13-CHACHA20-POLY1305-SHA256"]]},
+          {"name": "tinytls13-cert-aes256", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server,sha384", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "cflags": "-DWOLFSSL_AES_256",
+           "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
+                   ["./tls13_memio", "TLS13-AES256-GCM-SHA384"]]},
+          {"name": "tinytls13-psk-mlkem", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server", "--enable-static"],
+           "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
+                   ["./tls13_memio", "-", "mlkem"]]},
+          {"name": "tinytls13-cert-staticmem", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
+                   ["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
+                   ["./tls13_memio"]]},
+          {"name": "tinytls13-nomalloc", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=psk,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests", "--disable-mlkem"],
+           "cflags": "-DWOLFSSL_NO_MALLOC"},
+          {"name": "tinytls13-combo-cert-mutualauth-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,mutualauth,server,sha384", "--disable-mlkem"]},
+          {"name": "tinytls13-combo-cert-mldsa-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,mldsa,sha384", "--enable-static", "--disable-mlkem"],
+           "run": [["cc", "-I.", "-I..", "../examples/tls13/tls13_memio.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tls13_memio"],
+                   ["./tls13_memio"]]},
+          {"name": "tinytls13-bare", "minutes": 1,
+           "configure": ["--enable-tinytls13", "--disable-mlkem"]},
+          {"name": "tinytls13-usersettings", "minutes": 1, "check": false,
+           "user_settings": "examples/configs/user_settings_tinytls13.h",
+           "configure": ["--enable-usersettings", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests"]}
+          ]
+          EOF
+          .github/scripts/parallel-make-check.py \
+            ${{ github.event_name == 'schedule' && '--build-only' || '' }} \
+            --private-dir=certs \
+            "$RUNNER_TEMP/tinytls13-configs.json"
+
+      - name: ccache stats
+        if: always()
+        run: ccache -s || true
+
+      - name: Upload logs on failure
+        if: failure()
+        uses: actions/upload-artifact@v6
+        with:
+          retention-days: 7
+          name: tinytls13-logs
+          path: |
+            build-*/make-check.log
+            build-*/test-suite.log
+            build-*/config.log
+          if-no-files-found: ignore
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
@@ -948,6 +948,7 @@ WOLFSSL_TICKET_ENC_CBC_HMAC
 WOLFSSL_TICKET_ENC_CHACHA20_POLY1305
 WOLFSSL_TICKET_ENC_HMAC_SHA384
 WOLFSSL_TICKET_ENC_HMAC_SHA512
+WOLFSSL_TINY_TLS13_NO_DEFAULT_CURVE
 WOLFSSL_TI_CURRTIME
 WOLFSSL_TLS13_DRAFT
 WOLFSSL_TLS13_IGNORE_AEAD_LIMITS

diff --git a/certs/mldsa/ecc-leaf-mldsa44.pem b/certs/mldsa/ecc-leaf-mldsa44.pem
@@ -0,0 +1,61 @@
+-----BEGIN CERTIFICATE-----
+MIIK4zCCAVmgAwIBAgIUWxTZmWEP7xd/6kP8yG6lrPoDI0EwCwYJYIZIAWUDBAMR
+MFoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRUwEwYDVQQDDAxUZXN0IG1sZHNhNDQwHhcN
+MjYwNjI5MjA0MjExWhcNMzYwNjI2MjA0MjExWjAUMRIwEAYDVQQDDAlsb2NhbGhv
+c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223It
+zpTqK/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo0Iw
+QDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwHwYDVR0jBBgwFoAUswU7
+xg6AYh+iTpNtmT4TaDnG/DIwCwYJYIZIAWUDBAMRA4IJdQBRjK3IylTYl8c3Xr5o
+BPVm8ERo5JxgRVYWclOVjuTlVYjnBg1ldXnyhXDjrq9cWDzYAbsjDD8AF6n2KlWK
+YtQ+PDGt9owu4tYuHKHSE3KTsUEXLrZV0sUr1gR6SDGhbKaGTa3mHs+/qTOyh/5U
+e2uKuGCr6mVa6QNJnvomq31KcPh52RaBEtpP04zJ3PfR+XEToXLKDS8/q6tLtuAI
+5WBUiLMz2f5LW3/ShM5g4ANQNUjp2GgOZp5zx/en/1GyqVep7QJgdY//fj9LSRqP
+jkyVSVRf+kOdG5FK1du8pysnZRy5+hj7QVRcuFIcaXfs9ak2xd7A2tti486WzUIF
+vVDAhkxNRc6Kk5o0dm7uO+EyiPvtvPw94TOuXp6aPZJfBaYc+DeN2L+yNHDBJu22
+wR+1f4vKsRCcZE82J93RfWp86PO9OWFMdghX/GRHC+GF6bR9gvXjXLnYpl5rIQ6q
+Y68CNM1oWp6jCNW273X505pvijAoG3m/9JL8XkRbGuhXli/1fKWuo03Plbha9sbe
+zPpc/I6Srq3LUcvmbajt+rDzuFRPpweLimAToqtji6eqx/RGusdtROGROd1/e9PI
+PEWd9DxfQxttyo+maJ9+o4jB+MIRwCdVp+GYiEDalBXdUd5GmqY2Y64UnzxaATq7
+scLJWX3UKN0DPhAfJOQgXnExlkCTg7as3jQ7M3xmfEO1L+v91dRW4PT+yBQxfVm0
+1NCmQ058PT0udeqkuMdrEgkdxoRRPN4uoDj08U/0hCaJOLbE2WkgEekdCaIjrJz7
+rTpnOrJ9ey3KIUBJLm6uGkqc81na6kRlELU4/1g54O73plpn6+85NUU8sCSs9WqL
+uYHDyYskyL+1FbplOtpubCk8hAxQ+cls/uM7mkEms0bjFEej428HlGkVjp9iJP4v
+bYdjctEOSbebnujWHT8RnmkIhV68bAQWiNDEoHxvI8GBY4lDrllfXBhxCDVs2mJa
+MfTLBRI8ZyiBiDatT04aghySMMuJG2GSu3AoSNTilhpziMVrIYP62aopjSdmoUcH
+XLMcUrjtjx4ssINqzEqZXqeW+knaSNdeDtPk1ECiBG5amPpB18GOAAhBYrS+8SNZ
+gmyKs5S9l9qLhQZ/ZHWF4BT1BC29gQ863fobxrUd6XSu/WJSoOMCmY+tRFbeQ74U
+Q0lTJK995Mru7L7YZEsbYaZsa/pwK7lnaOD+XDmq5P9RV0KTI//zTrQHhnBonViW
+gbIoa21eJCvTbax0Jcczd7FvjbFf8zfYzKNq532ZTdzMiZ9Z15ic1EfSArQwy1BC
+lsuX8yQIVHt1SdbZFjW0JQycrbDdYC6A4UFA/Ce8SAOf3qMViIw8eGU2aNtwOf/Q
+YWfJ+dfhfE6QeQe3sj87j00Hp4k9DG/20zb4W2kMl043xsTa6DzMujSE7Af82zgt
+6x5rXhdDph63KQ1E35tiuPekoALnmgEZV5Jg/Ze459ugXlseGNeXIA+6he3iKO3J
+gqVLOQQSTXP6nUX4R4E/eI7FnaWFXk+wVWuOgBzLmvyZrjecC1vgnl2j0mvsXbVN
+cvIaezO0vB9WcudUs6d4RsnH/yGIvx05FfYWa5iVBhSbugGsn5QfeMBr6UQwQOoh
+MAqgSMrgB4UAgiR/zxai/Uyd82rpFaCHNa61j4G/TFHFYyTVCyl2Ru4fhTINF2wD
+IM4ZV1qX9Lt65G+/I80I2KZLs2j5huFqMhWApBFdJ2Mxhqg0T+zDgWtK64RxExKH
+bzcsiFjBaKBQV6HNxdfmL5K29vR59q4R/FxXmxtqZaZAEMY3rg1mdMNqmea6qO6Z
+LBaWytwugs5cSiJJjoyUEoBVGyxDj6kG0qyHCdZ376ryqDAimR/SZDLjfyr9WQdt
+/dZ462aaywPjvb+6D9NZHkronNqcOsEyct6O+n15E8j7c1lXc7G5SWGYz2bfgYvs
+1VSn+KNsYth9xp67Sx+x2WsGEB3jbR12HybkOBD4EGVIsNgnRW3N2SkJQP2i6UjW
+WCHWL0qJwdx/Umv08zo0ACApemUr3u5UWW+5twNiEjzk+oymsQ2Z8fbzA58qBuK4
+Yp3eepqozA3ELg9fizfo/+itibHVEHlepjttxbCVfLpAb2psRD/733ZAhV1hLrV8
+2Nvou8LqoJY2L01q06OPPgFYpb+e6AdtEv6n2pF0JMK4BVHTAIJIgBCaAoagkQtX
+4Nhk+90oA3WKkYkxRKI7dbExMa2wPo2EqS04D1GjFuvnvEhF+KXYUJlIlnyrLnpw
+UAJc8jN1v6U3yPwnOS2VMD1bEs/Dc1v97rgqk7lTNjJNJBub7jkLf4kc9wXsuGld
+YZPqpb51vgkG9+k/f31LMQ4uFNvPPg/TodUi//4smlTYkTiC20eIgp9hXU9YbRJ0
+aH2DcnADL1Zd+L5BUhSmgTSyaViIRUdUOO1G/cRV7MnRx72ufgyTv5yJHcRqS1Qb
+W98tnQPDKNb8RsYbvdRnOSpuxEIcfKv7zigdvXuIg4I+XJeBeuICjcLYWcvwJSLa
+ouilseTBoMhxFQsPSc/rRuRWWa9quwVwuhippKrXnadjcBD4d14nez6+ipiTlW4+
+Hu5JjqHTkBdzdgZCZ223eIobuzul3YNnHoYp15rL1Puphmefpw6ySJDWWLfMm3Wz
+4IlpnLoj7MdYRTnb6UP3Y/9uRxfb7LzTuvVKBXsZxLjKhxTL+uFyA0E7glPGypFs
+sDl2CErC+yfY7dCGFJIHr+JbegqKZyliIX/Zf1ZRNHg5eGtPrQrATIh96QoOKWKO
+T0eD1OWf/V3ySUhD5bW+2DHRLWp9vjxAGHI656nGJEfDaOyOpSkhTBBLPZM7n+0+
+Cu+dU/VZgaX+uVGmJLKlcQJUi+G90XGYysHzvjwWE4p04f2vOn1JvZGepOwDk+hA
+n1mMN1eHSyXf560GCh0uCzBqW26Faotfq6JNNGa6t5AGAtxaoL/gxLuH1aevaYJY
+fcb6hbfpVI35UqIwCqeNQz8afvBYN0zg1xoByfmHwcoOoPX4lAogW3jbAGWoLw52
+GTUqbdT76LW8hvTUYYzOA+o4vi9CXtIQl1YUS9cunynNgmrNlPtzOisWu1RvaXgW
+Fa3pAXLiYRAfAkIRwmElXIbnfxEXaJCWsrbn9/3+Bh4kKDNkb3a7y9Lf4/YJJ11s
+b4SPpMXO2N7o6/T4BxI1OkBKUVRspcXI1OPn6uzu9f7/AAAAAAAAAAAAAAAAAAAA
+AAAACxkpPg==
+-----END CERTIFICATE-----
diff --git a/certs/mldsa/include.am b/certs/mldsa/include.am
@@ -28,6 +28,7 @@ EXTRA_DIST += \
 		 certs/mldsa/mldsa44-key.pem \
 		 certs/mldsa/mldsa44-cert.pem \
 		 certs/mldsa/mldsa44-cert.der \
+		 certs/mldsa/ecc-leaf-mldsa44.pem \
 		 certs/mldsa/mldsa65-key.pem \
 		 certs/mldsa/mldsa65-cert.pem \
 		 certs/mldsa/mldsa65-cert.der \

diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
@@ -1109,6 +1109,26 @@ EOF
 
             echo "End of ML-DSA-${level} section"
         done
+
+        # ECC P-256 leaf signed by the ML-DSA-44 CA; used by
+        # examples/tls13/tls13_memio.c to drive ML-DSA cert verify.
+        echo "Generating ecc-leaf-mldsa44.pem (P-256 leaf signed by ML-DSA-44 CA)..."
+        cat > mldsa/ecc-leaf.ext <<EOF
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+EOF
+        "$OPENSSL3" req -new -key ecc-key.pem -subj "/CN=localhost" \
+            -out mldsa/ecc-leaf-mldsa44.csr
+        check_result $? "ecc-leaf-mldsa44 request"
+
+        "$OPENSSL3" x509 -req -in mldsa/ecc-leaf-mldsa44.csr \
+            -CA mldsa/mldsa44-cert.pem -CAkey mldsa/mldsa44-key.pem \
+            -CAcreateserial -days 3650 -extfile mldsa/ecc-leaf.ext \
+            -out mldsa/ecc-leaf-mldsa44.pem
+        check_result $? "ecc-leaf-mldsa44 certificate"
+
+        rm -f mldsa/ecc-leaf-mldsa44.csr mldsa/ecc-leaf.ext mldsa/mldsa44-cert.srl
+        echo "End of ecc-leaf-mldsa44 section"
         echo "---------------------------------------------------------------------"
     else
         echo "Skipping ML-DSA cert generation (no OpenSSL 3.3+ with ML-DSA support found)"

diff --git a/certs/rsapss/ecc-leaf-rsapss.pem b/certs/rsapss/ecc-leaf-rsapss.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNDCCAeigAwIBAgIUcQ837WSJJkEpm5bqUbCnYmh4tPcwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMIGyMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
+BwwHQm96ZW1hbjEXMBUGA1UECgwOd29sZlNTTF9SU0FQU1MxEjAQBgNVBAsMCUNB
+LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB
+FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0y
+NjA2MjkyMDQyMTFaFw0zNjA2MjYyMDQyMTFaMBQxEjAQBgNVBAMMCWxvY2FsaG9z
+dDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLszrEwnUErGSqUEwzzenzbbci3O
+lOor+ssgCTksFuhhAumvTdMCk5oxW5eSIX/wzxjakRECNIboIFgzC4A0idijQjBA
+MB0GA1UdDgQWBBRdXSbvrH42+Zt2FStKJQIj77KJMDAfBgNVHSMEGDAWgBSeDODT
+37ZL8xljXMpsk4aiFFORMTBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUA
+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggEBAFijyXPfkDdV
+J/cZg6W5e9pRHpeXlxHLbcX8tcsGE9/la9rLcUtqSi5pWgK4OehwlrKrzufFjkZr
+JfyLTjYMuYkkv4NStJZD3XOYRZ5/qIcZX3U2b2Xm3GKW/H7vnuLKrd3wKed315+z
+FCYkKPIS04fKTGqb03ZyClCAmzHv2YPpezHsIXJGSJh0YsVsdM/WDKEjuOlL0CRm
+UyTsrMNZjqlvMhgGP5GsyTOEbYM8KvfkPn9xyzw7Dmwz4+BAc1LvRoBkS+UAgiZB
+gLn9OK5d2mRlcwmgMGDJQm1vaSrXZ/eQBrdVLUGLChjWvw+rPouAZaZVbBhE8q1C
+UaqgwTLH/tY=
+-----END CERTIFICATE-----
diff --git a/certs/rsapss/include.am b/certs/rsapss/include.am
@@ -3,6 +3,7 @@
 #
 
 EXTRA_DIST += \
+         certs/rsapss/ecc-leaf-rsapss.pem \
          certs/rsapss/ca-rsapss.der \
          certs/rsapss/ca-rsapss.pem \
          certs/rsapss/ca-rsapss-key.der \

diff --git a/certs/rsapss/renew-rsapss-certs.sh b/certs/rsapss/renew-rsapss-certs.sh
@@ -207,4 +207,24 @@ mv tmp.pem client-3072-rsapss.pem
 echo "End of section"
 echo "---------------------------------------------------------------------"
 
+############################################################
+###### ecc-leaf-rsapss.pem: P-256 leaf signed by ca ########
+############################################################
+# Drives RSA-PSS cert verify with a tiny ECC leaf key in
+# examples/tls13/tls13_memio.c.
+echo "Updating ecc-leaf-rsapss.pem"
+echo ""
+cat > ecc-leaf.ext <<EOF
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+EOF
+openssl req -new -key ../ecc-key.pem -subj "/CN=localhost" -out ecc-leaf-rsapss.csr
+check_result $? "Generate request"
+
+openssl x509 -req -in ecc-leaf-rsapss.csr -days 3650 -extfile ecc-leaf.ext -CA ca-rsapss.pem -CAkey ca-rsapss-priv.pem -sigopt rsa_padding_mode:pss -CAcreateserial -out ecc-leaf-rsapss.pem
+check_result $? "Generate certificate"
+rm -f ecc-leaf-rsapss.csr ecc-leaf.ext ca-rsapss.srl
+echo "End of section"
+echo "---------------------------------------------------------------------"
+