Handle "acceptable" Wycheproof inputs unambiguously.

This CL updates the JSON conversion to preserve the flags. A
WycheproofResult now captures both "result" and "flags". An "acceptable"
test case's validity is determined by its flags. By default, we consider
an "acceptable" case as invalid, but a test driver may mark some of them
as valid by listing the flags as a parameter.

Previously, some Wycheproof tests (I think it was x25519_tests.txt?) did
not contain enough information to resolve this unambiguously. This has
since been fixed.

This also makes the converted files smaller because we no longer expand the
flags into comments.

Change-Id: I2ca02d7f1b95f250409e8b23c4ad7bb595d77fdf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/39188
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/cipher_extra/aead_test.cc b/crypto/cipher_extra/aead_test.cc
index 520ad72..bb3db9e 100644
--- a/crypto/cipher_extra/aead_test.cc
+++ b/crypto/cipher_extra/aead_test.cc
@@ -728,8 +728,8 @@
   size_t out_len;
   // Wycheproof tags small AES-GCM IVs as "acceptable" and otherwise does not
   // use it in AEADs. Any AES-GCM IV that isn't 96 bits is absurd, but our API
-  // supports those, so we treat "acceptable" as "valid" here.
-  if (result != WycheproofResult::kInvalid) {
+  // supports those, so we treat SmallIv tests as valid.
+  if (result.IsValid({"SmallIv"})) {
     // Decryption should succeed.
     ASSERT_TRUE(EVP_AEAD_CTX_open(ctx.get(), out.data(), &out_len, out.size(),
                                   iv.data(), iv.size(), ct_and_tag.data(),
diff --git a/crypto/cipher_extra/cipher_test.cc b/crypto/cipher_extra/cipher_test.cc
index 0a96bf3..a28e6e3 100644
--- a/crypto/cipher_extra/cipher_test.cc
+++ b/crypto/cipher_extra/cipher_test.cc
@@ -357,7 +357,7 @@
                                              17, 31, 32, 33, 63, 64, 65, 512};
     for (size_t chunk : chunk_sizes) {
       SCOPED_TRACE(chunk);
-      if (result == WycheproofResult::kValid) {
+      if (result.IsValid()) {
         ASSERT_TRUE(EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(),
                                        iv.data()));
         ASSERT_TRUE(DoCipher(ctx.get(), &out, ct, chunk));
diff --git a/crypto/cmac/cmac_test.cc b/crypto/cmac/cmac_test.cc
index bd6651d..e8a220a 100644
--- a/crypto/cmac/cmac_test.cc
+++ b/crypto/cmac/cmac_test.cc
@@ -148,7 +148,7 @@
         // Some test vectors intentionally give the wrong key size. Our API
         // requires the caller pick the sized CBC primitive, so these tests
         // aren't useful for us.
-        EXPECT_EQ(WycheproofResult::kInvalid, result);
+        EXPECT_FALSE(result.IsValid());
         return;
     }
 
@@ -164,7 +164,7 @@
     // Truncate the tag, if requested.
     out_len = std::min(out_len, tag_len);
 
-    if (result == WycheproofResult::kValid) {
+    if (result.IsValid()) {
       EXPECT_EQ(Bytes(tag), Bytes(out, out_len));
 
       // Test the streaming API as well.
diff --git a/crypto/curve25519/x25519_test.cc b/crypto/curve25519/x25519_test.cc
index 9578dd0..1bf398f 100644
--- a/crypto/curve25519/x25519_test.cc
+++ b/crypto/curve25519/x25519_test.cc
@@ -23,6 +23,7 @@
 #include "../internal.h"
 #include "../test/file_test.h"
 #include "../test/test_util.h"
+#include "../test/wycheproof_util.h"
 
 
 TEST(X25519Test, TestVector) {
@@ -132,11 +133,8 @@
       t->IgnoreInstruction("curve");
       t->IgnoreAttribute("curve");
 
-      // Our implementation tolerates the Wycheproof "acceptable"
-      // inputs. Wycheproof's valid vs. acceptable criteria does not match our
-      // X25519 return value, so we test only the overall output.
-      t->IgnoreAttribute("result");
-
+      WycheproofResult result;
+      ASSERT_TRUE(GetWycheproofResult(t, &result));
       std::vector<uint8_t> priv, pub, shared;
       ASSERT_TRUE(t->GetBytes(&priv, "private"));
       ASSERT_TRUE(t->GetBytes(&pub, "public"));
@@ -144,7 +142,8 @@
       ASSERT_EQ(32u, priv.size());
       ASSERT_EQ(32u, pub.size());
       uint8_t secret[32];
-      X25519(secret, priv.data(), pub.data());
+      int ret = X25519(secret, priv.data(), pub.data());
+      EXPECT_EQ(ret, result.IsValid({"NonCanonicalPublic", "Twist"}) ? 1 : 0);
       EXPECT_EQ(Bytes(secret), Bytes(shared));
   });
 }
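Review bot: The new `EXPECT_EQ(ret, result.IsValid({"NonCanonicalPublic", "Twist"}) ? 1 : 0);` pins the X25519 return value, but nothing beside it says why only these two "acceptable" flags map to success while every other flagged case must return 0. The removed comment recorded that Wycheproof's valid/acceptable split does not match the X25519 return value, and that rationale is now gone. I would add a comment above the call along the lines of `// Non-canonical and twist public values still produce a usable shared secret, so they are accepted; all other "acceptable" cases are expected to make X25519 return 0.` (wording to be checked against X25519's documented contract). Note that `EXPECT_EQ(Bytes(secret), Bytes(shared))` still runs when `ret` is 0, so the vectors are relied on to carry the expected output for rejected inputs too. The enclosing test body starts outside this hunk.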
diff --git a/crypto/ecdh_extra/ecdh_test.cc b/crypto/ecdh_extra/ecdh_test.cc
index 52e49f1..4b88754 100644
--- a/crypto/ecdh_extra/ecdh_test.cc
+++ b/crypto/ecdh_extra/ecdh_test.cc
@@ -140,22 +140,16 @@
   ASSERT_TRUE(GetWycheproofResult(t, &result));
   std::vector<uint8_t> shared;
   ASSERT_TRUE(t->GetBytes(&shared, "shared"));
+  // BoringSSL supports compressed coordinates.
+  bool is_valid = result.IsValid({"CompressedPoint"});
 
   // Wycheproof stores the peer key in an SPKI to mimic a Java API mistake.
   // This is non-standard and error-prone.
   CBS cbs;
   CBS_init(&cbs, peer_spki.data(), peer_spki.size());
   bssl::UniquePtr<EVP_PKEY> peer_evp(EVP_parse_public_key(&cbs));
-  if (!peer_evp) {
-    // Note some of Wycheproof's "acceptable" entries are unsupported by
-    // BoringSSL because they test explicit curves (forbidden by RFC 5480),
-    // while others are supported because they used compressed coordinates. If
-    // the peer key fails to parse, we consider it to match "acceptable", but if
-    // the resulting shared secret matches below, it too matches "acceptable".
-    //
-    // TODO(davidben): Use the flags field to disambiguate these. Possibly
-    // first get the Wycheproof folks to use flags more consistently.
-    EXPECT_NE(WycheproofResult::kValid, result);
+  if (!peer_evp || CBS_len(&cbs) != 0) {
+    EXPECT_FALSE(is_valid);
     return;
   }
   EC_KEY *peer_ec = EVP_PKEY_get0_EC_KEY(peer_evp.get());
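Review bot: The single comment above `bool is_valid = result.IsValid({"CompressedPoint"});` explains the one flag that is accepted but no longer explains the ones that are rejected. The deleted block documented that some "acceptable" entries use explicit curves, which RFC 5480 forbids and BoringSSL does not support; a future reader extending the flag list needs that context. I would widen the comment to `// BoringSSL supports compressed coordinates. Other "acceptable" cases, e.g. explicit curve parameters (forbidden by RFC 5480), are expected to fail.` It would also help to note next to `CBS_len(&cbs) != 0` that trailing bytes after the SPKI are treated as a parse failure. The function begins and continues outside this hunk.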
@@ -170,11 +164,11 @@
   int ret =
       ECDH_compute_key(actual.data(), actual.size(),
                        EC_KEY_get0_public_key(peer_ec), key.get(), nullptr);
-  if (result == WycheproofResult::kInvalid) {
-    EXPECT_EQ(-1, ret);
-  } else {
+  if (is_valid) {
     EXPECT_EQ(static_cast<int>(actual.size()), ret);
     EXPECT_EQ(Bytes(shared), Bytes(actual.data(), static_cast<size_t>(ret)));
+  } else {
+    EXPECT_EQ(-1, ret);
   }
 }
 
diff --git a/crypto/evp/evp_test.cc b/crypto/evp/evp_test.cc
index 4846fbc..9932982 100644
--- a/crypto/evp/evp_test.cc
+++ b/crypto/evp/evp_test.cc
@@ -645,13 +645,7 @@
       bool sig_ok = DSA_check_signature(&valid, digest, digest_len, sig.data(),
                                         sig.size(), dsa) &&
                     valid;
-      if (result == WycheproofResult::kValid) {
-        EXPECT_TRUE(sig_ok);
-      } else if (result == WycheproofResult::kInvalid) {
-        EXPECT_FALSE(sig_ok);
-      } else {
-        // this is a legacy signature, which may or may not be accepted.
-      }
+      EXPECT_EQ(sig_ok, result.IsValid());
     } else {
       bssl::ScopedEVP_MD_CTX ctx;
       EVP_PKEY_CTX *pctx;
@@ -664,14 +658,12 @@
       }
       int ret = EVP_DigestVerify(ctx.get(), sig.data(), sig.size(), msg.data(),
                                  msg.size());
-      if (result == WycheproofResult::kValid) {
-        EXPECT_EQ(1, ret);
-      } else if (result == WycheproofResult::kInvalid) {
-        EXPECT_EQ(0, ret);
-      } else {
-        // this is a legacy signature, which may or may not be accepted.
-        EXPECT_TRUE(ret == 1 || ret == 0);
-      }
+      // BoringSSL does not enforce policies on weak keys and leaves it to the
+      // caller.
+      EXPECT_EQ(ret,
+                result.IsValid({"SmallModulus", "SmallPublicKey", "WeakHash"})
+                    ? 1
+                    : 0);
     }
   });
 }
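Review bot: The comment above the new `EXPECT_EQ(ret, result.IsValid({"SmallModulus", "SmallPublicKey", "WeakHash"}) ? 1 : 0);` speaks only of weak keys, yet the list also admits `WeakHash`, which is a digest property. Since this allow-list decides which weak-parameter signatures the test expects to verify, the comment should match it exactly, e.g. `// BoringSSL does not enforce policies on weak keys or weak hashes and leaves it to the caller.` It is also worth stating in the comment that the DSA branch in the preceding hunk calls `IsValid()` with no flags, so the two branches intentionally differ in what they accept (if that is the intent). The enclosing function starts outside the hunk.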
diff --git a/crypto/fipsmodule/aes/aes_test.cc b/crypto/fipsmodule/aes/aes_test.cc
index 5061e01..4c913d3 100644
--- a/crypto/fipsmodule/aes/aes_test.cc
+++ b/crypto/fipsmodule/aes/aes_test.cc
@@ -176,7 +176,7 @@
     WycheproofResult result;
     ASSERT_TRUE(GetWycheproofResult(t, &result));
 
-    if (result != WycheproofResult::kInvalid) {
+    if (result.IsValid()) {
       ASSERT_GE(ct.size(), 8u);
 
       AES_KEY aes;
@@ -218,7 +218,10 @@
     // should pass. However, both RFC 5649 and SP 800-38F section 5.3.1 say that
     // the minimum length is one. Therefore we consider test cases with an empty
     // message to be invalid.
-    if (result != WycheproofResult::kInvalid && !msg.empty()) {
+    //
+    // Wycheproof marks various weak parameters as acceptable. We do not enforce
+    // policy in the library, so we map those flags to valid.
+    if (result.IsValid({"SmallKey", "WeakWrapping"}) && !msg.empty()) {
       AES_KEY aes;
       ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes));
       std::vector<uint8_t> out(ct.size() - 8);
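Review bot: `std::vector<uint8_t> out(ct.size() - 8);` subtracts from a `size_t` with no length guard visible in this hunk, whereas the sibling branch in the previous hunk asserts `ASSERT_GE(ct.size(), 8u);` before using the ciphertext. Now that validity is derived from flags (`SmallKey`, `WeakWrapping`), a vector judged valid with a ciphertext shorter than 8 bytes would wrap around and request an enormous allocation instead of failing cleanly. Adding `ASSERT_GE(ct.size(), 8u);` as the first statement inside the `if` keeps the two branches consistent. The rest of the block lies outside the hunk, so a guard may exist further down, but it would come after the subtraction.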
diff --git a/crypto/hkdf/hkdf_test.cc b/crypto/hkdf/hkdf_test.cc
index 504e927..793506f 100644
--- a/crypto/hkdf/hkdf_test.cc
+++ b/crypto/hkdf/hkdf_test.cc
@@ -286,8 +286,8 @@
     std::vector<uint8_t> out(atoi(size_str.c_str()));
     bool ret = HKDF(out.data(), out.size(), md, ikm.data(), ikm.size(),
                     salt.data(), salt.size(), info.data(), info.size());
-    EXPECT_EQ(result == WycheproofResult::kValid, ret);
-    if (result == WycheproofResult::kValid) {
+    EXPECT_EQ(result.IsValid(), ret);
+    if (result.IsValid()) {
       EXPECT_EQ(Bytes(okm), Bytes(out));
     }
   });
diff --git a/crypto/hmac_extra/hmac_test.cc b/crypto/hmac_extra/hmac_test.cc
index b96abbd..c2d6199 100644
--- a/crypto/hmac_extra/hmac_test.cc
+++ b/crypto/hmac_extra/hmac_test.cc
@@ -142,7 +142,7 @@
     WycheproofResult result;
     ASSERT_TRUE(GetWycheproofResult(t, &result));
 
-    if (result != WycheproofResult::kValid) {
+    if (!result.IsValid()) {
       // Wycheproof tests assume the HMAC implementation checks the MAC. Ours
       // simply computes the HMAC, so skip the tests with invalid outputs.
       return;
diff --git a/crypto/test/wycheproof_util.cc b/crypto/test/wycheproof_util.cc
index 8f7dfeb..cd870dd 100644
--- a/crypto/test/wycheproof_util.cc
+++ b/crypto/test/wycheproof_util.cc
@@ -14,6 +14,10 @@
 
 #include "./wycheproof_util.h"
 
+#include <stdlib.h>
+
+#include <algorithm>
+
 #include <openssl/bn.h>
 #include <openssl/digest.h>
 #include <openssl/ec.h>
@@ -22,21 +26,55 @@
 #include "./file_test.h"
 
 
+bool WycheproofResult::IsValid(
+    const std::vector<std::string> &acceptable_flags) const {
+  switch (raw_result) {
+    case WycheproofRawResult::kValid:
+      return true;
+    case WycheproofRawResult::kInvalid:
+      return false;
+    case WycheproofRawResult::kAcceptable:
+      for (const auto &flag : flags) {
+        if (std::find(acceptable_flags.begin(), acceptable_flags.end(), flag) ==
+            acceptable_flags.end()) {
+          return false;
+        }
+      }
+      return true;
+  }
+
+  abort();
+}
+
 bool GetWycheproofResult(FileTest *t, WycheproofResult *out) {
   std::string result;
   if (!t->GetAttribute(&result, "result")) {
     return false;
   }
   if (result == "valid") {
-    *out = WycheproofResult::kValid;
+    out->raw_result = WycheproofRawResult::kValid;
   } else if (result == "invalid") {
-    *out = WycheproofResult::kInvalid;
+    out->raw_result = WycheproofRawResult::kInvalid;
   } else if (result == "acceptable") {
-    *out = WycheproofResult::kAcceptable;
+    out->raw_result = WycheproofRawResult::kAcceptable;
   } else {
     t->PrintLine("Bad result string '%s'", result.c_str());
     return false;
   }
+
+  out->flags.clear();
+  if (t->HasAttribute("flags")) {
+    std::string flags = t->GetAttributeOrDie("flags");
+    size_t idx = 0;
+    while (idx < flags.size()) {
+      size_t comma = flags.find(',', idx);
+      if (comma == std::string::npos) {
+        comma = flags.size();
+      }
+      out->flags.push_back(flags.substr(idx, comma - idx));
+      idx = comma + 1;
+    }
+  }
   return true;
 }
 
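Review bot: In `WycheproofResult::IsValid`, the `kAcceptable` case returns true when `flags` is empty, because the loop body never runs. That contradicts the commit description ("By default, we consider an 'acceptable' case as invalid") and means an "acceptable" vector that carries no `flags` attribute is silently promoted to valid in every driver, whatever allow-list it passes. I would either reject it in `IsValid` with `if (flags.empty()) { return false; }` before the loop, or have `GetWycheproofResult` fail when the result is "acceptable" and no flags were parsed, so that an under-specified vector is reported rather than guessed at. Separately, the comma splitting keeps empty and untrimmed tokens (e.g. from `a,,b` or `a, b`); a short comment stating that the converter emits a plain comma-separated list without spaces would document that assumption.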
diff --git a/crypto/test/wycheproof_util.h b/crypto/test/wycheproof_util.h
index 4d8a14c..67e0ed3 100644
--- a/crypto/test/wycheproof_util.h
+++ b/crypto/test/wycheproof_util.h
@@ -17,18 +17,31 @@
 
 #include <openssl/base.h>
 
+#include <string>
+#include <vector>
+
 
 // This header contains convenience functions for Wycheproof tests.
 
 class FileTest;
 
-enum class WycheproofResult {
+enum class WycheproofRawResult {
   kValid,
   kInvalid,
   kAcceptable,
 };
 
-// GetWycheproofResult sets |*out| to the parsed "result" key of |t|.
+struct WycheproofResult {
+  WycheproofRawResult raw_result;
+  std::vector<std::string> flags;
+
+  // IsValid returns true if the Wycheproof test should be considered valid. A
+  // test result of "acceptable" is treated as valid if all flags are included
+  // in |acceptable_flags| and invalid otherwise.
+  bool IsValid(const std::vector<std::string> &acceptable_flags = {}) const;
+};
+
+// GetWycheproofResult sets |*out| to the parsed "result" and "flags" keys of |t|.
 bool GetWycheproofResult(FileTest *t, WycheproofResult *out);
 
 // GetWycheproofDigest returns a digest function using the Wycheproof name, or
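Review bot: `WycheproofRawResult raw_result;` has no initializer, so a default-constructed `WycheproofResult result;` (the pattern used in the test files) holds an indeterminate value until `GetWycheproofResult` succeeds. `GetWycheproofResult` returns false before writing `raw_result` when the "result" attribute is missing or unrecognized, so any caller that does not stop on the return value would switch on garbage in `IsValid`. A fail-closed default costs nothing: `WycheproofRawResult raw_result = WycheproofRawResult::kInvalid;`. The `IsValid` comment should also say what happens for an "acceptable" result with no flags at all, since the phrase "all flags are included" is vacuously true in that case.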
diff --git a/third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt b/third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt
index f15837c..0a259b8 100644
--- a/third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt
+++ b/third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt
@@ -206,9 +206,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 26
 # zero padding
@@ -217,9 +215,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 27
 # zero padding
@@ -228,9 +224,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 28
 # zero padding
@@ -239,9 +233,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 29
 # zero padding
@@ -250,9 +242,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 30
 # padding with 0xff
@@ -261,9 +251,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 31
 # padding with 0xff
@@ -272,9 +260,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 32
 # padding with 0xff
@@ -283,9 +269,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 33
 # padding with 0xff
@@ -294,9 +278,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 34
 # padding with 0xff
@@ -305,9 +287,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 35
 # bit padding
@@ -316,9 +296,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 36
 # bit padding
@@ -327,9 +305,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 37
 # bit padding
@@ -338,9 +314,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 38
 # bit padding
@@ -349,9 +323,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 39
 # bit padding
@@ -360,9 +332,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 40
 # padding longer than 1 block
@@ -371,9 +341,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 41
 # padding longer than 1 block
@@ -382,9 +350,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 42
 # padding longer than 1 block
@@ -393,9 +359,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 43
 # padding longer than 1 block
@@ -404,9 +368,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 44
 # padding longer than 1 block
@@ -415,9 +377,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 45
 # ANSI X.923 padding
@@ -426,9 +386,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 46
 # ANSI X.923 padding
@@ -437,9 +395,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 47
 # ANSI X.923 padding
@@ -448,9 +404,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 48
 # ANSI X.923 padding
@@ -459,9 +413,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 49
 # ISO 10126 padding
@@ -470,9 +422,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 50
 # ISO 10126 padding
@@ -481,9 +431,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 51
 # ISO 10126 padding
@@ -492,9 +440,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 52
 # ISO 10126 padding
@@ -503,9 +449,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 53
 # padding longer than message
@@ -514,9 +458,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 54
 # padding longer than message
@@ -525,9 +467,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 55
 # padding longer than message
@@ -536,9 +476,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 56
 # padding longer than message
@@ -547,9 +485,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 57
 # padding longer than message
@@ -558,9 +494,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 58
 #  invalid padding
@@ -569,9 +503,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 59
 #  invalid padding
@@ -580,9 +512,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 60
 #  invalid padding
@@ -591,9 +521,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 61
 #  invalid padding
@@ -602,9 +530,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 [ivSize = 128]
 [keySize = 192]
@@ -808,9 +734,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 87
 # zero padding
@@ -819,9 +743,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 88
 # zero padding
@@ -830,9 +752,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 89
 # zero padding
@@ -841,9 +761,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 90
 # zero padding
@@ -852,9 +770,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 91
 # padding with 0xff
@@ -863,9 +779,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 92
 # padding with 0xff
@@ -874,9 +788,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 93
 # padding with 0xff
@@ -885,9 +797,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 94
 # padding with 0xff
@@ -896,9 +806,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 95
 # padding with 0xff
@@ -907,9 +815,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 96
 # bit padding
@@ -918,9 +824,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 97
 # bit padding
@@ -929,9 +833,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 98
 # bit padding
@@ -940,9 +842,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 99
 # bit padding
@@ -951,9 +851,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 100
 # bit padding
@@ -962,9 +860,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 101
 # padding longer than 1 block
@@ -973,9 +869,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 102
 # padding longer than 1 block
@@ -984,9 +878,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 103
 # padding longer than 1 block
@@ -995,9 +887,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 104
 # padding longer than 1 block
@@ -1006,9 +896,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 105
 # padding longer than 1 block
@@ -1017,9 +905,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 106
 # ANSI X.923 padding
@@ -1028,9 +914,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 107
 # ANSI X.923 padding
@@ -1039,9 +923,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 108
 # ANSI X.923 padding
@@ -1050,9 +932,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 109
 # ANSI X.923 padding
@@ -1061,9 +941,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 110
 # ISO 10126 padding
@@ -1072,9 +950,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 111
 # ISO 10126 padding
@@ -1083,9 +959,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 112
 # ISO 10126 padding
@@ -1094,9 +968,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 113
 # ISO 10126 padding
@@ -1105,9 +977,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 114
 # padding longer than message
@@ -1116,9 +986,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 115
 # padding longer than message
@@ -1127,9 +995,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 116
 # padding longer than message
@@ -1138,9 +1004,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 117
 # padding longer than message
@@ -1149,9 +1013,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 118
 # padding longer than message
@@ -1160,9 +1022,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 119
 #  invalid padding
@@ -1171,9 +1031,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 120
 #  invalid padding
@@ -1182,9 +1040,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 121
 #  invalid padding
@@ -1193,9 +1049,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 122
 #  invalid padding
@@ -1204,9 +1058,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 [ivSize = 128]
 [keySize = 256]
@@ -1410,9 +1262,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 148
 # zero padding
@@ -1421,9 +1271,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 149
 # zero padding
@@ -1432,9 +1280,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 150
 # zero padding
@@ -1443,9 +1289,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 151
 # zero padding
@@ -1454,9 +1298,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 152
 # padding with 0xff
@@ -1465,9 +1307,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 153
 # padding with 0xff
@@ -1476,9 +1316,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 154
 # padding with 0xff
@@ -1487,9 +1325,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 155
 # padding with 0xff
@@ -1498,9 +1334,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 156
 # padding with 0xff
@@ -1509,9 +1343,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 157
 # bit padding
@@ -1520,9 +1352,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 158
 # bit padding
@@ -1531,9 +1361,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 159
 # bit padding
@@ -1542,9 +1370,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 160
 # bit padding
@@ -1553,9 +1379,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 161
 # bit padding
@@ -1564,9 +1388,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 162
 # padding longer than 1 block
@@ -1575,9 +1397,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 163
 # padding longer than 1 block
@@ -1586,9 +1406,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 164
 # padding longer than 1 block
@@ -1597,9 +1415,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 165
 # padding longer than 1 block
@@ -1608,9 +1424,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 166
 # padding longer than 1 block
@@ -1619,9 +1433,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 167
 # ANSI X.923 padding
@@ -1630,9 +1442,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 168
 # ANSI X.923 padding
@@ -1641,9 +1451,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 169
 # ANSI X.923 padding
@@ -1652,9 +1460,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 170
 # ANSI X.923 padding
@@ -1663,9 +1469,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 171
 # ISO 10126 padding
@@ -1674,9 +1478,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 172
 # ISO 10126 padding
@@ -1685,9 +1487,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 173
 # ISO 10126 padding
@@ -1696,9 +1496,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 174
 # ISO 10126 padding
@@ -1707,9 +1505,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 175
 # padding longer than message
@@ -1718,9 +1514,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 176
 # padding longer than message
@@ -1729,9 +1523,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 177
 # padding longer than message
@@ -1740,9 +1532,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 178
 # padding longer than message
@@ -1751,9 +1541,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 179
 # padding longer than message
@@ -1762,9 +1550,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 180
 #  invalid padding
@@ -1773,9 +1559,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 181
 #  invalid padding
@@ -1784,9 +1568,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 182
 #  invalid padding
@@ -1795,9 +1577,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 183
 #  invalid padding
@@ -1806,7 +1586,5 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
diff --git a/third_party/wycheproof_testvectors/aes_gcm_siv_test.txt b/third_party/wycheproof_testvectors/aes_gcm_siv_test.txt
index 3a4b556..9f0ba23 100644
--- a/third_party/wycheproof_testvectors/aes_gcm_siv_test.txt
+++ b/third_party/wycheproof_testvectors/aes_gcm_siv_test.txt
@@ -383,8 +383,7 @@
 msg = 43488548d88e6f774bcd2d52c18fbcc933a4e9a9613ff3edbe959ec59522adc098b3133b8d17b9e9dad631ad33752c95
 result = valid
 tag = 00000000000000000000000000000000
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 40
 # Testing for ctr overflow
@@ -395,8 +394,7 @@
 msg = f012c6a7eb0e8af5bc45e015e7680a693dc709b95383f6a94babec1bc36e4be3cf4f55a31a94f11c6c3f90eed99682bc
 result = valid
 tag = ffffffffffffffffffffffffffffffff
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 41
 # Testing for ctr overflow
@@ -407,8 +405,7 @@
 msg = 71ceee58179d6fb968521e9594dbf98cc0040f6aa38fe873c32a9b122d6cbfd51aa4778b3f4f37be7348690d97e2468b
 result = valid
 tag = fefffffffefffffffefffffffeffffff
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 42
 # Testing for ctr overflow
@@ -419,8 +416,7 @@
 msg = 2e14f9e9a09ea204557367898a80dcad117af3666bea25762b70633a9f3614fbe631ba617c371fd5566d5e613496e69f
 result = valid
 tag = ffffff7f00112233445566778899aabb
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 43
 # Testing for ctr overflow
@@ -431,8 +427,7 @@
 msg = 27fac75879c9d87cd52a0793137ba792f6f145148158eb538f2081e09cd0315986a7025045ecbb2ca1bb18a17bfcd567
 result = valid
 tag = ffffffffffffff7f0011223344556677
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 44
 # Flipped bit 0 in tag
@@ -1153,8 +1148,7 @@
 msg = bdd411814564c4218d224d50591c818855a862a0a519ac0b3d71a2edb12aa71eb81959bcc6b84c45aa424c9aca0b7bdd
 result = valid
 tag = 00000000000000000000000000000000
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 117
 # Testing for ctr overflow
@@ -1165,8 +1159,7 @@
 msg = d04846a01f472262e60a1cb4cfcbdcb05c3f819628a3a49395c5dae96c434b2417ce071699afa74a60c32c0bafd9c01a
 result = valid
 tag = ffffffffffffffffffffffffffffffff
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 118
 # Testing for ctr overflow
@@ -1177,8 +1170,7 @@
 msg = 79637cee9decf33e3080de3d2c55bd21cd529ba8080b583edb6cfe13cda04bd00debe58b8cd48d6e02a1ecfc4d87923a
 result = valid
 tag = fefffffffefffffffefffffffeffffff
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 119
 # Testing for ctr overflow
@@ -1189,8 +1181,7 @@
 msg = 6492a73880dac7f36743715b0fc7063d3e46a25044310bba5849ed88bfcb54b0adbe3978040bda849906e1aa09d1a8e3
 result = valid
 tag = ffffff7f00112233445566778899aabb
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 120
 # Testing for ctr overflow
@@ -1201,8 +1192,7 @@
 msg = 7848d9e872f40bca1b82a4e7185fb75193b3496cc1dc2a72b86ed156ab8389e71687ed25eb6485e66561fa8c39853368
 result = valid
 tag = ffffffffffffff7f0011223344556677
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 121
 # Flipped bit 0 in tag
diff --git a/third_party/wycheproof_testvectors/aes_gcm_test.txt b/third_party/wycheproof_testvectors/aes_gcm_test.txt
index e879921..4600340 100644
--- a/third_party/wycheproof_testvectors/aes_gcm_test.txt
+++ b/third_party/wycheproof_testvectors/aes_gcm_test.txt
@@ -500,9 +500,7 @@
 msg = 
 result = acceptable
 tag = 44aca00f42e4199b829a55e69b073d9e
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 52
 # small IV sizes
@@ -513,9 +511,7 @@
 msg = d8986df0241ed3297582c0c239c724cb
 result = acceptable
 tag = 3290aa95af505a742f517fabcc9b2094
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 128]
 [keySize = 128]
@@ -584,8 +580,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 152a65045fe674f97627427af5be22da
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 60
 # J0:00000000000000000000000000000000
@@ -596,8 +591,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 213a3cb93855d18e69337eee66aeec07
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 61
 # J0:ffffffffffffffffffffffffffffffff
@@ -608,8 +602,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 99b381bfa2af9751c39d1b6e86d1be6a
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 62
 # J0:fffffffffffffffffffffffffffffffe
@@ -620,8 +613,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 5281efc7f13ac8e14ccf5dca7bfbfdd1
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 63
 # J0:fffffffffffffffffffffffffffffffd
@@ -632,8 +624,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = a3ea2c09ee4f8c8a12f45cddf9aeff81
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 64
 # J0:000102030405060708090a0bffffffff
@@ -644,8 +635,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 07eb2fe4a958f8434d40684899507c7c
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 65
 # J0:000102030405060708090a0bfffffffe
@@ -656,8 +646,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = f145c2dcaf339eede427be934357eac0
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 66
 # J0:000102030405060708090a0bfffffffd
@@ -668,8 +657,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = facd0bfe8701b7b4a2ba96d98af52bd9
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 67
 # J0:000102030405060708090a0b7fffffff
@@ -680,8 +668,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = a03e729dcfd7a03155655fece8affd7e
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 68
 # J0:000102030405060708090a0b7ffffffe
@@ -692,8 +679,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 1e43926828bc9a1614c7b1639096c195
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 69
 # J0:000102030405060708090a0bffff7fff
@@ -704,8 +690,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = f08baddf0b5285c91fc06a67fe4708ca
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 70
 # J0:000102030405060708090a0bffff7ffe
@@ -716,8 +701,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 62a4b6875c288345d6a454399eac1afa
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 71
 # special case
@@ -1217,8 +1201,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 09338a42f0acc14f97c064f52f5f1688
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 122
 # J0:00000000000000000000000000000000
@@ -1229,8 +1212,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 90be3606de58bd778fa5beff4a4102bd
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 123
 # J0:ffffffffffffffffffffffffffffffff
@@ -1241,8 +1223,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 6e4d6396125a10df5443bd0cbc8566d1
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 124
 # J0:fffffffffffffffffffffffffffffffe
@@ -1253,8 +1234,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = dc481f172545268eff63ab0490403dc3
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 125
 # J0:fffffffffffffffffffffffffffffffd
@@ -1265,8 +1245,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 8a3a22bf2592958b930292aa47f590e8
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 126
 # J0:000102030405060708090a0bffffffff
@@ -1277,8 +1256,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 2db9dc1b7fd315df1c95432432fcf474
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 127
 # J0:000102030405060708090a0bfffffffe
@@ -1289,8 +1267,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 82ad967f7ac19084354f69a751443fb2
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 128
 # J0:000102030405060708090a0bfffffffd
@@ -1301,8 +1278,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 472d5dd582dc05ef5fc496b612023cb2
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 129
 # J0:000102030405060708090a0b7fffffff
@@ -1313,8 +1289,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = caff723826df150934aee3201ba175e7
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 130
 # J0:000102030405060708090a0b7ffffffe
@@ -1325,8 +1300,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 3b08958be1286c2b4acba02b3674adb2
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 131
 # J0:000102030405060708090a0bffff7fff
@@ -1337,8 +1311,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = c14d52208f0f51b816a48971eaf8ff7e
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 132
 # J0:000102030405060708090a0bffff7ffe
@@ -1349,8 +1322,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = ea2d018099cd7925c507cef0ceddb0ae
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 133
 # special case
@@ -1877,8 +1849,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = d5808a1bd11a01129bf3c6919aff2339
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 187
 # J0:00000000000000000000000000000000
@@ -1889,8 +1860,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 8132e865b69d64ef37db261f80cbbe24
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 188
 # J0:ffffffffffffffffffffffffffffffff
@@ -1901,8 +1871,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 155da6441ec071ef2d8e6cffbacc1c7c
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 189
 # J0:fffffffffffffffffffffffffffffffe
@@ -1913,8 +1882,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 6c574aa6a2490cc3b2f2f8f0ffbc56c4
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 190
 # J0:fffffffffffffffffffffffffffffffd
@@ -1925,8 +1893,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 8082a761e1d755344bf29622144e7d39
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 191
 # J0:000102030405060708090a0bffffffff
@@ -1937,8 +1904,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 033e0ef2953ebfd8425737c7d393f89a
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 192
 # J0:000102030405060708090a0bfffffffe
@@ -1949,8 +1915,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = ca448bb7e52e897eca234ef343d057d0
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 193
 # J0:000102030405060708090a0bfffffffd
@@ -1961,8 +1926,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 84f49740e6757f63dd0df7cb7656d0ef
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 194
 # J0:000102030405060708090a0b7fffffff
@@ -1973,8 +1937,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 877e15d9889e69a99fcc6d727465c391
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 195
 # J0:000102030405060708090a0b7ffffffe
@@ -1985,8 +1948,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = cd5757626945976ba9f0264bd6bee894
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 196
 # J0:000102030405060708090a0bffff7fff
@@ -1997,8 +1959,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = b015d72da62c81cb4d267253b20db9e5
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 197
 # J0:000102030405060708090a0bffff7ffe
@@ -2009,8 +1970,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = ee74ccb30d649ebf6916d05a7dbe5696
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 198
 # special case
@@ -2342,9 +2302,7 @@
 msg = 
 result = invalid
 tag = cf71978ffcc778f3c85ac9c31b6fe191
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 # tcId = 224
 # 0 size IV is not valid
@@ -2355,9 +2313,7 @@
 msg = 324ced6cd15ecc5b3741541e22c18ad9
 result = invalid
 tag = a2c7e8d7a19b884f742dfec3e76c75ee
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 [ivSize = 0]
 [keySize = 192]
@@ -2372,9 +2328,7 @@
 msg = 
 result = invalid
 tag = ca69a2eb3a096ea36b1015d5dffff532
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 # tcId = 226
 # 0 size IV is not valid
@@ -2385,9 +2339,7 @@
 msg = d62f302742d61d823ea991b93430d589
 result = invalid
 tag = 2c9488d53a0b2b5308c2757dfac7219f
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 [ivSize = 0]
 [keySize = 256]
@@ -2402,9 +2354,7 @@
 msg = 
 result = invalid
 tag = 1726aa695fbaa21a1db88455c670a4b0
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 # tcId = 228
 # 0 size IV is not valid
@@ -2415,9 +2365,7 @@
 msg = c314235341debfafa1526bb61044a7f1
 result = invalid
 tag = 8fe0520ad744a11f0ccfd228454363fa
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 [ivSize = 8]
 [keySize = 128]
@@ -2432,9 +2380,7 @@
 msg = 
 result = acceptable
 tag = af498f701d2470695f6e7c8327a2398b
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 230
 # small IV sizes
@@ -2445,9 +2391,7 @@
 msg = f2d99a9f893378e0757d27c2e3a3101b
 result = acceptable
 tag = 96e6fd2cdc707e3ee0a1c90d34c9c36c
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 16]
 [keySize = 128]
@@ -2462,9 +2406,7 @@
 msg = 
 result = acceptable
 tag = 4ccf1efb4da05b4ae4452aea42f5424b
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 232
 # small IV sizes
@@ -2475,9 +2417,7 @@
 msg = 5a6ad6db70591d1e520b0122f05021a0
 result = acceptable
 tag = 98f47a5279cebbcac214515710f6cd8a
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 32]
 [keySize = 128]
@@ -2492,9 +2432,7 @@
 msg = 
 result = acceptable
 tag = e574b355bda2980e047e584feb1676ca
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 234
 # small IV sizes
@@ -2505,9 +2443,7 @@
 msg = c8f07ba1d65554a9bd40390c30c5529c
 result = acceptable
 tag = 5c0bb79d8240041edce0f94bd4bb384f
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 48]
 [keySize = 128]
@@ -2522,9 +2458,7 @@
 msg = 
 result = acceptable
 tag = 1e2ed72af590cafb8647d185865f5463
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 236
 # small IV sizes
@@ -2535,9 +2469,7 @@
 msg = d021e53d9098a2df3d6b903cdad0cd9c
 result = acceptable
 tag = 9c0e22e5c41b1039ff5661ffaefa8e0f
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 8]
 [keySize = 192]
@@ -2552,9 +2484,7 @@
 msg = 
 result = acceptable
 tag = 08d96edb5e22874cd10cb2256ca04bc6
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 238
 # small IV sizes
@@ -2565,9 +2495,7 @@
 msg = f2b7b2c9b312cf2af78f003df15c8e19
 result = acceptable
 tag = 96a132ed43924e98feb888ff682bdaef
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 16]
 [keySize = 192]
@@ -2582,9 +2510,7 @@
 msg = 
 result = acceptable
 tag = 1f0d23070fcd748e25bf6454f5c9136e
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 240
 # small IV sizes
@@ -2595,9 +2521,7 @@
 msg = 3a2f5ad0eb216e546e0bcaa377b6cbc7
 result = acceptable
 tag = f6e0a979481f9957ddad0f21a777a73a
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 32]
 [keySize = 192]
@@ -2612,9 +2536,7 @@
 msg = 
 result = acceptable
 tag = 1475563e3212f3b5e40062569afd71e3
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 242
 # small IV sizes
@@ -2625,9 +2547,7 @@
 msg = 6f79e18b4acd5a03d3a5f7e1a8d0f183
 result = acceptable
 tag = 03ab26993b701910a2e8ecccd2ba9e52
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 48]
 [keySize = 192]
@@ -2642,9 +2562,7 @@
 msg = 
 result = acceptable
 tag = d7b9a6b58a97982916e83219fbf71b1e
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 244
 # small IV sizes
@@ -2655,9 +2573,7 @@
 msg = 4ba541a9914729216153801340ab1779
 result = acceptable
 tag = c052a55df3926a50990a532efe3d80ec
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 64]
 [keySize = 192]
@@ -2672,9 +2588,7 @@
 msg = 
 result = acceptable
 tag = f94f2049a6560c470b3a7ca7bbc31a3d
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 246
 # small IV sizes
@@ -2685,9 +2599,7 @@
 msg = c4b1e05ca3d591f9543e64de3fc682ac
 result = acceptable
 tag = 7db7402224fd583e312bc0e61cf11366
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 8]
 [keySize = 256]
@@ -2702,9 +2614,7 @@
 msg = 
 result = acceptable
 tag = 2a268bf3a75fd7b00ba230b904bbb014
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 248
 # small IV sizes
@@ -2715,9 +2625,7 @@
 msg = 976229f5538f9636476d69f0c328e29d
 result = acceptable
 tag = 8bbad4adc54b37a2b2f0f6e8617548c9
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 16]
 [keySize = 256]
@@ -2732,9 +2640,7 @@
 msg = 
 result = acceptable
 tag = 1d978a693120c11f6d51a3ed88cd4ace
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 250
 # small IV sizes
@@ -2745,9 +2651,7 @@
 msg = 5341c78e4ce5bf8fbc3e077d1990dd5d
 result = acceptable
 tag = b63ff43c12073ec5572b1be70f17e231
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 32]
 [keySize = 256]
@@ -2762,9 +2666,7 @@
 msg = 
 result = acceptable
 tag = ae6f7c9a29f0d8204ca50b14a1e0dcf2
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 252
 # small IV sizes
@@ -2775,9 +2677,7 @@
 msg = 33efb58c91e8c70271870ec00fe2e202
 result = acceptable
 tag = b824c33c13f289429659aa017c632f71
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 48]
 [keySize = 256]
@@ -2792,9 +2692,7 @@
 msg = 
 result = acceptable
 tag = 3db16725fafc828d414ab61c16a6c38f
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 254
 # small IV sizes
@@ -2805,9 +2703,7 @@
 msg = 91222263b12cf5616a049cbe29ab9b5b
 result = acceptable
 tag = c8fc39906aca0c64e14a43ff750abd8a
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 64]
 [keySize = 256]
@@ -2822,9 +2718,7 @@
 msg = 
 result = acceptable
 tag = 1311f9f830d729c189b74ec4f9080fa1
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 256
 # small IV sizes
@@ -2835,7 +2729,5 @@
 msg = 82e3e604d2be8fcab74f638d1e70f24c
 result = acceptable
 tag = af68a37cfefecc4ab99ba50a5353edca
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
diff --git a/third_party/wycheproof_testvectors/dsa_test.txt b/third_party/wycheproof_testvectors/dsa_test.txt
index 3805f12..14ad490 100644
--- a/third_party/wycheproof_testvectors/dsa_test.txt
+++ b/third_party/wycheproof_testvectors/dsa_test.txt
@@ -18,11 +18,7 @@
 msg = 313233343030
 result = acceptable
 sig = 302c0214aa6a258fbf7d90e15614676d377df8b10e38db4a0214496d5220b5f67d3532d1f991203bc3523b964c3b
-# ASN encoded integers with a leading hex-digit in the range 8 .. F are
-# negative. If the first hex-digit of a positive integer is 8 .. F then a
-# leading 0 must be added. Some libraries forgot to do this and therefore
-# generated invalid DSA signatures. Some providers accept such legacy signatures
-# for compatibility.
+flags = NoLeadingZero
 
 # tcId = 2
 # valid
@@ -881,1287 +877,1001 @@
 msg = 313233343030
 result = invalid
 sig = 301a0201000215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 145
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 146
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 147
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 148
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902010002145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 149
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902010002145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 150
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020100021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 151
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020100021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 152
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020100021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 153
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201000215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 154
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702010002818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 155
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 156
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 157
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201010215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 158
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 159
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 160
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 161
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902010102145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 162
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902010102145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 163
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020101021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 164
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020101021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 165
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020101021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 166
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201010215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 167
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702010102818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 168
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 169
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 170
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff0215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 171
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 172
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 173
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 174
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30190201ff02145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 175
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30190201ff02145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 176
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 177
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 178
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 179
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff0215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 180
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3081870201ff02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 181
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 182
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 183
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d80215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 184
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d8020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 185
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d8020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 186
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d80201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 187
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302c02145c859c5d0528521f6344c69fcdb4024bbbfa44d802145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 188
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302c02145c859c5d0528521f6344c69fcdb4024bbbfa44d802145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 189
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d8021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 190
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d8021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 191
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d8021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 192
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d80215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 193
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819a02145c859c5d0528521f6344c69fcdb4024bbbfa44d802818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 194
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301b02145c859c5d0528521f6344c69fcdb4024bbbfa44d8090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 195
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d8090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 196
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d90215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 197
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d9020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 198
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d9020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 199
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d90201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 200
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302c02145c859c5d0528521f6344c69fcdb4024bbbfa44d902145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 201
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302c02145c859c5d0528521f6344c69fcdb4024bbbfa44d902145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 202
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d9021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 203
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d9021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 204
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d9021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 205
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d90215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 206
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819a02145c859c5d0528521f6344c69fcdb4024bbbfa44d902818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 207
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301b02145c859c5d0528521f6344c69fcdb4024bbbfa44d9090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 208
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d9090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 209
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b00215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 210
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b0020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 211
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b0020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 212
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b00201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 213
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b002145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 214
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b002145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 215
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b0021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 216
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b0021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 217
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b0021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 218
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b00215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 219
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b021500b90b38ba0a50a43ec6898d3f9b68049777f489b002818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 220
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c021500b90b38ba0a50a43ec6898d3f9b68049777f489b0090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 221
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b0090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 222
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b10215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 223
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b1020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 224
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b1020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 225
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b10201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 226
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b102145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 227
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b102145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 228
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b1021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 229
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b1021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 230
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b1021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 231
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b10215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 232
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b021500b90b38ba0a50a43ec6898d3f9b68049777f489b102818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 233
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c021500b90b38ba0a50a43ec6898d3f9b68049777f489b1090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 234
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b1090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 235
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b20215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 236
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b2020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 237
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b2020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 238
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b20201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 239
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b202145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 240
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b202145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 241
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b2021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 242
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b2021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 243
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b2021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 244
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b20215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 245
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b021500b90b38ba0a50a43ec6898d3f9b68049777f489b202818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 246
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c021500b90b38ba0a50a43ec6898d3f9b68049777f489b2090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 247
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b2090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 248
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e02150100000000000000000000000000000000000000000215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 249
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0215010000000000000000000000000000000000000000020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 250
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0215010000000000000000000000000000000000000000020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 251
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a02150100000000000000000000000000000000000000000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 252
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021501000000000000000000000000000000000000000002145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 253
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021501000000000000000000000000000000000000000002145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 254
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e0215010000000000000000000000000000000000000000021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 255
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e0215010000000000000000000000000000000000000000021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 256
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e0215010000000000000000000000000000000000000000021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 257
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e02150100000000000000000000000000000000000000000215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 258
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b021501000000000000000000000000000000000000000002818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 259
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c0215010000000000000000000000000000000000000000090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 260
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0215010000000000000000000000000000000000000000090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 261
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f0215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 262
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 263
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 264
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 265
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819a02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f02145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 266
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819a02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f02145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 267
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 268
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 269
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 270
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f0215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 271
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3082010802818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 272
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818902818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 273
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 274
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe010215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 275
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008090380fe01020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 276
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008090380fe01020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 277
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008090380fe010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 278
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301b090380fe0102145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 279
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301b090380fe0102145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 280
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe01021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 281
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe01021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 282
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe01021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 283
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe010215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 284
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 308189090380fe0102818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 285
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 300a090380fe01090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 286
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008090380fe01090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 287
 # Signature encoding contains wrong type.
@@ -2291,11 +2001,7 @@
 msg = 48656c6c6f
 result = acceptable
 sig = 303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021cade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236
-# ASN encoded integers with a leading hex-digit in the range 8 .. F are
-# negative. If the first hex-digit of a positive integer is 8 .. F then a
-# leading 0 must be added. Some libraries forgot to do this and therefore
-# generated invalid DSA signatures. Some providers accept such legacy signatures
-# for compatibility.
+flags = NoLeadingZero
 
 # tcId = 304
 # valid
@@ -3154,1287 +2860,1001 @@
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 447
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020100020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 448
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020100020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 449
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 450
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021020100021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 451
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021020100021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 452
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 453
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 454
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 455
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 456
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802010002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 457
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008020100090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 458
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020100090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 459
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 460
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020101020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 461
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020101020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 462
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 463
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021020101021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 464
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021020101021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 465
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 466
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 467
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 468
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 469
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802010102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 470
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008020101090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 471
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020101090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 472
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 473
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201ff020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 474
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201ff020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 475
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201ff0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 476
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30210201ff021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 477
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30210201ff021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 478
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 479
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 480
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 481
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 482
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 308201080201ff02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 483
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30080201ff090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 484
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201ff090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 485
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 486
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 487
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 488
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 489
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 490
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 491
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 492
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 493
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 494
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 495
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820123021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 496
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3023021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 497
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 498
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 499
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 500
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 501
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 502
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 503
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 504
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 505
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 506
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 507
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 508
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820123021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 509
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3023021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 510
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 511
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 512
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 513
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 514
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 515
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 516
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 517
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 518
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 519
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 520
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 521
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 522
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 523
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 524
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 525
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 526
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 527
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 528
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 529
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 530
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 531
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 532
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 533
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 534
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 535
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 536
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 537
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 538
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 539
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 540
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 541
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 542
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 543
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 544
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 545
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 546
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 547
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 548
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 549
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 550
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 551
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 552
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 553
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d01000000000000000000000000000000000000000000000000000000000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 554
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d0100000000000000000000000000000000000000000000000000000000021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 555
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d0100000000000000000000000000000000000000000000000000000000021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 556
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 557
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 558
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 559
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 560
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820124021d010000000000000000000000000000000000000000000000000000000002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 561
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024021d0100000000000000000000000000000000000000000000000000000000090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 562
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 563
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 564
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 565
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 566
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd6670201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 567
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012302820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 568
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012302820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 569
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 570
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 571
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 572
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 573
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082020a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd66702820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 574
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 575
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 576
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 577
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008090380fe01020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 578
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008090380fe01020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 579
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008090380fe010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 580
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3023090380fe01021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 581
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3023090380fe01021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 582
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 583
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 584
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 585
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 586
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010a090380fe0102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 587
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 300a090380fe01090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 588
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008090380fe01090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 589
 # Signature encoding contains wrong type.
@@ -4564,11 +3984,7 @@
 msg = 54657374
 result = acceptable
 sig = 303c021c9b6fe4a1cbd4467d7584ae382ae3130a580e61b969a6067373d5ee93021c5fe8234711d68fade4142c8cf60f385470480c386c062b38fb42b116
-# ASN encoded integers with a leading hex-digit in the range 8 .. F are
-# negative. If the first hex-digit of a positive integer is 8 .. F then a
-# leading 0 must be added. Some libraries forgot to do this and therefore
-# generated invalid DSA signatures. Some providers accept such legacy signatures
-# for compatibility.
+flags = NoLeadingZero
 
 # tcId = 606
 # valid
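Review bot: With the explanatory comment removed, `flags = NoLeadingZero` on this `result = acceptable` case is the only thing that decides whether the signature is expected to verify, and the file no longer says what the flag means. The first INTEGER in `sig` begins with `9b`, so under DER it encodes a negative r, and a strictly parsing verifier should reject it; that matches the default of treating "acceptable" as invalid. The driver that reads this file is outside the hunk, so please confirm it calls `result.IsValid()` without listing `NoLeadingZero`. If the converter can emit a legend once per file, a line such as `# NoLeadingZero: INTEGER lacks the 0x00 pad, so the value is negative under DER` would keep the meaning beside the data without restoring the per-case size cost.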
@@ -5427,1287 +4843,1001 @@
 msg = 54657374
 result = invalid
 sig = 3022020100021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 749
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020100020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 750
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020100020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 751
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 752
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021020100021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 753
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021020100021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 754
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 755
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 756
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 757
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020100021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 758
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802010002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 759
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008020100090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 760
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020100090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 761
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 762
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020101020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 763
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020101020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 764
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 765
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021020101021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 766
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021020101021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 767
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 768
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 769
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 770
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 771
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802010102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 772
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008020101090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 773
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020101090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 774
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 775
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201ff020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 776
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201ff020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 777
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201ff0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 778
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30210201ff021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 779
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30210201ff021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 780
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 781
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 782
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 783
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 784
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 308201080201ff02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 785
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30080201ff090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 786
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201ff090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 787
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 788
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 789
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 790
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 791
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 792
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 793
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 794
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 795
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 796
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 797
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820123021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 798
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3023021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 799
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 800
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 801
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 802
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 803
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 804
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 805
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 806
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 807
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 808
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 809
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 810
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820123021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 811
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3023021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 812
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 813
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 814
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 815
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 816
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 817
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 818
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 819
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 820
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 821
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 822
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 823
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 824
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 825
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 826
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 827
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 828
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 829
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 830
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 831
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 832
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 833
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 834
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 835
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 836
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 837
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 838
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 839
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 840
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 841
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 842
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 843
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 844
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 845
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 846
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 847
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 848
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 849
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 850
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 851
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 852
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 853
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 854
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 855
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d01000000000000000000000000000000000000000000000000000000000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 856
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d0100000000000000000000000000000000000000000000000000000000021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 857
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d0100000000000000000000000000000000000000000000000000000000021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 858
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 859
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 860
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 861
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 862
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820124021d010000000000000000000000000000000000000000000000000000000002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 863
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024021d0100000000000000000000000000000000000000000000000000000000090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 864
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 865
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 866
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 867
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 868
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd6670201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 869
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012302820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 870
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012302820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 871
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 872
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 873
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 874
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 875
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082020a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd66702820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 876
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 877
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 878
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 879
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008090380fe01020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 880
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008090380fe01020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 881
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008090380fe010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 882
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3023090380fe01021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 883
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3023090380fe01021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 884
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 885
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 886
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 887
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 888
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010a090380fe0102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 889
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 300a090380fe01090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 890
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008090380fe01090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 891
 # Signature encoding contains wrong type.
diff --git a/third_party/wycheproof_testvectors/ecdh_secp224r1_test.txt b/third_party/wycheproof_testvectors/ecdh_secp224r1_test.txt
index 9354e30..9e339ae 100644
--- a/third_party/wycheproof_testvectors/ecdh_secp224r1_test.txt
+++ b/third_party/wycheproof_testvectors/ecdh_secp224r1_test.txt
@@ -20,8 +20,7 @@
 public = 3032301006072a8648ce3d020106052b81040021031e00027d8ac211e1228eb094e285a957d9912e93deee433ed777440ae9fc71
 result = acceptable
 shared = b8ecdb552d39228ee332bafe4886dbff272f7109edf933bc7542bd4f
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 3
 # edge case for shared secret
@@ -533,9 +532,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504
 result = valid
 shared = 475fd96e0eb8cb8f100a5d7fe043a7a6851d1d611da2643a3c6ae708
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 76
 # edge case private key
@@ -543,9 +540,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504
 result = valid
 shared = 41ef931d669d1f57d8bb95a01a92321da74be8c6cbc3bbe0b2e73ebd
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 77
 # edge case private key
@@ -560,9 +555,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504
 result = valid
 shared = 11ff15126411299cbd49e2b7542e69e91ef132e2551a16ecfebb23a3
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 79
 # point is not on curve
@@ -688,12 +681,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5d
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 97
 # public point = (0,0)
@@ -701,12 +689,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a00040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 98
 # order = -26959946667150639794667015087019625940457807714424391721682722368061
@@ -714,20 +697,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021dff0000000000000000000000000000e95d1f470fc1ec22d6baa3a3d5c3020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 99
 # order = 0
@@ -735,20 +705,7 @@
 public = 3081f73081b806072a8648ce3d02013081ac020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34020100020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 100
 # order = 1
@@ -756,20 +713,7 @@
 public = 3081f73081b806072a8648ce3d02013081ac020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34020101020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 101
 # order = 6277101735386680763835789423207665314073163949517624387909
@@ -777,20 +721,7 @@
 public = 3082010f3081d006072a8648ce3d02013081c4020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021900ffffffffffffffffffffffffffff16a2e0b8f03e13dd2945020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 102
 # generator = (0,0)
@@ -798,17 +729,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb40439040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 103
 # generator not on curve
@@ -816,17 +737,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e36021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 104
 # cofactor = -1
@@ -834,17 +745,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d0201ff033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 105
 # cofactor = 0
@@ -852,17 +753,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020100033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 106
 # cofactor = 2
@@ -870,17 +761,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020102033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 107
 # cofactor =
@@ -889,17 +770,7 @@
 public = 3082012f3081f006072a8648ce3d02013081e4020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 108
 # cofactor = None
@@ -907,17 +778,7 @@
 public = 308201103081d106072a8648ce3d02013081c5020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 109
 # modified prime
@@ -925,20 +786,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00c123da0a46a971da9468161e61a5c71a02e6c9bdb3392f4016fb457b303c041c3edc25f5b9568e256b97e9e19e5a38e4fd1936424cc6d0bfe904ba83041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904000000000000000000285145f31ae4d40000000000000000000003387edad63d1a600740ce66b6f04d67ed06ea1a75c16294336ed05b3fa3021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004000000000000000000285145f31ae4d40000000000000000000003387edad63d1a600740ce66b6f04d67ed06ea1a75c16294336ed05b3fa3
 result = invalid
 shared = 3de0a5036fcde544c72cbe33cedb8709549bc3b6a4d750ee0de4c80d
-# The modulus of the public key has been modified. The public point of the
-# public key has been chosen so that it is both a point on both the curve of the
-# modified public key and the private key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = ModifiedPrime,InvalidPublic,UnnamedCurve
 
 # tcId = 110
 # using secp256r1
@@ -946,12 +794,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d03010703420004cbf6606595a3ee50f9fceaa2798c2740c82540516b4e5a7d361ff24e9dd15364e5408b2e679f9d5310d1f6893b36ce16b4a507509175fcb52aea53b781556b39
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 111
 # using secp256k1
@@ -959,12 +802,7 @@
 public = 3056301006072a8648ce3d020106052b8104000a03420004a1263e75b87ae0937060ff1472f330ee55cdf8f4329d6284a9ebfbcc856c11684225e72cbebff41e54fb6f00e11afe53a17937bedbf2df787f8ef9584f775838
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 112
 # a = 0
@@ -972,17 +810,7 @@
 public = 3081f83081b906072a8648ce3d02013081ad020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff0000000000000000000000013021040100041cd0d5e347a38ce5b6e1f47edddd8a223bca45d2015de76ec835a4df57043904a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 113
 # public key of order 3
@@ -990,21 +818,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cacb441c744c5af60905e78cd53b10f4aec9f30a302bb4ab0aeb53182041c2356bdcb3ae3e1c1e31741c951add1b2b0f87305d01021232aa22e0c043904bafbb7559c7335192c6f0cc5970e9c92a12e9af1a0cb5403d9bcc4eb7a545a1d9302be01456f17846a445ef45ff7c31710b08a6881dc11d1021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004bafbb7559c7335192c6f0cc5970e9c92a12e9af1a0cb5403d9bcc4eb85aba5e26cfd41feba90e87b95bba10aa0083ce8ef4f75977e23ee30
 result = invalid
 shared = 
-# The vector contains a weak public key. The curve is not a named curve, the
-# public key point has order 3 and has been chosen to be on the same curve as
-# the private key. This test vector is used to check ECC implementations for
-# missing steps in the verification of the public key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WeakPublicKey,InvalidPublic,UnnamedCurve
 
 # tcId = 114
 # Public key uses wrong curve: secp256r1
@@ -1117,8 +931,7 @@
 public = 3032301006072a8648ce3d020106052b81040021031e00020ca753db5ddeca474241f8d2dafc0844343fd0e37eded2f0192d51b2
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 130
 # long form encoding of length of sequence
@@ -1126,9 +939,7 @@
 public = 30814e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 131
 # long form encoding of length of sequence
@@ -1136,9 +947,7 @@
 public = 304f30811006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 132
 # length of sequence contains leading 0
@@ -1146,9 +955,7 @@
 public = 3082004e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 133
 # length of sequence contains leading 0
@@ -1156,9 +963,7 @@
 public = 30503082001006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 134
 # wrong length of sequence
@@ -1166,9 +971,7 @@
 public = 304f301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 135
 # wrong length of sequence
@@ -1176,9 +979,7 @@
 public = 304d301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 136
 # wrong length of sequence
@@ -1186,9 +987,7 @@
 public = 304e301106072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 137
 # wrong length of sequence
@@ -1196,9 +995,7 @@
 public = 304e300f06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 138
 # uint32 overflow in length of sequence
@@ -1206,9 +1003,7 @@
 public = 3085010000004e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 139
 # uint32 overflow in length of sequence
@@ -1216,9 +1011,7 @@
 public = 30533085010000001006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 140
 # uint64 overflow in length of sequence
@@ -1226,9 +1019,7 @@
 public = 308901000000000000004e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 141
 # uint64 overflow in length of sequence
@@ -1236,9 +1027,7 @@
 public = 3057308901000000000000001006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 142
 # length of sequence = 2**31 - 1
@@ -1246,9 +1035,7 @@
 public = 30847fffffff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 143
 # length of sequence = 2**31 - 1
@@ -1256,9 +1043,7 @@
 public = 305230847fffffff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 144
 # length of sequence = 2**32 - 1
@@ -1266,9 +1051,7 @@
 public = 3084ffffffff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 145
 # length of sequence = 2**32 - 1
@@ -1276,9 +1059,7 @@
 public = 30523084ffffffff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 146
 # length of sequence = 2**40 - 1
@@ -1286,9 +1067,7 @@
 public = 3085ffffffffff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 147
 # length of sequence = 2**40 - 1
@@ -1296,9 +1075,7 @@
 public = 30533085ffffffffff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 148
 # length of sequence = 2**64 - 1
@@ -1306,9 +1083,7 @@
 public = 3088ffffffffffffffff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 149
 # length of sequence = 2**64 - 1
@@ -1316,9 +1091,7 @@
 public = 30563088ffffffffffffffff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 150
 # incorrect length of sequence
@@ -1326,9 +1099,7 @@
 public = 30ff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 151
 # incorrect length of sequence
@@ -1336,9 +1107,7 @@
 public = 304e30ff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 152
 # indefinite length without termination
@@ -1346,9 +1115,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 153
 # indefinite length without termination
@@ -1356,9 +1123,7 @@
 public = 304e308006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 154
 # indefinite length without termination
@@ -1366,9 +1131,7 @@
 public = 304e301006802a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 155
 # indefinite length without termination
@@ -1376,9 +1139,7 @@
 public = 304e301006072a8648ce3d020106802b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 156
 # indefinite length without termination
@@ -1386,9 +1147,7 @@
 public = 304e301006072a8648ce3d020106052b810400210380000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 157
 # removing sequence
@@ -1396,9 +1155,7 @@
 public = 
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 158
 # removing sequence
@@ -1406,9 +1163,7 @@
 public = 303c033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 159
 # lonely sequence tag
@@ -1416,9 +1171,7 @@
 public = 30
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 160
 # lonely sequence tag
@@ -1426,9 +1179,7 @@
 public = 303d30033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 161
 # appending 0's to sequence
@@ -1436,9 +1187,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 162
 # appending 0's to sequence
@@ -1446,9 +1195,7 @@
 public = 3050301206072a8648ce3d020106052b810400210000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 163
 # prepending 0's to sequence
@@ -1456,9 +1203,7 @@
 public = 30500000301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 164
 # prepending 0's to sequence
@@ -1466,9 +1211,7 @@
 public = 30503012000006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 165
 # appending unused 0's to sequence
@@ -1476,9 +1219,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 166
 # appending unused 0's to sequence
@@ -1486,9 +1227,7 @@
 public = 3050301006072a8648ce3d020106052b810400210000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 167
 # appending null value to sequence
@@ -1496,9 +1235,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620500
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 168
 # appending null value to sequence
@@ -1506,9 +1243,7 @@
 public = 3050301206072a8648ce3d020106052b810400210500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 169
 # including garbage
@@ -1516,9 +1251,7 @@
 public = 3053498177304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 170
 # including garbage
@@ -1526,9 +1259,7 @@
 public = 30522500304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 171
 # including garbage
@@ -1536,9 +1267,7 @@
 public = 3050304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620004deadbeef
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 172
 # including garbage
@@ -1546,9 +1275,7 @@
 public = 30533015498177301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 173
 # including garbage
@@ -1556,9 +1283,7 @@
 public = 305230142500301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 174
 # including garbage
@@ -1566,9 +1291,7 @@
 public = 30563012301006072a8648ce3d020106052b810400210004deadbeef033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 175
 # including garbage
@@ -1576,9 +1299,7 @@
 public = 30533015260c49817706072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 176
 # including garbage
@@ -1586,9 +1307,7 @@
 public = 30523014260b250006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 177
 # including garbage
@@ -1596,9 +1315,7 @@
 public = 30563018260906072a8648ce3d02010004deadbeef06052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 178
 # including garbage
@@ -1606,9 +1323,7 @@
 public = 3053301506072a8648ce3d0201260a49817706052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 179
 # including garbage
@@ -1616,9 +1331,7 @@
 public = 3052301406072a8648ce3d02012609250006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 180
 # including garbage
@@ -1626,9 +1339,7 @@
 public = 3056301806072a8648ce3d0201260706052b810400210004deadbeef033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 181
 # including garbage
@@ -1636,9 +1347,7 @@
 public = 3053301006072a8648ce3d020106052b81040021233f498177033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 182
 # including garbage
@@ -1646,9 +1355,7 @@
 public = 3052301006072a8648ce3d020106052b81040021233e2500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 183
 # including garbage
@@ -1656,9 +1363,7 @@
 public = 3056301006072a8648ce3d020106052b81040021233c033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620004deadbeef
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 184
 # including undefined tags
@@ -1666,9 +1371,7 @@
 public = 3056aa00bb00cd00304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 185
 # including undefined tags
@@ -1676,9 +1379,7 @@
 public = 3054aa02aabb304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 186
 # including undefined tags
@@ -1686,9 +1387,7 @@
 public = 30563018aa00bb00cd00301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 187
 # including undefined tags
@@ -1696,9 +1395,7 @@
 public = 30543016aa02aabb301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 188
 # including undefined tags
@@ -1706,9 +1403,7 @@
 public = 30563018260faa00bb00cd0006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 189
 # including undefined tags
@@ -1716,9 +1411,7 @@
 public = 30543016260daa02aabb06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 190
 # including undefined tags
@@ -1726,9 +1419,7 @@
 public = 3056301806072a8648ce3d0201260daa00bb00cd0006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 191
 # including undefined tags
@@ -1736,9 +1427,7 @@
 public = 3054301606072a8648ce3d0201260baa02aabb06052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 192
 # including undefined tags
@@ -1746,9 +1435,7 @@
 public = 3056301006072a8648ce3d020106052b810400212342aa00bb00cd00033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 193
 # including undefined tags
@@ -1756,9 +1443,7 @@
 public = 3054301006072a8648ce3d020106052b810400212340aa02aabb033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 194
 # truncated length of sequence
@@ -1766,9 +1451,7 @@
 public = 3081
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 195
 # truncated length of sequence
@@ -1776,9 +1459,7 @@
 public = 303e3081033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 196
 # Replacing sequence with NULL
@@ -1786,9 +1467,7 @@
 public = 0500
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 197
 # Replacing sequence with NULL
@@ -1796,9 +1475,7 @@
 public = 303e0500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 198
 # changing tag value of sequence
@@ -1806,9 +1483,7 @@
 public = 2e4e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 199
 # changing tag value of sequence
@@ -1816,9 +1491,7 @@
 public = 2f4e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 200
 # changing tag value of sequence
@@ -1826,9 +1499,7 @@
 public = 314e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 201
 # changing tag value of sequence
@@ -1836,9 +1507,7 @@
 public = 324e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 202
 # changing tag value of sequence
@@ -1846,9 +1515,7 @@
 public = ff4e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 203
 # changing tag value of sequence
@@ -1856,9 +1523,7 @@
 public = 304e2e1006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 204
 # changing tag value of sequence
@@ -1866,9 +1531,7 @@
 public = 304e2f1006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 205
 # changing tag value of sequence
@@ -1876,9 +1539,7 @@
 public = 304e311006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 206
 # changing tag value of sequence
@@ -1886,9 +1547,7 @@
 public = 304e321006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 207
 # changing tag value of sequence
@@ -1896,9 +1555,7 @@
 public = 304eff1006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 208
 # dropping value of sequence
@@ -1906,9 +1563,7 @@
 public = 3000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 209
 # dropping value of sequence
@@ -1916,9 +1571,7 @@
 public = 303e3000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 210
 # truncated sequence
@@ -1926,9 +1579,7 @@
 public = 304d301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 211
 # truncated sequence
@@ -1936,9 +1587,7 @@
 public = 304d1006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 212
 # truncated sequence
@@ -1946,9 +1595,7 @@
 public = 304d300f06072a8648ce3d020106052b810400033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 213
 # truncated sequence
@@ -1956,9 +1603,7 @@
 public = 304d300f072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 214
 # indefinite length
@@ -1966,9 +1611,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 215
 # indefinite length
@@ -1976,9 +1619,7 @@
 public = 3050308006072a8648ce3d020106052b810400210000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 216
 # indefinite length with truncated delimiter
@@ -1986,9 +1627,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da6200
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 217
 # indefinite length with truncated delimiter
@@ -1996,9 +1635,7 @@
 public = 304f308006072a8648ce3d020106052b8104002100033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 218
 # indefinite length with additional element
@@ -2006,9 +1643,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da6205000000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 219
 # indefinite length with additional element
@@ -2016,9 +1651,7 @@
 public = 3052308006072a8648ce3d020106052b8104002105000000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 220
 # indefinite length with truncated element
@@ -2026,9 +1659,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62060811220000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 221
 # indefinite length with truncated element
@@ -2036,9 +1667,7 @@
 public = 3054308006072a8648ce3d020106052b81040021060811220000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 222
 # indefinite length with garbage
@@ -2046,9 +1675,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000fe02beef
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 223
 # indefinite length with garbage
@@ -2056,9 +1683,7 @@
 public = 3054308006072a8648ce3d020106052b810400210000fe02beef033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 224
 # indefinite length with nonempty EOC
@@ -2066,9 +1691,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620002beef
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 225
 # indefinite length with nonempty EOC
@@ -2076,9 +1699,7 @@
 public = 3052308006072a8648ce3d020106052b810400210002beef033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 226
 # prepend empty sequence
@@ -2086,9 +1707,7 @@
 public = 30503000301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 227
 # prepend empty sequence
@@ -2096,9 +1715,7 @@
 public = 30503012300006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 228
 # append empty sequence
@@ -2106,9 +1723,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da623000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 229
 # append empty sequence
@@ -2116,9 +1731,7 @@
 public = 3050301206072a8648ce3d020106052b810400213000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 230
 # append garbage with high tag number
@@ -2126,9 +1739,7 @@
 public = 3051301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62bf7f00
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 231
 # append garbage with high tag number
@@ -2136,9 +1747,7 @@
 public = 3051301306072a8648ce3d020106052b81040021bf7f00033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 232
 # sequence of sequence
@@ -2146,9 +1755,7 @@
 public = 3050304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 233
 # sequence of sequence
@@ -2156,9 +1763,7 @@
 public = 30503012301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 234
 # truncated sequence: removed last 1 elements
@@ -2166,9 +1771,7 @@
 public = 3012301006072a8648ce3d020106052b81040021
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 235
 # truncated sequence: removed last 1 elements
@@ -2176,9 +1779,7 @@
 public = 3047300906072a8648ce3d0201033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 236
 # repeating element in sequence
@@ -2186,9 +1787,7 @@
 public = 30818a301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 237
 # repeating element in sequence
@@ -2196,9 +1795,7 @@
 public = 3055301706072a8648ce3d020106052b8104002106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 238
 # long form encoding of length of oid
@@ -2206,9 +1803,7 @@
 public = 304f30110681072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 239
 # long form encoding of length of oid
@@ -2216,9 +1811,7 @@
 public = 304f301106072a8648ce3d02010681052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 240
 # length of oid contains leading 0
@@ -2226,9 +1819,7 @@
 public = 30503012068200072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 241
 # length of oid contains leading 0
@@ -2236,9 +1827,7 @@
 public = 3050301206072a8648ce3d0201068200052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 242
 # wrong length of oid
@@ -2246,9 +1835,7 @@
 public = 304e301006082a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 243
 # wrong length of oid
@@ -2256,9 +1843,7 @@
 public = 304e301006062a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 244
 # wrong length of oid
@@ -2266,9 +1851,7 @@
 public = 304e301006072a8648ce3d020106062b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 245
 # wrong length of oid
@@ -2276,9 +1859,7 @@
 public = 304e301006072a8648ce3d020106042b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 246
 # uint32 overflow in length of oid
@@ -2286,9 +1867,7 @@
 public = 30533015068501000000072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 247
 # uint32 overflow in length of oid
@@ -2296,9 +1875,7 @@
 public = 3053301506072a8648ce3d0201068501000000052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 248
 # uint64 overflow in length of oid
@@ -2306,9 +1883,7 @@
 public = 3057301906890100000000000000072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 249
 # uint64 overflow in length of oid
@@ -2316,9 +1891,7 @@
 public = 3057301906072a8648ce3d020106890100000000000000052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 250
 # length of oid = 2**31 - 1
@@ -2326,9 +1899,7 @@
 public = 3052301406847fffffff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 251
 # length of oid = 2**31 - 1
@@ -2336,9 +1907,7 @@
 public = 3052301406072a8648ce3d020106847fffffff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 252
 # length of oid = 2**32 - 1
@@ -2346,9 +1915,7 @@
 public = 305230140684ffffffff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 253
 # length of oid = 2**32 - 1
@@ -2356,9 +1923,7 @@
 public = 3052301406072a8648ce3d02010684ffffffff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 254
 # length of oid = 2**40 - 1
@@ -2366,9 +1931,7 @@
 public = 305330150685ffffffffff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 255
 # length of oid = 2**40 - 1
@@ -2376,9 +1939,7 @@
 public = 3053301506072a8648ce3d02010685ffffffffff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 256
 # length of oid = 2**64 - 1
@@ -2386,9 +1947,7 @@
 public = 305630180688ffffffffffffffff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 257
 # length of oid = 2**64 - 1
@@ -2396,9 +1955,7 @@
 public = 3056301806072a8648ce3d02010688ffffffffffffffff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 258
 # incorrect length of oid
@@ -2406,9 +1963,7 @@
 public = 304e301006ff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 259
 # incorrect length of oid
@@ -2416,9 +1971,7 @@
 public = 304e301006072a8648ce3d020106ff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 260
 # removing oid
@@ -2426,9 +1979,7 @@
 public = 3045300706052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 261
 # lonely oid tag
@@ -2436,9 +1987,7 @@
 public = 304630080606052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 262
 # lonely oid tag
@@ -2446,9 +1995,7 @@
 public = 3048300a06072a8648ce3d020106033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 263
 # appending 0's to oid
@@ -2456,9 +2003,7 @@
 public = 3050301206092a8648ce3d0201000006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 264
 # appending 0's to oid
@@ -2466,9 +2011,7 @@
 public = 3050301206072a8648ce3d020106072b810400210000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 265
 # prepending 0's to oid
@@ -2476,9 +2019,7 @@
 public = 30503012060900002a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 266
 # prepending 0's to oid
@@ -2486,9 +2027,7 @@
 public = 3050301206072a8648ce3d0201060700002b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 267
 # appending unused 0's to oid
@@ -2496,9 +2035,7 @@
 public = 3050301206072a8648ce3d0201000006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 268
 # appending null value to oid
@@ -2506,9 +2043,7 @@
 public = 3050301206092a8648ce3d0201050006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 269
 # appending null value to oid
@@ -2516,9 +2051,7 @@
 public = 3050301206072a8648ce3d020106072b810400210500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 270
 # truncated length of oid
@@ -2526,9 +2059,7 @@
 public = 30473009068106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 271
 # truncated length of oid
@@ -2536,9 +2067,7 @@
 public = 3049300b06072a8648ce3d02010681033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 272
 # Replacing oid with NULL
@@ -2546,9 +2075,7 @@
 public = 30473009050006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 273
 # Replacing oid with NULL
@@ -2556,9 +2083,7 @@
 public = 3049300b06072a8648ce3d02010500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 274
 # changing tag value of oid
@@ -2566,9 +2091,7 @@
 public = 304e301004072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 275
 # changing tag value of oid
@@ -2576,9 +2099,7 @@
 public = 304e301005072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 276
 # changing tag value of oid
@@ -2586,9 +2107,7 @@
 public = 304e301007072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 277
 # changing tag value of oid
@@ -2596,9 +2115,7 @@
 public = 304e301008072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 278
 # changing tag value of oid
@@ -2606,9 +2123,7 @@
 public = 304e3010ff072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 279
 # changing tag value of oid
@@ -2616,9 +2131,7 @@
 public = 304e301006072a8648ce3d020104052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 280
 # changing tag value of oid
@@ -2626,9 +2139,7 @@
 public = 304e301006072a8648ce3d020105052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 281
 # changing tag value of oid
@@ -2636,9 +2147,7 @@
 public = 304e301006072a8648ce3d020107052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 282
 # changing tag value of oid
@@ -2646,9 +2155,7 @@
 public = 304e301006072a8648ce3d020108052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 283
 # changing tag value of oid
@@ -2656,9 +2163,7 @@
 public = 304e301006072a8648ce3d0201ff052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 284
 # dropping value of oid
@@ -2666,9 +2171,7 @@
 public = 30473009060006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 285
 # dropping value of oid
@@ -2676,9 +2179,7 @@
 public = 3049300b06072a8648ce3d02010600033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 286
 # modify first byte of oid
@@ -2686,9 +2187,7 @@
 public = 304e30100607288648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 287
 # modify first byte of oid
@@ -2696,9 +2195,7 @@
 public = 304e301006072a8648ce3d020106052981040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 288
 # modify last byte of oid
@@ -2706,9 +2203,7 @@
 public = 304e301006072a8648ce3d028106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 289
 # modify last byte of oid
@@ -2716,9 +2211,7 @@
 public = 304e301006072a8648ce3d020106052b810400a1033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 290
 # truncated oid
@@ -2726,9 +2219,7 @@
 public = 304d300f06062a8648ce3d0206052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 291
 # truncated oid
@@ -2736,9 +2227,7 @@
 public = 304d300f06068648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 292
 # truncated oid
@@ -2746,9 +2235,7 @@
 public = 304d300f06072a8648ce3d020106042b810400033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 293
 # truncated oid
@@ -2756,9 +2243,7 @@
 public = 304d300f06072a8648ce3d0201060481040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 294
 # wrong oid
@@ -2766,9 +2251,7 @@
 public = 304c300e06052b0e03021a06052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 295
 # wrong oid
@@ -2776,9 +2259,7 @@
 public = 30503012060960864801650304020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 296
 # wrong oid
@@ -2786,9 +2267,7 @@
 public = 304e301006072a8648ce3d020106052b0e03021a033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 297
 # wrong oid
@@ -2796,9 +2275,7 @@
 public = 3052301406072a8648ce3d02010609608648016503040201033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 298
 # longer oid
@@ -2806,9 +2283,7 @@
 public = 304f301106082a8648ce3d02010106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 299
 # longer oid
@@ -2816,9 +2291,7 @@
 public = 304f301106072a8648ce3d020106062b8104002101033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 300
 # oid with modified node
@@ -2826,9 +2299,7 @@
 public = 304e301006072a8648ce3d021106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 301
 # oid with modified node
@@ -2836,9 +2307,7 @@
 public = 30523014060b2a8648ce3d02888080800106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 302
 # oid with modified node
@@ -2846,9 +2315,7 @@
 public = 304e301006072a8648ce3d020106052b81040031033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 303
 # oid with modified node
@@ -2856,9 +2323,7 @@
 public = 3052301406072a8648ce3d020106092b8104008880808021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 304
 # large integer in oid
@@ -2866,9 +2331,7 @@
 public = 3057301906102a8648ce3d028280808080808080800106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 305
 # large integer in oid
@@ -2876,9 +2339,7 @@
 public = 3057301906072a8648ce3d0201060e2b81040082808080808080808021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 306
 # oid with invalid node
@@ -2886,9 +2347,7 @@
 public = 304f301106082a8648ce3d0201e006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 307
 # oid with invalid node
@@ -2896,9 +2355,7 @@
 public = 304f301106082a808648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 308
 # oid with invalid node
@@ -2906,9 +2363,7 @@
 public = 304f301106072a8648ce3d020106062b81040021e0033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 309
 # oid with invalid node
@@ -2916,9 +2371,7 @@
 public = 304f301106072a8648ce3d020106062b8081040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 310
 # long form encoding of length of bit string
@@ -2926,9 +2379,7 @@
 public = 304f301006072a8648ce3d020106052b8104002103813a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 311
 # length of bit string contains leading 0
@@ -2936,9 +2387,7 @@
 public = 3050301006072a8648ce3d020106052b810400210382003a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 312
 # wrong length of bit string
@@ -2946,9 +2395,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033b000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 313
 # wrong length of bit string
@@ -2956,9 +2403,7 @@
 public = 304e301006072a8648ce3d020106052b810400210339000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 314
 # uint32 overflow in length of bit string
@@ -2966,9 +2411,7 @@
 public = 3053301006072a8648ce3d020106052b810400210385010000003a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 315
 # uint64 overflow in length of bit string
@@ -2976,9 +2419,7 @@
 public = 3057301006072a8648ce3d020106052b81040021038901000000000000003a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 316
 # length of bit string = 2**31 - 1
@@ -2986,9 +2427,7 @@
 public = 3052301006072a8648ce3d020106052b8104002103847fffffff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 317
 # length of bit string = 2**32 - 1
@@ -2996,9 +2435,7 @@
 public = 3052301006072a8648ce3d020106052b810400210384ffffffff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 318
 # length of bit string = 2**40 - 1
@@ -3006,9 +2443,7 @@
 public = 3053301006072a8648ce3d020106052b810400210385ffffffffff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 319
 # length of bit string = 2**64 - 1
@@ -3016,9 +2451,7 @@
 public = 3056301006072a8648ce3d020106052b810400210388ffffffffffffffff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 320
 # incorrect length of bit string
@@ -3026,9 +2459,7 @@
 public = 304e301006072a8648ce3d020106052b8104002103ff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 321
 # lonely bit string tag
@@ -3036,9 +2467,7 @@
 public = 3013301006072a8648ce3d020106052b8104002103
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 322
 # appending 0's to bit string
@@ -3046,9 +2475,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033c000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 323
 # prepending 0's to bit string
@@ -3056,9 +2483,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033c0000000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 324
 # appending null value to bit string
@@ -3066,9 +2491,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033c000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620500
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 325
 # truncated length of bit string
@@ -3076,9 +2499,7 @@
 public = 3014301006072a8648ce3d020106052b810400210381
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 326
 # Replacing bit string with NULL
@@ -3086,9 +2507,7 @@
 public = 3014301006072a8648ce3d020106052b810400210500
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 327
 # changing tag value of bit string
@@ -3096,9 +2515,7 @@
 public = 304e301006072a8648ce3d020106052b81040021013a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 328
 # changing tag value of bit string
@@ -3106,9 +2523,7 @@
 public = 304e301006072a8648ce3d020106052b81040021023a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 329
 # changing tag value of bit string
@@ -3116,9 +2531,7 @@
 public = 304e301006072a8648ce3d020106052b81040021043a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 330
 # changing tag value of bit string
@@ -3126,9 +2539,7 @@
 public = 304e301006072a8648ce3d020106052b81040021053a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 331
 # changing tag value of bit string
@@ -3136,9 +2547,7 @@
 public = 304e301006072a8648ce3d020106052b81040021ff3a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 332
 # dropping value of bit string
@@ -3146,9 +2555,7 @@
 public = 3014301006072a8648ce3d020106052b810400210300
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 333
 # modify first byte of bit string
@@ -3156,9 +2563,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a020486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 334
 # modify last byte of bit string
@@ -3166,9 +2571,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3dae2
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 335
 # truncated bit string
@@ -3176,9 +2579,7 @@
 public = 304d301006072a8648ce3d020106052b810400210339000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 336
 # truncated bit string
@@ -3186,9 +2587,7 @@
 public = 304d301006072a8648ce3d020106052b8104002103390486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 337
 # declaring bits as unused in bit string
@@ -3196,9 +2595,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a010486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 338
 # unused bits in bit string
@@ -3206,9 +2603,7 @@
 public = 3052301006072a8648ce3d020106052b81040021033e200486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da6201020304
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 339
 # unused bits in empty bit-string
@@ -3216,9 +2611,7 @@
 public = 3015301006072a8648ce3d020106052b81040021030103
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 340
 # 128 unused bits
@@ -3226,7 +2619,5 @@
 public = 304e301006072a8648ce3d020106052b81040021033a800486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
diff --git a/third_party/wycheproof_testvectors/ecdh_secp256r1_test.txt b/third_party/wycheproof_testvectors/ecdh_secp256r1_test.txt
index fe35b50..f4a348f 100644
--- a/third_party/wycheproof_testvectors/ecdh_secp256r1_test.txt
+++ b/third_party/wycheproof_testvectors/ecdh_secp256r1_test.txt
@@ -20,8 +20,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d0301070322000362d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26
 result = acceptable
 shared = 53020d908b0219328b658b525f26780e3ae12bcd952bb25a93bc0895e1714285
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 3
 # edge case for shared secret
@@ -1303,9 +1302,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = f7407d61fdf581be4f564621d590ca9b7ba37f31396150f9922f1501da8c83ef
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 186
 # edge case private key
@@ -1313,9 +1310,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = 82236fd272208693e0574555ca465c6cc512163486084fa57f5e1bd2e2ccc0b3
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 187
 # edge case private key
@@ -1323,9 +1318,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = 06537149664dba1a9924654cb7f787ed224851b0df25ef53fcf54f8f26cd5f3f
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 188
 # edge case private key
@@ -1333,9 +1326,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = f2b38539bce995d443c7bfeeefadc9e42cc2c89c60bf4e86eac95d51987bd112
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 189
 # edge case private key
@@ -1350,9 +1341,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = 027b013a6f166db655d69d643c127ef8ace175311e667dff2520f5b5c75b7659
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 191
 # CVE-2017-8932
@@ -1492,12 +1481,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764c
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 211
 # public point = (0,0)
@@ -1505,12 +1489,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 212
 # order =
@@ -1519,20 +1498,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f50221ff00000000ffffffff00000000000000004319055258e8617b0c46353d039cdaaf020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 213
 # order = 0
@@ -1540,20 +1506,7 @@
 public = 308201133081cc06072a8648ce3d02013081c0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5020100020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 214
 # order = 1
@@ -1561,20 +1514,7 @@
 public = 308201133081cc06072a8648ce3d02013081c0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5020101020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 215
 # order = 26959946660873538060741835960514744168612397095220107664918121663170
@@ -1582,20 +1522,7 @@
 public = 3082012f3081e806072a8648ce3d02013081dc020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5021d00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 216
 # generator = (0,0)
@@ -1603,17 +1530,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b04410400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 217
 # generator not on curve
@@ -1621,17 +1538,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f7022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 218
 # cofactor = -1
@@ -1639,17 +1546,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325510201ff034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 219
 # cofactor = 0
@@ -1657,17 +1554,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020100034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 220
 # cofactor = 2
@@ -1675,17 +1562,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020102034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 221
 # cofactor =
@@ -1694,17 +1571,7 @@
 public = 308201553082010d06072a8648ce3d020130820100020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 222
 # cofactor = None
@@ -1712,17 +1579,7 @@
 public = 308201303081e906072a8648ce3d02013081dd020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 223
 # modified prime
@@ -1730,20 +1587,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100fd091059a6893635f900e9449d63f572b2aebc4cff7b4e5e33f1b200e8bbc1453044042002f6efa55976c9cb06ff16bb629c0a8d4d5143b40084b1a1cc0e4dff17443eb704205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441040000000000000000000006597fa94b1fd90000000000000000000000000000021b8c7dd77f9a95627922eceefea73f028f1ec95ba9b8fa95a3ad24bdf9fff414022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200040000000000000000000006597fa94b1fd90000000000000000000000000000021b8c7dd77f9a95627922eceefea73f028f1ec95ba9b8fa95a3ad24bdf9fff414
 result = invalid
 shared = cea0fbd8f20abc8cf8127c132e29756d25ff1530a88bf5c9e22dc1c137c36be9
-# The modulus of the public key has been modified. The public point of the
-# public key has been chosen so that it is both a point on both the curve of the
-# modified public key and the private key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = ModifiedPrime,InvalidPublic,UnnamedCurve
 
 # tcId = 224
 # using secp224r1
@@ -1751,12 +1595,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004074f56dc2ea648ef89c3b72e23bbd2da36f60243e4d2067b70604af1c2165cec2f86603d60c8a611d5b84ba3d91dfe1a480825bcc4af3bcf
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 225
 # using secp256k1
@@ -1764,12 +1603,7 @@
 public = 3056301006072a8648ce3d020106052b8104000a03420004a1263e75b87ae0937060ff1472f330ee55cdf8f4329d6284a9ebfbcc856c11684225e72cbebff41e54fb6f00e11afe53a17937bedbf2df787f8ef9584f775838
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 226
 # a = 0
@@ -1777,17 +1611,7 @@
 public = 308201143081cd06072a8648ce3d02013081c1020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff302504010004201b95c2f46065dbf0f3ff09153e4748ed71595e0774ba8e25c364ff1e6be039b70441041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 227
 # public key of order 3
@@ -1795,21 +1619,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff304404207b5c92a0cac0f30673473f260f89926a14da905bc7e5e07df1e8df69059d98570420cb2eaa5643572372d5cba1e69f687d287fd62f5518322af2614ce512dd680a76044104843587c1bea197a1be63c67c9f1641c70f7d3cba49147e9fc0c9bb246e1498186049243e8e92743df2f9994d60f90ab21635e00183e69b317f00ad226da8f546022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63255102010103420004843587c1bea197a1be63c67c9f1641c70f7d3cba49147e9fc0c9bb246e1498189fb6dbc0716d8bc30d0666b29f06f54de9ca1fff7c1964ce80ff52dd92570ab9
 result = invalid
 shared = 
-# The vector contains a weak public key. The curve is not a named curve, the
-# public key point has order 3 and has been chosen to be on the same curve as
-# the private key. This test vector is used to check ECC implementations for
-# missing steps in the verification of the public key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WeakPublicKey,InvalidPublic,UnnamedCurve
 
 # tcId = 228
 # Public key uses wrong curve: secp224r1
@@ -1922,8 +1732,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220002fd4bf61763b46581fd9174d623516cf3c81edd40e29ffa2777fb6cb0ae3ce535
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 244
 # public key is a low order point on twist
@@ -1931,8 +1740,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220003efdde3b32872a9effcf3b94cbf73aa7b39f9683ece9121b9852167f4e3da609b
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 245
 # public key is a low order point on twist
@@ -1940,8 +1748,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220002efdde3b32872a9effcf3b94cbf73aa7b39f9683ece9121b9852167f4e3da609b
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 246
 # public key is a low order point on twist
@@ -1949,8 +1756,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220002c49524b2adfd8f5f972ef554652836e2efb2d306c6d3b0689234cec93ae73db5
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 247
 # public key is a low order point on twist
@@ -1958,8 +1764,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d0301070322000318f9bae7747cd844e98525b7ccd0daf6e1d20a818b2175a9a91e4eae5343bc98
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 248
 # public key is a low order point on twist
@@ -1967,8 +1772,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d0301070322000218f9bae7747cd844e98525b7ccd0daf6e1d20a818b2175a9a91e4eae5343bc98
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 249
 # public key is a low order point on twist
@@ -1976,8 +1780,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220003c49524b2adfd8f5f972ef554652836e2efb2d306c6d3b0689234cec93ae73db5
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 250
 # long form encoding of length of sequence
@@ -1985,9 +1788,7 @@
 public = 308159301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 251
 # long form encoding of length of sequence
@@ -1995,9 +1796,7 @@
 public = 305a30811306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 252
 # length of sequence contains leading 0
@@ -2005,9 +1804,7 @@
 public = 30820059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 253
 # length of sequence contains leading 0
@@ -2015,9 +1812,7 @@
 public = 305b3082001306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 254
 # wrong length of sequence
@@ -2025,9 +1820,7 @@
 public = 305a301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 255
 # wrong length of sequence
@@ -2035,9 +1828,7 @@
 public = 3058301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 256
 # wrong length of sequence
@@ -2045,9 +1836,7 @@
 public = 3059301406072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 257
 # wrong length of sequence
@@ -2055,9 +1844,7 @@
 public = 3059301206072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 258
 # uint32 overflow in length of sequence
@@ -2065,9 +1852,7 @@
 public = 30850100000059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 259
 # uint32 overflow in length of sequence
@@ -2075,9 +1860,7 @@
 public = 305e3085010000001306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 260
 # uint64 overflow in length of sequence
@@ -2085,9 +1868,7 @@
 public = 3089010000000000000059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 261
 # uint64 overflow in length of sequence
@@ -2095,9 +1876,7 @@
 public = 3062308901000000000000001306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 262
 # length of sequence = 2**31 - 1
@@ -2105,9 +1884,7 @@
 public = 30847fffffff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 263
 # length of sequence = 2**31 - 1
@@ -2115,9 +1892,7 @@
 public = 305d30847fffffff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 264
 # length of sequence = 2**32 - 1
@@ -2125,9 +1900,7 @@
 public = 3084ffffffff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 265
 # length of sequence = 2**32 - 1
@@ -2135,9 +1908,7 @@
 public = 305d3084ffffffff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 266
 # length of sequence = 2**40 - 1
@@ -2145,9 +1916,7 @@
 public = 3085ffffffffff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 267
 # length of sequence = 2**40 - 1
@@ -2155,9 +1924,7 @@
 public = 305e3085ffffffffff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 268
 # length of sequence = 2**64 - 1
@@ -2165,9 +1932,7 @@
 public = 3088ffffffffffffffff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 269
 # length of sequence = 2**64 - 1
@@ -2175,9 +1940,7 @@
 public = 30613088ffffffffffffffff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 270
 # incorrect length of sequence
@@ -2185,9 +1948,7 @@
 public = 30ff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 271
 # incorrect length of sequence
@@ -2195,9 +1956,7 @@
 public = 305930ff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 272
 # indefinite length without termination
@@ -2205,9 +1964,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 273
 # indefinite length without termination
@@ -2215,9 +1972,7 @@
 public = 3059308006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 274
 # indefinite length without termination
@@ -2225,9 +1980,7 @@
 public = 3059301306802a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 275
 # indefinite length without termination
@@ -2235,9 +1988,7 @@
 public = 3059301306072a8648ce3d020106802a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 276
 # indefinite length without termination
@@ -2245,9 +1996,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107038000042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 277
 # removing sequence
@@ -2255,9 +2004,7 @@
 public = 
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 278
 # removing sequence
@@ -2265,9 +2012,7 @@
 public = 3044034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 279
 # lonely sequence tag
@@ -2275,9 +2020,7 @@
 public = 30
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 280
 # lonely sequence tag
@@ -2285,9 +2028,7 @@
 public = 304530034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 281
 # appending 0's to sequence
@@ -2295,9 +2036,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 282
 # appending 0's to sequence
@@ -2305,9 +2044,7 @@
 public = 305b301506072a8648ce3d020106082a8648ce3d0301070000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 283
 # prepending 0's to sequence
@@ -2315,9 +2052,7 @@
 public = 305b0000301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 284
 # prepending 0's to sequence
@@ -2325,9 +2060,7 @@
 public = 305b3015000006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 285
 # appending unused 0's to sequence
@@ -2335,9 +2068,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 286
 # appending unused 0's to sequence
@@ -2345,9 +2076,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d0301070000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 287
 # appending null value to sequence
@@ -2355,9 +2084,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0500
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 288
 # appending null value to sequence
@@ -2365,9 +2092,7 @@
 public = 305b301506072a8648ce3d020106082a8648ce3d0301070500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 289
 # including garbage
@@ -2375,9 +2100,7 @@
 public = 305e4981773059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 290
 # including garbage
@@ -2385,9 +2108,7 @@
 public = 305d25003059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 291
 # including garbage
@@ -2395,9 +2116,7 @@
 public = 305b3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0004deadbeef
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 292
 # including garbage
@@ -2405,9 +2124,7 @@
 public = 305e3018498177301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 293
 # including garbage
@@ -2415,9 +2132,7 @@
 public = 305d30172500301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 294
 # including garbage
@@ -2425,9 +2140,7 @@
 public = 30613015301306072a8648ce3d020106082a8648ce3d0301070004deadbeef034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 295
 # including garbage
@@ -2435,9 +2148,7 @@
 public = 305e3018260c49817706072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 296
 # including garbage
@@ -2445,9 +2156,7 @@
 public = 305d3017260b250006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 297
 # including garbage
@@ -2455,9 +2164,7 @@
 public = 3061301b260906072a8648ce3d02010004deadbeef06082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 298
 # including garbage
@@ -2465,9 +2172,7 @@
 public = 305e301806072a8648ce3d0201260d49817706082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 299
 # including garbage
@@ -2475,9 +2180,7 @@
 public = 305d301706072a8648ce3d0201260c250006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 300
 # including garbage
@@ -2485,9 +2188,7 @@
 public = 3061301b06072a8648ce3d0201260a06082a8648ce3d0301070004deadbeef034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 301
 # including garbage
@@ -2495,9 +2196,7 @@
 public = 305e301306072a8648ce3d020106082a8648ce3d0301072347498177034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 302
 # including garbage
@@ -2505,9 +2204,7 @@
 public = 305d301306072a8648ce3d020106082a8648ce3d03010723462500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 303
 # including garbage
@@ -2515,9 +2212,7 @@
 public = 3061301306072a8648ce3d020106082a8648ce3d0301072344034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0004deadbeef
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 304
 # including undefined tags
@@ -2525,9 +2220,7 @@
 public = 3061aa00bb00cd003059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 305
 # including undefined tags
@@ -2535,9 +2228,7 @@
 public = 305faa02aabb3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 306
 # including undefined tags
@@ -2545,9 +2236,7 @@
 public = 3061301baa00bb00cd00301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 307
 # including undefined tags
@@ -2555,9 +2244,7 @@
 public = 305f3019aa02aabb301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 308
 # including undefined tags
@@ -2565,9 +2252,7 @@
 public = 3061301b260faa00bb00cd0006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 309
 # including undefined tags
@@ -2575,9 +2260,7 @@
 public = 305f3019260daa02aabb06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 310
 # including undefined tags
@@ -2585,9 +2268,7 @@
 public = 3061301b06072a8648ce3d02012610aa00bb00cd0006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 311
 # including undefined tags
@@ -2595,9 +2276,7 @@
 public = 305f301906072a8648ce3d0201260eaa02aabb06082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 312
 # including undefined tags
@@ -2605,9 +2284,7 @@
 public = 3061301306072a8648ce3d020106082a8648ce3d030107234aaa00bb00cd00034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 313
 # including undefined tags
@@ -2615,9 +2292,7 @@
 public = 305f301306072a8648ce3d020106082a8648ce3d0301072348aa02aabb034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 314
 # truncated length of sequence
@@ -2625,9 +2300,7 @@
 public = 3081
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 315
 # truncated length of sequence
@@ -2635,9 +2308,7 @@
 public = 30463081034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 316
 # Replacing sequence with NULL
@@ -2645,9 +2316,7 @@
 public = 0500
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 317
 # Replacing sequence with NULL
@@ -2655,9 +2324,7 @@
 public = 30460500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 318
 # changing tag value of sequence
@@ -2665,9 +2332,7 @@
 public = 2e59301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 319
 # changing tag value of sequence
@@ -2675,9 +2340,7 @@
 public = 2f59301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 320
 # changing tag value of sequence
@@ -2685,9 +2348,7 @@
 public = 3159301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 321
 # changing tag value of sequence
@@ -2695,9 +2356,7 @@
 public = 3259301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 322
 # changing tag value of sequence
@@ -2705,9 +2364,7 @@
 public = ff59301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 323
 # changing tag value of sequence
@@ -2715,9 +2372,7 @@
 public = 30592e1306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 324
 # changing tag value of sequence
@@ -2725,9 +2380,7 @@
 public = 30592f1306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 325
 # changing tag value of sequence
@@ -2735,9 +2388,7 @@
 public = 3059311306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 326
 # changing tag value of sequence
@@ -2745,9 +2396,7 @@
 public = 3059321306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 327
 # changing tag value of sequence
@@ -2755,9 +2404,7 @@
 public = 3059ff1306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 328
 # dropping value of sequence
@@ -2765,9 +2412,7 @@
 public = 3000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 329
 # dropping value of sequence
@@ -2775,9 +2420,7 @@
 public = 30463000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 330
 # truncated sequence
@@ -2785,9 +2428,7 @@
 public = 3058301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add6
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 331
 # truncated sequence
@@ -2795,9 +2436,7 @@
 public = 30581306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 332
 # truncated sequence
@@ -2805,9 +2444,7 @@
 public = 3058301206072a8648ce3d020106082a8648ce3d0301034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 333
 # truncated sequence
@@ -2815,9 +2452,7 @@
 public = 30583012072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 334
 # indefinite length
@@ -2825,9 +2460,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 335
 # indefinite length
@@ -2835,9 +2468,7 @@
 public = 305b308006072a8648ce3d020106082a8648ce3d0301070000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 336
 # indefinite length with truncated delimiter
@@ -2845,9 +2476,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b00
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 337
 # indefinite length with truncated delimiter
@@ -2855,9 +2484,7 @@
 public = 305a308006072a8648ce3d020106082a8648ce3d03010700034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 338
 # indefinite length with additional element
@@ -2865,9 +2492,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b05000000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 339
 # indefinite length with additional element
@@ -2875,9 +2500,7 @@
 public = 305d308006072a8648ce3d020106082a8648ce3d03010705000000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 340
 # indefinite length with truncated element
@@ -2885,9 +2508,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b060811220000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 341
 # indefinite length with truncated element
@@ -2895,9 +2516,7 @@
 public = 305f308006072a8648ce3d020106082a8648ce3d030107060811220000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 342
 # indefinite length with garbage
@@ -2905,9 +2524,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000fe02beef
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 343
 # indefinite length with garbage
@@ -2915,9 +2532,7 @@
 public = 305f308006072a8648ce3d020106082a8648ce3d0301070000fe02beef034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 344
 # indefinite length with nonempty EOC
@@ -2925,9 +2540,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0002beef
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 345
 # indefinite length with nonempty EOC
@@ -2935,9 +2548,7 @@
 public = 305d308006072a8648ce3d020106082a8648ce3d0301070002beef034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 346
 # prepend empty sequence
@@ -2945,9 +2556,7 @@
 public = 305b3000301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 347
 # prepend empty sequence
@@ -2955,9 +2564,7 @@
 public = 305b3015300006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 348
 # append empty sequence
@@ -2965,9 +2572,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b3000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 349
 # append empty sequence
@@ -2975,9 +2580,7 @@
 public = 305b301506072a8648ce3d020106082a8648ce3d0301073000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 350
 # append garbage with high tag number
@@ -2985,9 +2588,7 @@
 public = 305c301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66bbf7f00
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 351
 # append garbage with high tag number
@@ -2995,9 +2596,7 @@
 public = 305c301606072a8648ce3d020106082a8648ce3d030107bf7f00034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 352
 # sequence of sequence
@@ -3005,9 +2604,7 @@
 public = 305b3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 353
 # sequence of sequence
@@ -3015,9 +2612,7 @@
 public = 305b3015301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 354
 # truncated sequence: removed last 1 elements
@@ -3025,9 +2620,7 @@
 public = 3015301306072a8648ce3d020106082a8648ce3d030107
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 355
 # truncated sequence: removed last 1 elements
@@ -3035,9 +2628,7 @@
 public = 304f300906072a8648ce3d0201034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 356
 # repeating element in sequence
@@ -3045,9 +2636,7 @@
 public = 30819d301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 357
 # repeating element in sequence
@@ -3055,9 +2644,7 @@
 public = 3063301d06072a8648ce3d020106082a8648ce3d03010706082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 358
 # long form encoding of length of oid
@@ -3065,9 +2652,7 @@
 public = 305a30140681072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 359
 # long form encoding of length of oid
@@ -3075,9 +2660,7 @@
 public = 305a301406072a8648ce3d02010681082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 360
 # length of oid contains leading 0
@@ -3085,9 +2668,7 @@
 public = 305b3015068200072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 361
 # length of oid contains leading 0
@@ -3095,9 +2676,7 @@
 public = 305b301506072a8648ce3d0201068200082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 362
 # wrong length of oid
@@ -3105,9 +2684,7 @@
 public = 3059301306082a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 363
 # wrong length of oid
@@ -3115,9 +2692,7 @@
 public = 3059301306062a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 364
 # wrong length of oid
@@ -3125,9 +2700,7 @@
 public = 3059301306072a8648ce3d020106092a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 365
 # wrong length of oid
@@ -3135,9 +2708,7 @@
 public = 3059301306072a8648ce3d020106072a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 366
 # uint32 overflow in length of oid
@@ -3145,9 +2716,7 @@
 public = 305e3018068501000000072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 367
 # uint32 overflow in length of oid
@@ -3155,9 +2724,7 @@
 public = 305e301806072a8648ce3d0201068501000000082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 368
 # uint64 overflow in length of oid
@@ -3165,9 +2732,7 @@
 public = 3062301c06890100000000000000072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 369
 # uint64 overflow in length of oid
@@ -3175,9 +2740,7 @@
 public = 3062301c06072a8648ce3d020106890100000000000000082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 370
 # length of oid = 2**31 - 1
@@ -3185,9 +2748,7 @@
 public = 305d301706847fffffff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 371
 # length of oid = 2**31 - 1
@@ -3195,9 +2756,7 @@
 public = 305d301706072a8648ce3d020106847fffffff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 372
 # length of oid = 2**32 - 1
@@ -3205,9 +2764,7 @@
 public = 305d30170684ffffffff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 373
 # length of oid = 2**32 - 1
@@ -3215,9 +2772,7 @@
 public = 305d301706072a8648ce3d02010684ffffffff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 374
 # length of oid = 2**40 - 1
@@ -3225,9 +2780,7 @@
 public = 305e30180685ffffffffff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 375
 # length of oid = 2**40 - 1
@@ -3235,9 +2788,7 @@
 public = 305e301806072a8648ce3d02010685ffffffffff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 376
 # length of oid = 2**64 - 1
@@ -3245,9 +2796,7 @@
 public = 3061301b0688ffffffffffffffff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 377
 # length of oid = 2**64 - 1
@@ -3255,9 +2804,7 @@
 public = 3061301b06072a8648ce3d02010688ffffffffffffffff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 378
 # incorrect length of oid
@@ -3265,9 +2812,7 @@
 public = 3059301306ff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 379
 # incorrect length of oid
@@ -3275,9 +2820,7 @@
 public = 3059301306072a8648ce3d020106ff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 380
 # removing oid
@@ -3285,9 +2828,7 @@
 public = 3050300a06082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 381
 # lonely oid tag
@@ -3295,9 +2836,7 @@
 public = 3051300b0606082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 382
 # lonely oid tag
@@ -3305,9 +2844,7 @@
 public = 3050300a06072a8648ce3d020106034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 383
 # appending 0's to oid
@@ -3315,9 +2852,7 @@
 public = 305b301506092a8648ce3d0201000006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 384
 # appending 0's to oid
@@ -3325,9 +2860,7 @@
 public = 305b301506072a8648ce3d0201060a2a8648ce3d0301070000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 385
 # prepending 0's to oid
@@ -3335,9 +2868,7 @@
 public = 305b3015060900002a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 386
 # prepending 0's to oid
@@ -3345,9 +2876,7 @@
 public = 305b301506072a8648ce3d0201060a00002a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 387
 # appending unused 0's to oid
@@ -3355,9 +2884,7 @@
 public = 305b301506072a8648ce3d0201000006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 388
 # appending null value to oid
@@ -3365,9 +2892,7 @@
 public = 305b301506092a8648ce3d0201050006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 389
 # appending null value to oid
@@ -3375,9 +2900,7 @@
 public = 305b301506072a8648ce3d0201060a2a8648ce3d0301070500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 390
 # truncated length of oid
@@ -3385,9 +2908,7 @@
 public = 3052300c068106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 391
 # truncated length of oid
@@ -3395,9 +2916,7 @@
 public = 3051300b06072a8648ce3d02010681034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 392
 # Replacing oid with NULL
@@ -3405,9 +2924,7 @@
 public = 3052300c050006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 393
 # Replacing oid with NULL
@@ -3415,9 +2932,7 @@
 public = 3051300b06072a8648ce3d02010500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 394
 # changing tag value of oid
@@ -3425,9 +2940,7 @@
 public = 3059301304072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 395
 # changing tag value of oid
@@ -3435,9 +2948,7 @@
 public = 3059301305072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 396
 # changing tag value of oid
@@ -3445,9 +2956,7 @@
 public = 3059301307072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 397
 # changing tag value of oid
@@ -3455,9 +2964,7 @@
 public = 3059301308072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 398
 # changing tag value of oid
@@ -3465,9 +2972,7 @@
 public = 30593013ff072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 399
 # changing tag value of oid
@@ -3475,9 +2980,7 @@
 public = 3059301306072a8648ce3d020104082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 400
 # changing tag value of oid
@@ -3485,9 +2988,7 @@
 public = 3059301306072a8648ce3d020105082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 401
 # changing tag value of oid
@@ -3495,9 +2996,7 @@
 public = 3059301306072a8648ce3d020107082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 402
 # changing tag value of oid
@@ -3505,9 +3004,7 @@
 public = 3059301306072a8648ce3d020108082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 403
 # changing tag value of oid
@@ -3515,9 +3012,7 @@
 public = 3059301306072a8648ce3d0201ff082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 404
 # dropping value of oid
@@ -3525,9 +3020,7 @@
 public = 3052300c060006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 405
 # dropping value of oid
@@ -3535,9 +3028,7 @@
 public = 3051300b06072a8648ce3d02010600034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 406
 # modify first byte of oid
@@ -3545,9 +3036,7 @@
 public = 305930130607288648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 407
 # modify first byte of oid
@@ -3555,9 +3044,7 @@
 public = 3059301306072a8648ce3d02010608288648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 408
 # modify last byte of oid
@@ -3565,9 +3052,7 @@
 public = 3059301306072a8648ce3d028106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 409
 # modify last byte of oid
@@ -3575,9 +3060,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030187034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 410
 # truncated oid
@@ -3585,9 +3068,7 @@
 public = 3058301206062a8648ce3d0206082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 411
 # truncated oid
@@ -3595,9 +3076,7 @@
 public = 3058301206068648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 412
 # truncated oid
@@ -3605,9 +3084,7 @@
 public = 3058301206072a8648ce3d020106072a8648ce3d0301034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 413
 # truncated oid
@@ -3615,9 +3092,7 @@
 public = 3058301206072a8648ce3d020106078648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 414
 # wrong oid
@@ -3625,9 +3100,7 @@
 public = 3057301106052b0e03021a06082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 415
 # wrong oid
@@ -3635,9 +3108,7 @@
 public = 305b3015060960864801650304020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 416
 # wrong oid
@@ -3645,9 +3116,7 @@
 public = 3056301006072a8648ce3d020106052b0e03021a034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 417
 # wrong oid
@@ -3655,9 +3124,7 @@
 public = 305a301406072a8648ce3d02010609608648016503040201034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 418
 # longer oid
@@ -3665,9 +3132,7 @@
 public = 305a301406082a8648ce3d02010106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 419
 # longer oid
@@ -3675,9 +3140,7 @@
 public = 305a301406072a8648ce3d020106092a8648ce3d03010701034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 420
 # oid with modified node
@@ -3685,9 +3148,7 @@
 public = 3059301306072a8648ce3d021106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 421
 # oid with modified node
@@ -3695,9 +3156,7 @@
 public = 305d3017060b2a8648ce3d02888080800106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 422
 # oid with modified node
@@ -3705,9 +3164,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030117034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 423
 # oid with modified node
@@ -3715,9 +3172,7 @@
 public = 305d301706072a8648ce3d0201060c2a8648ce3d03018880808007034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 424
 # large integer in oid
@@ -3725,9 +3180,7 @@
 public = 3062301c06102a8648ce3d028280808080808080800106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 425
 # large integer in oid
@@ -3735,9 +3188,7 @@
 public = 3062301c06072a8648ce3d020106112a8648ce3d030182808080808080808007034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 426
 # oid with invalid node
@@ -3745,9 +3196,7 @@
 public = 305a301406082a8648ce3d0201e006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 427
 # oid with invalid node
@@ -3755,9 +3204,7 @@
 public = 305a301406082a808648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 428
 # oid with invalid node
@@ -3765,9 +3212,7 @@
 public = 305a301406072a8648ce3d020106092a8648ce3d030107e0034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 429
 # oid with invalid node
@@ -3775,9 +3220,7 @@
 public = 305a301406072a8648ce3d020106092a808648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 430
 # long form encoding of length of bit string
@@ -3785,9 +3228,7 @@
 public = 305a301306072a8648ce3d020106082a8648ce3d03010703814200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 431
 # length of bit string contains leading 0
@@ -3795,9 +3236,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d0301070382004200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 432
 # wrong length of bit string
@@ -3805,9 +3244,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034300042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 433
 # wrong length of bit string
@@ -3815,9 +3252,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034100042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 434
 # uint32 overflow in length of bit string
@@ -3825,9 +3260,7 @@
 public = 305e301306072a8648ce3d020106082a8648ce3d0301070385010000004200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 435
 # uint64 overflow in length of bit string
@@ -3835,9 +3268,7 @@
 public = 3062301306072a8648ce3d020106082a8648ce3d030107038901000000000000004200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 436
 # length of bit string = 2**31 - 1
@@ -3845,9 +3276,7 @@
 public = 305d301306072a8648ce3d020106082a8648ce3d03010703847fffffff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 437
 # length of bit string = 2**32 - 1
@@ -3855,9 +3284,7 @@
 public = 305d301306072a8648ce3d020106082a8648ce3d0301070384ffffffff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 438
 # length of bit string = 2**40 - 1
@@ -3865,9 +3292,7 @@
 public = 305e301306072a8648ce3d020106082a8648ce3d0301070385ffffffffff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 439
 # length of bit string = 2**64 - 1
@@ -3875,9 +3300,7 @@
 public = 3061301306072a8648ce3d020106082a8648ce3d0301070388ffffffffffffffff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 440
 # incorrect length of bit string
@@ -3885,9 +3308,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d03010703ff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 441
 # lonely bit string tag
@@ -3895,9 +3316,7 @@
 public = 3016301306072a8648ce3d020106082a8648ce3d03010703
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 442
 # appending 0's to bit string
@@ -3905,9 +3324,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034400042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 443
 # prepending 0's to bit string
@@ -3915,9 +3332,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d0301070344000000042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 444
 # appending null value to bit string
@@ -3925,9 +3340,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034400042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0500
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 445
 # truncated length of bit string
@@ -3935,9 +3348,7 @@
 public = 3017301306072a8648ce3d020106082a8648ce3d0301070381
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 446
 # Replacing bit string with NULL
@@ -3945,9 +3356,7 @@
 public = 3017301306072a8648ce3d020106082a8648ce3d0301070500
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 447
 # changing tag value of bit string
@@ -3955,9 +3364,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107014200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 448
 # changing tag value of bit string
@@ -3965,9 +3372,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107024200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 449
 # changing tag value of bit string
@@ -3975,9 +3380,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107044200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 450
 # changing tag value of bit string
@@ -3985,9 +3388,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107054200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 451
 # changing tag value of bit string
@@ -3995,9 +3396,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107ff4200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 452
 # dropping value of bit string
@@ -4005,9 +3404,7 @@
 public = 3017301306072a8648ce3d020106082a8648ce3d0301070300
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 453
 # modify first byte of bit string
@@ -4015,9 +3412,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034202042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 454
 # modify last byte of bit string
@@ -4025,9 +3420,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add6eb
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 455
 # truncated bit string
@@ -4035,9 +3428,7 @@
 public = 3058301306072a8648ce3d020106082a8648ce3d030107034100042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add6
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 456
 # truncated bit string
@@ -4045,9 +3436,7 @@
 public = 3058301306072a8648ce3d020106082a8648ce3d0301070341042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 457
 # declaring bits as unused in bit string
@@ -4055,9 +3444,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034201042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 458
 # unused bits in bit string
@@ -4065,9 +3452,7 @@
 public = 305d301306072a8648ce3d020106082a8648ce3d030107034620042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b01020304
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 459
 # unused bits in empty bit-string
@@ -4075,9 +3460,7 @@
 public = 3018301306072a8648ce3d020106082a8648ce3d030107030103
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 460
 # 128 unused bits
@@ -4085,7 +3468,5 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034280042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
diff --git a/third_party/wycheproof_testvectors/ecdh_secp384r1_test.txt b/third_party/wycheproof_testvectors/ecdh_secp384r1_test.txt
index a78e765..10c0773 100644
--- a/third_party/wycheproof_testvectors/ecdh_secp384r1_test.txt
+++ b/third_party/wycheproof_testvectors/ecdh_secp384r1_test.txt
@@ -20,8 +20,7 @@
 public = 3046301006072a8648ce3d020106052b8104002203320002790a6e059ef9a5940163183d4a7809135d29791643fc43a2f17ee8bf677ab84f791b64a6be15969ffa012dd9185d8796
 result = acceptable
 shared = 6461defb95d996b24296f5a1832b34db05ed031114fbe7d98d098f93859866e4de1e229da71fef0c77fe49b249190135
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 3
 # edge case for shared secret
@@ -1167,9 +1166,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004e9dfaaab808b3aac1ccca7cc6242a7ee583249afe8ee8f66b904cc8eec34ad334456e00f33a94de8b5169cf0199550c020156e9651734ff999c5f3ea62b83d0083a6093f234457251ecf72c41e4df7cea2420b5454a7f690034380bac981e92e
 result = valid
 shared = 2ecf9dc47e8b07ae61ddbd1680ead02698e9e8469f78d5a28328e48d0c9d7a2ac787e50cba58cc44a32fb1235d2d7027
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 162
 # edge case private key
@@ -1177,9 +1174,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004e9dfaaab808b3aac1ccca7cc6242a7ee583249afe8ee8f66b904cc8eec34ad334456e00f33a94de8b5169cf0199550c020156e9651734ff999c5f3ea62b83d0083a6093f234457251ecf72c41e4df7cea2420b5454a7f690034380bac981e92e
 result = valid
 shared = 06ee9f55079d3d3c18c683ba33e0d2521be97c4fbf7917bf3b6287d58ffcde2df88842e3f5530b39549ac20974b1b60e
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 163
 # edge case private key
@@ -1194,9 +1189,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004e9dfaaab808b3aac1ccca7cc6242a7ee583249afe8ee8f66b904cc8eec34ad334456e00f33a94de8b5169cf0199550c020156e9651734ff999c5f3ea62b83d0083a6093f234457251ecf72c41e4df7cea2420b5454a7f690034380bac981e92e
 result = valid
 shared = 024c5281487216058270cd1cfe259e948310e4adc263a9edaa4da0bc3f5f8ce8ffc88ae41b2c050bf6dd9c8c66857237
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 165
 # point is not on curve
@@ -1322,12 +1315,7 @@
 public = 3076301006072a8648ce3d020106052b81040022036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c8
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 183
 # public point = (0,0)
@@ -1335,12 +1323,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 184
 # order =
@@ -1349,20 +1332,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f0231ff000000000000000000000000000000000000000000000000389cb27e0bc8d220a7e5f24db74f58851313e695333ad68d020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 185
 # order = 0
@@ -1370,20 +1340,7 @@
 public = 308201853082011d06072a8648ce3d020130820110020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f020100020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 186
 # order = 1
@@ -1391,20 +1348,7 @@
 public = 308201853082011d06072a8648ce3d020130820110020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f020101020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 187
 # order =
@@ -1413,20 +1357,7 @@
 public = 308201b13082014906072a8648ce3d02013082013c020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f022d00ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196a020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 188
 # generator = (0,0)
@@ -1434,17 +1365,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 189
 # generator not on curve
@@ -1452,17 +1373,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e61023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 190
 # cofactor = -1
@@ -1470,17 +1381,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529730201ff036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 191
 # cofactor = 0
@@ -1488,17 +1389,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020100036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 192
 # cofactor = 2
@@ -1506,17 +1397,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020102036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 193
 # cofactor =
@@ -1525,17 +1406,7 @@
 public = 308201e53082017d06072a8648ce3d020130820170020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 194
 # cofactor = None
@@ -1543,17 +1414,7 @@
 public = 308201b23082014a06072a8648ce3d02013082013d020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 195
 # modified prime
@@ -1561,20 +1422,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100f47e533e4e43e4bf04e901db0eea6efba14bbcdc3b1c5753a7c141487e4f43784e57a72310202323361f44760c8368bf306404300b81acc1b1bc1b40fb16fe24f11591045eb44323c4e3a8ac583ebeb781b0bc86b1a858dbefdfdcdcc9e0bb8af37c973d0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef04610400000000000000000000000000000000fffffffffffd38000000000000000000000000000000000000000000000001cf3646298bba2f24e84189cf0d1e75188fc4fcf5b0844281822e789e3d534b159f4c419342260197625ad924a2c72c4d0f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529730201010362000400000000000000000000000000000000fffffffffffd38000000000000000000000000000000000000000000000001cf3646298bba2f24e84189cf0d1e75188fc4fcf5b0844281822e789e3d534b159f4c419342260197625ad924a2c72c4d0f
 result = invalid
 shared = 5df0762488bc0a7be1121508949382861f781c331676048c2d45d245be6f476c872113e6710bc746c3d06970510193ce
-# The modulus of the public key has been modified. The public point of the
-# public key has been chosen so that it is both a point on both the curve of the
-# modified public key and the private key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = ModifiedPrime,InvalidPublic,UnnamedCurve
 
 # tcId = 196
 # using secp224r1
@@ -1582,12 +1430,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004074f56dc2ea648ef89c3b72e23bbd2da36f60243e4d2067b70604af1c2165cec2f86603d60c8a611d5b84ba3d91dfe1a480825bcc4af3bcf
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 197
 # using secp256r1
@@ -1595,12 +1438,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d03010703420004cbf6606595a3ee50f9fceaa2798c2740c82540516b4e5a7d361ff24e9dd15364e5408b2e679f9d5310d1f6893b36ce16b4a507509175fcb52aea53b781556b39
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 198
 # using secp256k1
@@ -1608,12 +1446,7 @@
 public = 3056301006072a8648ce3d020106052b8104000a03420004a1263e75b87ae0937060ff1472f330ee55cdf8f4329d6284a9ebfbcc856c11684225e72cbebff41e54fb6f00e11afe53a17937bedbf2df787f8ef9584f775838
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 199
 # a = 0
@@ -1621,17 +1454,7 @@
 public = 308201863082011e06072a8648ce3d020130820111020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff303504010004304fcc45ccf5e23ee407b9291d2e85523962a2a79a50da3facca04b7267ad316db202cb07c24905740d201ded3028881090461042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 200
 # public key of order 3
@@ -1639,21 +1462,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff3064043074a89c1d95030a24dddf35deb3d490665cab6a0e72741abb05f3fb7e34ec8b432b39fc1ba64285f407856ca80690f125043054e7a558b35bb0e9af4a419ec6635f3c0d34ae013cde6debef47514bcb980ad547c9aa5834be44eaa02e93bf851344e8046104c98adce2b5ef154f90d7d6f0c2ec6c526a9f214cce85ee84290e45fd6e5e88f82dfe994c0050d838789744af8b8d9505f29cbb59d91d1908faaab1cd17b7e0736df1e09a4fc42366abb339565086f7d872c779af84980f9fd725446ff0e2dde5023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc5297302010103620004c98adce2b5ef154f90d7d6f0c2ec6c526a9f214cce85ee84290e45fd6e5e88f82dfe994c0050d838789744af8b8d95050d6344a626e2e6f705554e32e8481f8c920e1f65b03bdc99544cc6a9af7908268d38864f7b67f06028dabb910f1d221a
 result = invalid
 shared = 
-# The vector contains a weak public key. The curve is not a named curve, the
-# public key point has order 3 and has been chosen to be on the same curve as
-# the private key. This test vector is used to check ECC implementations for
-# missing steps in the verification of the public key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WeakPublicKey,InvalidPublic,UnnamedCurve
 
 # tcId = 201
 # Public key uses wrong curve: secp224r1
@@ -1766,8 +1575,7 @@
 public = 3046301006072a8648ce3d020106052b81040022033200024424530ea70bace90601f8d5869e4179a6cd689b6a18fdfec50cecf17cb836d24820211ada67815b42c2c2606303f69e
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 217
 # long form encoding of length of sequence
@@ -1775,9 +1583,7 @@
 public = 308176301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 218
 # long form encoding of length of sequence
@@ -1785,9 +1591,7 @@
 public = 307730811006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 219
 # length of sequence contains leading 0
@@ -1795,9 +1599,7 @@
 public = 30820076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 220
 # length of sequence contains leading 0
@@ -1805,9 +1607,7 @@
 public = 30783082001006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 221
 # wrong length of sequence
@@ -1815,9 +1615,7 @@
 public = 3077301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 222
 # wrong length of sequence
@@ -1825,9 +1623,7 @@
 public = 3075301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 223
 # wrong length of sequence
@@ -1835,9 +1631,7 @@
 public = 3076301106072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 224
 # wrong length of sequence
@@ -1845,9 +1639,7 @@
 public = 3076300f06072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 225
 # uint32 overflow in length of sequence
@@ -1855,9 +1647,7 @@
 public = 30850100000076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 226
 # uint32 overflow in length of sequence
@@ -1865,9 +1655,7 @@
 public = 307b3085010000001006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 227
 # uint64 overflow in length of sequence
@@ -1875,9 +1663,7 @@
 public = 3089010000000000000076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 228
 # uint64 overflow in length of sequence
@@ -1885,9 +1671,7 @@
 public = 307f308901000000000000001006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 229
 # length of sequence = 2**31 - 1
@@ -1895,9 +1679,7 @@
 public = 30847fffffff301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 230
 # length of sequence = 2**31 - 1
@@ -1905,9 +1687,7 @@
 public = 307a30847fffffff06072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 231
 # length of sequence = 2**32 - 1
@@ -1915,9 +1695,7 @@
 public = 3084ffffffff301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 232
 # length of sequence = 2**32 - 1
@@ -1925,9 +1703,7 @@
 public = 307a3084ffffffff06072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 233
 # length of sequence = 2**40 - 1
@@ -1935,9 +1711,7 @@
 public = 3085ffffffffff301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 234
 # length of sequence = 2**40 - 1
@@ -1945,9 +1719,7 @@
 public = 307b3085ffffffffff06072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 235
 # length of sequence = 2**64 - 1
@@ -1955,9 +1727,7 @@
 public = 3088ffffffffffffffff301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 236
 # length of sequence = 2**64 - 1
@@ -1965,9 +1735,7 @@
 public = 307e3088ffffffffffffffff06072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 237
 # incorrect length of sequence
@@ -1975,9 +1743,7 @@
 public = 30ff301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 238
 # incorrect length of sequence
@@ -1985,9 +1751,7 @@
 public = 307630ff06072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 239
 # indefinite length without termination
@@ -1995,9 +1759,7 @@
 public = 3080301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 240
 # indefinite length without termination
@@ -2005,9 +1767,7 @@
 public = 3076308006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 241
 # indefinite length without termination
@@ -2015,9 +1775,7 @@
 public = 3076301006802a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 242
 # indefinite length without termination
@@ -2025,9 +1783,7 @@
 public = 3076301006072a8648ce3d020106802b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 243
 # indefinite length without termination
@@ -2035,9 +1791,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203800004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 244
 # removing sequence
@@ -2045,9 +1799,7 @@
 public = 
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 245
 # removing sequence
@@ -2055,9 +1807,7 @@
 public = 306403620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 246
 # lonely sequence tag
@@ -2065,9 +1815,7 @@
 public = 30
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 247
 # lonely sequence tag
@@ -2075,9 +1823,7 @@
 public = 30653003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 248
 # appending 0's to sequence
@@ -2085,9 +1831,7 @@
 public = 3078301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510000
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 249
 # appending 0's to sequence
@@ -2095,9 +1839,7 @@
 public = 3078301206072a8648ce3d020106052b81040022000003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 250
 # prepending 0's to sequence
@@ -2105,9 +1847,7 @@
 public = 30780000301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 251
 # prepending 0's to sequence
@@ -2115,9 +1855,7 @@
 public = 30783012000006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 252
 # appending unused 0's to sequence
@@ -2125,9 +1863,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510000
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 253
 # appending unused 0's to sequence
@@ -2135,9 +1871,7 @@
 public = 3078301006072a8648ce3d020106052b81040022000003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 254
 # appending null value to sequence
@@ -2145,9 +1879,7 @@
 public = 3078301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510500
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 255
 # appending null value to sequence
@@ -2155,9 +1887,7 @@
 public = 3078301206072a8648ce3d020106052b81040022050003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 256
 # including garbage
@@ -2165,9 +1895,7 @@
 public = 307b4981773076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 257
 # including garbage
@@ -2175,9 +1903,7 @@
 public = 307a25003076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 258
 # including garbage
@@ -2185,9 +1911,7 @@
 public = 30783076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510004deadbeef
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 259
 # including garbage
@@ -2195,9 +1919,7 @@
 public = 307b3015498177301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 260
 # including garbage
@@ -2205,9 +1927,7 @@
 public = 307a30142500301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 261
 # including garbage
@@ -2215,9 +1935,7 @@
 public = 307e3012301006072a8648ce3d020106052b810400220004deadbeef03620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 262
 # including garbage
@@ -2225,9 +1943,7 @@
 public = 307b3015260c49817706072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 263
 # including garbage
@@ -2235,9 +1951,7 @@
 public = 307a3014260b250006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 264
 # including garbage
@@ -2245,9 +1959,7 @@
 public = 307e3018260906072a8648ce3d02010004deadbeef06052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 265
 # including garbage
@@ -2255,9 +1967,7 @@
 public = 307b301506072a8648ce3d0201260a49817706052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 266
 # including garbage
@@ -2265,9 +1975,7 @@
 public = 307a301406072a8648ce3d02012609250006052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 267
 # including garbage
@@ -2275,9 +1983,7 @@
 public = 307e301806072a8648ce3d0201260706052b810400220004deadbeef03620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 268
 # including garbage
@@ -2285,9 +1991,7 @@
 public = 307b301006072a8648ce3d020106052b81040022236749817703620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 269
 # including garbage
@@ -2295,9 +1999,7 @@
 public = 307a301006072a8648ce3d020106052b810400222366250003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 270
 # including garbage
@@ -2305,9 +2007,7 @@
 public = 307e301006072a8648ce3d020106052b81040022236403620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510004deadbeef
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 271
 # including undefined tags
@@ -2315,9 +2015,7 @@
 public = 307eaa00bb00cd003076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 272
 # including undefined tags
@@ -2325,9 +2023,7 @@
 public = 307caa02aabb3076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 273
 # including undefined tags
@@ -2335,9 +2031,7 @@
 public = 307e3018aa00bb00cd00301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 274
 # including undefined tags
@@ -2345,9 +2039,7 @@
 public = 307c3016aa02aabb301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 275
 # including undefined tags
@@ -2355,9 +2047,7 @@
 public = 307e3018260faa00bb00cd0006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 276
 # including undefined tags
@@ -2365,9 +2055,7 @@
 public = 307c3016260daa02aabb06072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 277
 # including undefined tags
@@ -2375,9 +2063,7 @@
 public = 307e301806072a8648ce3d0201260daa00bb00cd0006052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 278
 # including undefined tags
@@ -2385,9 +2071,7 @@
 public = 307c301606072a8648ce3d0201260baa02aabb06052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 279
 # including undefined tags
@@ -2395,9 +2079,7 @@
 public = 307e301006072a8648ce3d020106052b81040022236aaa00bb00cd0003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 280
 # including undefined tags
@@ -2405,9 +2087,7 @@
 public = 307c301006072a8648ce3d020106052b810400222368aa02aabb03620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 281
 # truncated length of sequence
@@ -2415,9 +2095,7 @@
 public = 3081
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 282
 # truncated length of sequence
@@ -2425,9 +2103,7 @@
 public = 3066308103620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 283
 # Replacing sequence with NULL
@@ -2435,9 +2111,7 @@
 public = 0500
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 284
 # Replacing sequence with NULL
@@ -2445,9 +2119,7 @@
 public = 3066050003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 285
 # changing tag value of sequence
@@ -2455,9 +2127,7 @@
 public = 2e76301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 286
 # changing tag value of sequence
@@ -2465,9 +2135,7 @@
 public = 2f76301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 287
 # changing tag value of sequence
@@ -2475,9 +2143,7 @@
 public = 3176301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 288
 # changing tag value of sequence
@@ -2485,9 +2151,7 @@
 public = 3276301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 289
 # changing tag value of sequence
@@ -2495,9 +2159,7 @@
 public = ff76301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 290
 # changing tag value of sequence
@@ -2505,9 +2167,7 @@
 public = 30762e1006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 291
 # changing tag value of sequence
@@ -2515,9 +2175,7 @@
 public = 30762f1006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 292
 # changing tag value of sequence
@@ -2525,9 +2183,7 @@
 public = 3076311006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 293
 # changing tag value of sequence
@@ -2535,9 +2191,7 @@
 public = 3076321006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 294
 # changing tag value of sequence
@@ -2545,9 +2199,7 @@
 public = 3076ff1006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 295
 # dropping value of sequence
@@ -2555,9 +2207,7 @@
 public = 3000
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 296
 # dropping value of sequence
@@ -2565,9 +2215,7 @@
 public = 3066300003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 297
 # truncated sequence
@@ -2575,9 +2223,7 @@
 public = 3075301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 298
 # truncated sequence
@@ -2585,9 +2231,7 @@
 public = 30751006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 299
 # truncated sequence
@@ -2595,9 +2239,7 @@
 public = 3075300f06072a8648ce3d020106052b81040003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 300
 # truncated sequence
@@ -2605,9 +2247,7 @@
 public = 3075300f072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 301
 # indefinite length
@@ -2615,9 +2255,7 @@
 public = 3080301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510000
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 302
 # indefinite length
@@ -2625,9 +2263,7 @@
 public = 3078308006072a8648ce3d020106052b81040022000003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 303
 # indefinite length with truncated delimiter
@@ -2635,9 +2271,7 @@
 public = 3080301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed03125100
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 304
 # indefinite length with truncated delimiter
@@ -2645,9 +2279,7 @@
 public = 3077308006072a8648ce3d020106052b810400220003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 305
 # indefinite length with additional element
@@ -2655,9 +2287,7 @@
 public = 3080301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed03125105000000
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 306
 # indefinite length with additional element
@@ -2665,9 +2295,7 @@
 public = 307a308006072a8648ce3d020106052b810400220500000003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 307
 # indefinite length with truncated element
@@ -2675,9 +2303,7 @@
 public = 3080301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251060811220000
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 308
 # indefinite length with truncated element
@@ -2685,9 +2311,7 @@
 public = 307c308006072a8648ce3d020106052b8104002206081122000003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 309
 # indefinite length with garbage
@@ -2695,9 +2319,7 @@
 public = 3080301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510000fe02beef
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 310
 # indefinite length with garbage
@@ -2705,9 +2327,7 @@
 public = 307c308006072a8648ce3d020106052b810400220000fe02beef03620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 311
 # indefinite length with nonempty EOC
@@ -2715,9 +2335,7 @@
 public = 3080301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510002beef
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 312
 # indefinite length with nonempty EOC
@@ -2725,9 +2343,7 @@
 public = 307a308006072a8648ce3d020106052b810400220002beef03620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 313
 # prepend empty sequence
@@ -2735,9 +2351,7 @@
 public = 30783000301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 314
 # prepend empty sequence
@@ -2745,9 +2359,7 @@
 public = 30783012300006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 315
 # append empty sequence
@@ -2755,9 +2367,7 @@
 public = 3078301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312513000
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 316
 # append empty sequence
@@ -2765,9 +2375,7 @@
 public = 3078301206072a8648ce3d020106052b81040022300003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 317
 # append garbage with high tag number
@@ -2775,9 +2383,7 @@
 public = 3079301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251bf7f00
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 318
 # append garbage with high tag number
@@ -2785,9 +2391,7 @@
 public = 3079301306072a8648ce3d020106052b81040022bf7f0003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 319
 # sequence of sequence
@@ -2795,9 +2399,7 @@
 public = 30783076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 320
 # sequence of sequence
@@ -2805,9 +2407,7 @@
 public = 30783012301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 321
 # truncated sequence: removed last 1 elements
@@ -2815,9 +2415,7 @@
 public = 3012301006072a8648ce3d020106052b81040022
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 322
 # truncated sequence: removed last 1 elements
@@ -2825,9 +2423,7 @@
 public = 306f300906072a8648ce3d020103620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 323
 # repeating element in sequence
@@ -2835,9 +2431,7 @@
 public = 3081da301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed03125103620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 324
 # repeating element in sequence
@@ -2845,9 +2439,7 @@
 public = 307d301706072a8648ce3d020106052b8104002206052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 325
 # long form encoding of length of oid
@@ -2855,9 +2447,7 @@
 public = 307730110681072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 326
 # long form encoding of length of oid
@@ -2865,9 +2455,7 @@
 public = 3077301106072a8648ce3d02010681052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 327
 # length of oid contains leading 0
@@ -2875,9 +2463,7 @@
 public = 30783012068200072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 328
 # length of oid contains leading 0
@@ -2885,9 +2471,7 @@
 public = 3078301206072a8648ce3d0201068200052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 329
 # wrong length of oid
@@ -2895,9 +2479,7 @@
 public = 3076301006082a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 330
 # wrong length of oid
@@ -2905,9 +2487,7 @@
 public = 3076301006062a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 331
 # wrong length of oid
@@ -2915,9 +2495,7 @@
 public = 3076301006072a8648ce3d020106062b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 332
 # wrong length of oid
@@ -2925,9 +2503,7 @@
 public = 3076301006072a8648ce3d020106042b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 333
 # uint32 overflow in length of oid
@@ -2935,9 +2511,7 @@
 public = 307b3015068501000000072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 334
 # uint32 overflow in length of oid
@@ -2945,9 +2519,7 @@
 public = 307b301506072a8648ce3d0201068501000000052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 335
 # uint64 overflow in length of oid
@@ -2955,9 +2527,7 @@
 public = 307f301906890100000000000000072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 336
 # uint64 overflow in length of oid
@@ -2965,9 +2535,7 @@
 public = 307f301906072a8648ce3d020106890100000000000000052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 337
 # length of oid = 2**31 - 1
@@ -2975,9 +2543,7 @@
 public = 307a301406847fffffff2a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 338
 # length of oid = 2**31 - 1
@@ -2985,9 +2551,7 @@
 public = 307a301406072a8648ce3d020106847fffffff2b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 339
 # length of oid = 2**32 - 1
@@ -2995,9 +2559,7 @@
 public = 307a30140684ffffffff2a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 340
 # length of oid = 2**32 - 1
@@ -3005,9 +2567,7 @@
 public = 307a301406072a8648ce3d02010684ffffffff2b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 341
 # length of oid = 2**40 - 1
@@ -3015,9 +2575,7 @@
 public = 307b30150685ffffffffff2a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 342
 # length of oid = 2**40 - 1
@@ -3025,9 +2583,7 @@
 public = 307b301506072a8648ce3d02010685ffffffffff2b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 343
 # length of oid = 2**64 - 1
@@ -3035,9 +2591,7 @@
 public = 307e30180688ffffffffffffffff2a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 344
 # length of oid = 2**64 - 1
@@ -3045,9 +2599,7 @@
 public = 307e301806072a8648ce3d02010688ffffffffffffffff2b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 345
 # incorrect length of oid
@@ -3055,9 +2607,7 @@
 public = 3076301006ff2a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 346
 # incorrect length of oid
@@ -3065,9 +2615,7 @@
 public = 3076301006072a8648ce3d020106ff2b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 347
 # removing oid
@@ -3075,9 +2623,7 @@
 public = 306d300706052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 348
 # lonely oid tag
@@ -3085,9 +2631,7 @@
 public = 306e30080606052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 349
 # lonely oid tag
@@ -3095,9 +2639,7 @@
 public = 3070300a06072a8648ce3d02010603620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 350
 # appending 0's to oid
@@ -3105,9 +2647,7 @@
 public = 3078301206092a8648ce3d0201000006052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 351
 # appending 0's to oid
@@ -3115,9 +2655,7 @@
 public = 3078301206072a8648ce3d020106072b81040022000003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 352
 # prepending 0's to oid
@@ -3125,9 +2663,7 @@
 public = 30783012060900002a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 353
 # prepending 0's to oid
@@ -3135,9 +2671,7 @@
 public = 3078301206072a8648ce3d0201060700002b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 354
 # appending unused 0's to oid
@@ -3145,9 +2679,7 @@
 public = 3078301206072a8648ce3d0201000006052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 355
 # appending null value to oid
@@ -3155,9 +2687,7 @@
 public = 3078301206092a8648ce3d0201050006052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 356
 # appending null value to oid
@@ -3165,9 +2695,7 @@
 public = 3078301206072a8648ce3d020106072b81040022050003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 357
 # truncated length of oid
@@ -3175,9 +2703,7 @@
 public = 306f3009068106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 358
 # truncated length of oid
@@ -3185,9 +2711,7 @@
 public = 3071300b06072a8648ce3d0201068103620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 359
 # Replacing oid with NULL
@@ -3195,9 +2719,7 @@
 public = 306f3009050006052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 360
 # Replacing oid with NULL
@@ -3205,9 +2727,7 @@
 public = 3071300b06072a8648ce3d0201050003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 361
 # changing tag value of oid
@@ -3215,9 +2735,7 @@
 public = 3076301004072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 362
 # changing tag value of oid
@@ -3225,9 +2743,7 @@
 public = 3076301005072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 363
 # changing tag value of oid
@@ -3235,9 +2751,7 @@
 public = 3076301007072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 364
 # changing tag value of oid
@@ -3245,9 +2759,7 @@
 public = 3076301008072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 365
 # changing tag value of oid
@@ -3255,9 +2767,7 @@
 public = 30763010ff072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 366
 # changing tag value of oid
@@ -3265,9 +2775,7 @@
 public = 3076301006072a8648ce3d020104052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 367
 # changing tag value of oid
@@ -3275,9 +2783,7 @@
 public = 3076301006072a8648ce3d020105052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 368
 # changing tag value of oid
@@ -3285,9 +2791,7 @@
 public = 3076301006072a8648ce3d020107052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 369
 # changing tag value of oid
@@ -3295,9 +2799,7 @@
 public = 3076301006072a8648ce3d020108052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 370
 # changing tag value of oid
@@ -3305,9 +2807,7 @@
 public = 3076301006072a8648ce3d0201ff052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 371
 # dropping value of oid
@@ -3315,9 +2815,7 @@
 public = 306f3009060006052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 372
 # dropping value of oid
@@ -3325,9 +2823,7 @@
 public = 3071300b06072a8648ce3d0201060003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 373
 # modify first byte of oid
@@ -3335,9 +2831,7 @@
 public = 307630100607288648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 374
 # modify first byte of oid
@@ -3345,9 +2839,7 @@
 public = 3076301006072a8648ce3d02010605298104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 375
 # modify last byte of oid
@@ -3355,9 +2847,7 @@
 public = 3076301006072a8648ce3d028106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 376
 # modify last byte of oid
@@ -3365,9 +2855,7 @@
 public = 3076301006072a8648ce3d020106052b810400a203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 377
 # truncated oid
@@ -3375,9 +2863,7 @@
 public = 3075300f06062a8648ce3d0206052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 378
 # truncated oid
@@ -3385,9 +2871,7 @@
 public = 3075300f06068648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 379
 # truncated oid
@@ -3395,9 +2879,7 @@
 public = 3075300f06072a8648ce3d020106042b81040003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 380
 # truncated oid
@@ -3405,9 +2887,7 @@
 public = 3075300f06072a8648ce3d020106048104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 381
 # wrong oid
@@ -3415,9 +2895,7 @@
 public = 3074300e06052b0e03021a06052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 382
 # wrong oid
@@ -3425,9 +2903,7 @@
 public = 30783012060960864801650304020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 383
 # wrong oid
@@ -3435,9 +2911,7 @@
 public = 3076301006072a8648ce3d020106052b0e03021a03620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 384
 # wrong oid
@@ -3445,9 +2919,7 @@
 public = 307a301406072a8648ce3d0201060960864801650304020103620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 385
 # longer oid
@@ -3455,9 +2927,7 @@
 public = 3077301106082a8648ce3d02010106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 386
 # longer oid
@@ -3465,9 +2935,7 @@
 public = 3077301106072a8648ce3d020106062b810400220103620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 387
 # oid with modified node
@@ -3475,9 +2943,7 @@
 public = 3076301006072a8648ce3d021106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 388
 # oid with modified node
@@ -3485,9 +2951,7 @@
 public = 307a3014060b2a8648ce3d02888080800106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 389
 # oid with modified node
@@ -3495,9 +2959,7 @@
 public = 3076301006072a8648ce3d020106052b8104003203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 390
 # oid with modified node
@@ -3505,9 +2967,7 @@
 public = 307a301406072a8648ce3d020106092b810400888080802203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 391
 # large integer in oid
@@ -3515,9 +2975,7 @@
 public = 307f301906102a8648ce3d028280808080808080800106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 392
 # large integer in oid
@@ -3525,9 +2983,7 @@
 public = 307f301906072a8648ce3d0201060e2b8104008280808080808080802203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 393
 # oid with invalid node
@@ -3535,9 +2991,7 @@
 public = 3077301106082a8648ce3d0201e006052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 394
 # oid with invalid node
@@ -3545,9 +2999,7 @@
 public = 3077301106082a808648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 395
 # oid with invalid node
@@ -3555,9 +3007,7 @@
 public = 3077301106072a8648ce3d020106062b81040022e003620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 396
 # oid with invalid node
@@ -3565,9 +3015,7 @@
 public = 3077301106072a8648ce3d020106062b808104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 397
 # long form encoding of length of bit string
@@ -3575,9 +3023,7 @@
 public = 3077301006072a8648ce3d020106052b810400220381620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 398
 # length of bit string contains leading 0
@@ -3585,9 +3031,7 @@
 public = 3078301006072a8648ce3d020106052b81040022038200620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 399
 # wrong length of bit string
@@ -3595,9 +3039,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203630004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 400
 # wrong length of bit string
@@ -3605,9 +3047,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203610004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 401
 # uint32 overflow in length of bit string
@@ -3615,9 +3055,7 @@
 public = 307b301006072a8648ce3d020106052b81040022038501000000620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 402
 # uint64 overflow in length of bit string
@@ -3625,9 +3063,7 @@
 public = 307f301006072a8648ce3d020106052b8104002203890100000000000000620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 403
 # length of bit string = 2**31 - 1
@@ -3635,9 +3071,7 @@
 public = 307a301006072a8648ce3d020106052b8104002203847fffffff0004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 404
 # length of bit string = 2**32 - 1
@@ -3645,9 +3079,7 @@
 public = 307a301006072a8648ce3d020106052b810400220384ffffffff0004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 405
 # length of bit string = 2**40 - 1
@@ -3655,9 +3087,7 @@
 public = 307b301006072a8648ce3d020106052b810400220385ffffffffff0004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 406
 # length of bit string = 2**64 - 1
@@ -3665,9 +3095,7 @@
 public = 307e301006072a8648ce3d020106052b810400220388ffffffffffffffff0004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 407
 # incorrect length of bit string
@@ -3675,9 +3103,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203ff0004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 408
 # lonely bit string tag
@@ -3685,9 +3111,7 @@
 public = 3013301006072a8648ce3d020106052b8104002203
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 409
 # appending 0's to bit string
@@ -3695,9 +3119,7 @@
 public = 3078301006072a8648ce3d020106052b8104002203640004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510000
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 410
 # prepending 0's to bit string
@@ -3705,9 +3127,7 @@
 public = 3078301006072a8648ce3d020106052b81040022036400000004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 411
 # appending null value to bit string
@@ -3715,9 +3135,7 @@
 public = 3078301006072a8648ce3d020106052b8104002203640004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312510500
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 412
 # truncated length of bit string
@@ -3725,9 +3143,7 @@
 public = 3014301006072a8648ce3d020106052b810400220381
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 413
 # Replacing bit string with NULL
@@ -3735,9 +3151,7 @@
 public = 3014301006072a8648ce3d020106052b810400220500
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 414
 # changing tag value of bit string
@@ -3745,9 +3159,7 @@
 public = 3076301006072a8648ce3d020106052b8104002201620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 415
 # changing tag value of bit string
@@ -3755,9 +3167,7 @@
 public = 3076301006072a8648ce3d020106052b8104002202620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 416
 # changing tag value of bit string
@@ -3765,9 +3175,7 @@
 public = 3076301006072a8648ce3d020106052b8104002204620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 417
 # changing tag value of bit string
@@ -3775,9 +3183,7 @@
 public = 3076301006072a8648ce3d020106052b8104002205620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 418
 # changing tag value of bit string
@@ -3785,9 +3191,7 @@
 public = 3076301006072a8648ce3d020106052b81040022ff620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 419
 # dropping value of bit string
@@ -3795,9 +3199,7 @@
 public = 3014301006072a8648ce3d020106052b810400220300
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 420
 # modify first byte of bit string
@@ -3805,9 +3207,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620204c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 421
 # modify last byte of bit string
@@ -3815,9 +3215,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312d1
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 422
 # truncated bit string
@@ -3825,9 +3223,7 @@
 public = 3075301006072a8648ce3d020106052b8104002203610004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed0312
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 423
 # truncated bit string
@@ -3835,9 +3231,7 @@
 public = 3075301006072a8648ce3d020106052b81040022036104c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 424
 # declaring bits as unused in bit string
@@ -3845,9 +3239,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620104c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 425
 # unused bits in bit string
@@ -3855,9 +3247,7 @@
 public = 307a301006072a8648ce3d020106052b8104002203662004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed03125101020304
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 426
 # unused bits in empty bit-string
@@ -3865,9 +3255,7 @@
 public = 3015301006072a8648ce3d020106052b81040022030103
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 427
 # 128 unused bits
@@ -3875,7 +3263,5 @@
 public = 3076301006072a8648ce3d020106052b8104002203628004c2bed48c5e15e8208411b1a14c77c440b9a8c3b6b2af6eef05e4fbae13cfe7ba5e9af208c54e3035e3b4559f97b0f2798dbe522a47ee950419b5faa273d24ff2748a8349c591cc80871acf3c6702cce129c68351a713207a69f02b5bed031251
 result = acceptable
 shared = 40c344fb1185a5a97dd00b114f1b9c5ce4009f90c593f236fe465518f9ff27326a421e05b5bc1bfe3768d5becb9ec797
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
diff --git a/third_party/wycheproof_testvectors/ecdh_secp521r1_test.txt b/third_party/wycheproof_testvectors/ecdh_secp521r1_test.txt
index a552982..8e23c05 100644
--- a/third_party/wycheproof_testvectors/ecdh_secp521r1_test.txt
+++ b/third_party/wycheproof_testvectors/ecdh_secp521r1_test.txt
@@ -20,8 +20,7 @@
 public = 3058301006072a8648ce3d020106052b81040023034400030064da3e94733db536a74a0d8a5cb2265a31c54a1da6529a198377fbd38575d9d79769ca2bdf2d4c972642926d444891a652e7f492337251adf1613cf3077999b5ce
 result = acceptable
 shared = 01f1e410f2c6262bce6879a3f46dfb7dd11d30eeee9ab49852102e1892201dd10f27266c2cf7cbccc7f6885099043dad80ff57f0df96acf283fb090de53df95f7d87
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 3
 # edge case for shared secret
@@ -1494,9 +1493,7 @@
 public = 30819b301006072a8648ce3d020106052b81040023038186000401ad5043591dbe81657fe3d1c3d7a516606ad9d320a35fce8aaec8a950fb53f95388f3fc48be998e99334ad9e9234cded14471fe86caccaa07d058ee8771733ac3b900854de36366590b9ee4d0370ea6b00f7ebd8156ccf14e99f1a5344a9b4964fbb8348b081a8840c6b64be77997ad8bebfea5e7d9f7a6a7fa6d7655c50b2b7835f314
 result = valid
 shared = 00286cefaaf38ca4c6657eb9b187d8614d51775fd71c1a79b4c0ef1a0d4ce72b6f5b2bc854a4e78283530942a3f4fd2a8586d5ea51513c89d3d29de5de06321e118e
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 203
 # edge case private key
@@ -1504,9 +1501,7 @@
 public = 30819b301006072a8648ce3d020106052b81040023038186000401ad5043591dbe81657fe3d1c3d7a516606ad9d320a35fce8aaec8a950fb53f95388f3fc48be998e99334ad9e9234cded14471fe86caccaa07d058ee8771733ac3b900854de36366590b9ee4d0370ea6b00f7ebd8156ccf14e99f1a5344a9b4964fbb8348b081a8840c6b64be77997ad8bebfea5e7d9f7a6a7fa6d7655c50b2b7835f314
 result = valid
 shared = 014790de14c481f1336fcb7d33a8bf8e23eb594cc48608e9edfe0e326e106b67e7eaa3f04ec9985599178f632a5ee6419e11217060e9fcd5958a43882bf8cd3be6ba
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 204
 # edge case private key
@@ -1514,9 +1509,7 @@
 public = 30819b301006072a8648ce3d020106052b81040023038186000401ad5043591dbe81657fe3d1c3d7a516606ad9d320a35fce8aaec8a950fb53f95388f3fc48be998e99334ad9e9234cded14471fe86caccaa07d058ee8771733ac3b900854de36366590b9ee4d0370ea6b00f7ebd8156ccf14e99f1a5344a9b4964fbb8348b081a8840c6b64be77997ad8bebfea5e7d9f7a6a7fa6d7655c50b2b7835f314
 result = valid
 shared = 01ae775dbc4096a3aea7977b1a0af4b2830ecf9ca927a6247fba4cccb46b3f71d0e7abb8dda72d1c1ee7bb5b875b4773cc8df40f732819c4147da330775d1742ea35
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 205
 # edge case private key
@@ -1524,9 +1517,7 @@
 public = 30819b301006072a8648ce3d020106052b81040023038186000401ad5043591dbe81657fe3d1c3d7a516606ad9d320a35fce8aaec8a950fb53f95388f3fc48be998e99334ad9e9234cded14471fe86caccaa07d058ee8771733ac3b900854de36366590b9ee4d0370ea6b00f7ebd8156ccf14e99f1a5344a9b4964fbb8348b081a8840c6b64be77997ad8bebfea5e7d9f7a6a7fa6d7655c50b2b7835f314
 result = valid
 shared = 01979fb05e068a12a3f20cfdfb9eaee9f22b356edcc7655383ed38124b86814f86a6f2216a34f3fc2299d403ee42408f95d08c5c6cd11db72cbf299a4a3c2545be25
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 206
 # edge case private key
@@ -1534,9 +1525,7 @@
 public = 30819b301006072a8648ce3d020106052b81040023038186000401ad5043591dbe81657fe3d1c3d7a516606ad9d320a35fce8aaec8a950fb53f95388f3fc48be998e99334ad9e9234cded14471fe86caccaa07d058ee8771733ac3b900854de36366590b9ee4d0370ea6b00f7ebd8156ccf14e99f1a5344a9b4964fbb8348b081a8840c6b64be77997ad8bebfea5e7d9f7a6a7fa6d7655c50b2b7835f314
 result = valid
 shared = 0197ebe26798bf67f06ff0282773af75115531f41d94c093d87481b76bef707bc222f2d6672f84a00fa20c5ed27027ab4006b68d93ee2151016c9ddbe014346272e2
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 207
 # edge case private key
@@ -1551,9 +1540,7 @@
 public = 30819b301006072a8648ce3d020106052b81040023038186000401ad5043591dbe81657fe3d1c3d7a516606ad9d320a35fce8aaec8a950fb53f95388f3fc48be998e99334ad9e9234cded14471fe86caccaa07d058ee8771733ac3b900854de36366590b9ee4d0370ea6b00f7ebd8156ccf14e99f1a5344a9b4964fbb8348b081a8840c6b64be77997ad8bebfea5e7d9f7a6a7fa6d7655c50b2b7835f314
 result = valid
 shared = 01c168314cdc85757ade34a52a9e5379ffa5968f084b7e404939a8033a0fc698e26211754b9b2c04cf8a1420abe6e986ef1a238bbb91dd402b72e0ed50a876f1a83e
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 209
 # CVE-2017-10176: Issue with elliptic curve addition
@@ -1561,9 +1548,7 @@
 public = 30819b301006072a8648ce3d020106052b81040023038186000400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650
 result = valid
 shared = 01bc33425e72a12779eacb2edcc5b63d1281f7e86dbc7bf99a7abd0cfe367de4666d6edbb8525bffe5222f0702c3096dec0884ce572f5a15c423fdf44d01dd99c61d
-# This test vector leads to an EC point multiplication where an intermediate
-# result can be the point at infinity, if addition-subtraction chains are used
-# to speed up the point multiplication.
+flags = CVE_2017_10176
 
 # tcId = 210
 # point is not on curve
@@ -1689,12 +1674,7 @@
 public = 30819b301006072a8648ce3d020106052b81040023038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fe1
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 228
 # public point = (0,0)
@@ -1702,12 +1682,7 @@
 public = 30819b301006072a8648ce3d020106052b810400230381860004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 229
 # order =
@@ -1716,20 +1691,7 @@
 public = 30820245308201b806072a8648ce3d0201308201ab020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd166500242fe000000000000000000000000000000000000000000000000000000000000000005ae79787c40d069948033feb708f65a2fc44a36477663b851449048e16ec79bf7020101038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = invalid
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 230
 # order = 0
@@ -1737,20 +1699,7 @@
 public = 308202043082017706072a8648ce3d02013082016a020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650020100020101038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = invalid
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 231
 # order = 1
@@ -1758,20 +1707,7 @@
 public = 308202043082017706072a8648ce3d02013082016a020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650020101020101038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = acceptable
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 232
 # order =
@@ -1780,20 +1716,7 @@
 public = 30820241308201b406072a8648ce3d0201308201a7020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650023e01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e020101038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = acceptable
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 233
 # generator = (0,0)
@@ -1801,17 +1724,7 @@
 public = 30820245308201b806072a8648ce3d0201308201ab020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f0004818504000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409020101038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = acceptable
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 234
 # generator not on curve
@@ -1819,17 +1732,7 @@
 public = 30820245308201b806072a8648ce3d0201308201ab020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16652024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409020101038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = acceptable
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 235
 # cofactor = -1
@@ -1837,17 +1740,7 @@
 public = 30820245308201b806072a8648ce3d0201308201ab020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913864090201ff038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = invalid
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 236
 # cofactor = 0
@@ -1855,17 +1748,7 @@
 public = 30820245308201b806072a8648ce3d0201308201ab020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409020100038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = invalid
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 237
 # cofactor = 2
@@ -1873,17 +1756,7 @@
 public = 30820245308201b806072a8648ce3d0201308201ab020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409020102038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = acceptable
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 238
 # cofactor =
@@ -1892,17 +1765,7 @@
 public = 30820286308201f906072a8648ce3d0201308201ec020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = invalid
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 239
 # cofactor = None
@@ -1910,17 +1773,7 @@
 public = 30820242308201b506072a8648ce3d0201308201a8020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f000481850400c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = acceptable
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 240
 # modified prime
@@ -1928,20 +1781,7 @@
 public = 30820244308201b706072a8648ce3d0201308201aa020101304d06072a8648ce3d0101024201e99d17d498f3c68ed8e50430ec4f36c14dbeeaf7652e985636bf0548ffb981e9e011607fd0059cd4fe51e882f19a3839ebe7f1d7376cb761431b214ed76970cc0130818604411662e82b670c3971271afbcf13b0c93eb24115089ad167a9c940fab700467e161fee9f802ffa632b01ae177d0e65c7c614180e28c893489ebce4deb128968f33fb044151953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f0004818504000000000000000000000000000000000000000000000a14517cc6b91f8000000000000000000000000000000000000000000000000000000000000000000000032c006b0f530bec5bed532357d436727699f0e3c5b9366f1a435be640b97cd43d937655b1f157c7d0c7df25011fef7c3ab7d8e556e6125b59b847fcdd89a4051796a797024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913864090201010381860004000000000000000000000000000000000000000000000a14517cc6b91f8000000000000000000000000000000000000000000000000000000000000000000000032c006b0f530bec5bed532357d436727699f0e3c5b9366f1a435be640b97cd43d937655b1f157c7d0c7df25011fef7c3ab7d8e556e6125b59b847fcdd89a4051796a797
 result = invalid
 shared = 00ebef6771455911ee573c183e990f7086650f9bafdb722c896751bd2c0f87959c78a39382d10fdfb46fd3515c8feb590943dd79778b13adbc7f670ba2a009753483
-# The modulus of the public key has been modified. The public point of the
-# public key has been chosen so that it is both a point on both the curve of the
-# modified public key and the private key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = ModifiedPrime,InvalidPublic,UnnamedCurve
 
 # tcId = 241
 # using secp224r1
@@ -1949,12 +1789,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004074f56dc2ea648ef89c3b72e23bbd2da36f60243e4d2067b70604af1c2165cec2f86603d60c8a611d5b84ba3d91dfe1a480825bcc4af3bcf
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 242
 # using secp256r1
@@ -1962,12 +1797,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d03010703420004cbf6606595a3ee50f9fceaa2798c2740c82540516b4e5a7d361ff24e9dd15364e5408b2e679f9d5310d1f6893b36ce16b4a507509175fcb52aea53b781556b39
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 243
 # using secp256k1
@@ -1975,12 +1805,7 @@
 public = 3056301006072a8648ce3d020106052b8104000a03420004a1263e75b87ae0937060ff1472f330ee55cdf8f4329d6284a9ebfbcc856c11684225e72cbebff41e54fb6f00e11afe53a17937bedbf2df787f8ef9584f775838
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 244
 # a = 0
@@ -1988,17 +1813,7 @@
 public = 308202033082017606072a8648ce3d020130820169020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3046040100044109a88e6f050cfefa0b49fac45689b6b93ad4fa3b65db7d2f4cb31b67fe056a100066dd80dc5f785d27f82e3369eb22ab2c5729a9e5d9906a1dc31e02f84026484a0481850400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409020101038186000400c2a43ac3742b09e006c2dfc9c36444d7e699f567a73f674ce257330b312dd7a8a04fbe92d1d9acbcc65f6184711ada5bf39f6e11e0cbde98f1640d099eb90dfce701802d7755c2fe3180848d4a70b170096ec64eba99b478ba7f6fc129b0566279b8e1ab7962fa912fc4ae53b5202a03520617843dc63e5cb5f956ec7f1453d0865fdf
 result = acceptable
 shared = 00fb8542487cbd45e609632f681db6b48fdabed9b97a2467a34205eadadad9dedb54a2a647d23dca68e929a2041888b091f4bb4023a0517be669a6c9f9c847ef89de
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 245
 # public key of order 3
@@ -2006,21 +1821,7 @@
 public = 30820245308201b806072a8648ce3d0201308201ab020101304d06072a8648ce3d0101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff308187044122cf9f56681fb138292f337d49937d24268b13b89617117fc35c880de0b3d4185ea9bef6e077a3bef09e0835c68dd301f5eafd873361149e8bdc295050f43c22f20442011f108b762c3e4b4945577057a910ca94481d69f8abc3239c36ad492af73bb8e81c8a8f9cf658165b32914a4a4fff8c3aec5982f734de122cf65610a139592496a70481850401c70f1e46f736e8ee0c78ec2253266bc62da9bbec44fe109321c9bab98a441b4a94840e85546e895f50d7331adc8a48275204ee12d6865597a521efcf01f4839d840000576bfe88eca0e48ab49df0e823e24a7d0b32b5b9ac1ac46819f4c51e801675e16872395c9eca3ffb5e2b7d4763d6858882b94b5bb6764c00e0b57891ee995cd1024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409020101038186000401c70f1e46f736e8ee0c78ec2253266bc62da9bbec44fe109321c9bab98a441b4a94840e85546e895f50d7331adc8a48275204ee12d6865597a521efcf01f4839d8401ffa8940177135f1b754b620f17dc1db582f4cd4a4653e53b97e60b3ae17fe98a1e978dc6a36135c004a1d482b89c297a777d46b4a44989b3ff1f4a876e1166a32e
 result = invalid
 shared = 
-# The vector contains a weak public key. The curve is not a named curve, the
-# public key point has order 3 and has been chosen to be on the same curve as
-# the private key. This test vector is used to check ECC implementations for
-# missing steps in the verification of the public key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WeakPublicKey,InvalidPublic,UnnamedCurve
 
 # tcId = 246
 # Public key uses wrong curve: secp224r1
@@ -2133,8 +1934,7 @@
 public = 3058301006072a8648ce3d020106052b810400230344000200429cb431c18f5f4e4e502f74214e6ac5ec2c3f86b830bac24de95feae142ca7d9aa8aa5b34f55af4b2848f2e6ba6df4c3ecd401a1d7b2a8287a332b202196fadbb
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 262
 # public key is a low order point on twist
@@ -2142,8 +1942,7 @@
 public = 3058301006072a8648ce3d020106052b81040023034400020108cbf3c9bf8e42135d87127556831076d84d5e549e645afda8a099249231b59b6c508dee4e91c9a543e90ebc82613f86cb1290e29102a0f2fdeb57bf4193fb4639
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 263
 # public key is a low order point on twist
@@ -2151,8 +1950,7 @@
 public = 3058301006072a8648ce3d020106052b8104002303440003011f2dca6b686e2141c11822e2d5439261583ce98cd6c4041c6d1be9e17dee33ea4a65c3e8cca6de50a30a39c788a585f1188bef0680a9c0264b3c8dcf494d0eb948
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 264
 # public key is a low order point on twist
@@ -2160,8 +1958,7 @@
 public = 3058301006072a8648ce3d020106052b8104002303440002011f2dca6b686e2141c11822e2d5439261583ce98cd6c4041c6d1be9e17dee33ea4a65c3e8cca6de50a30a39c788a585f1188bef0680a9c0264b3c8dcf494d0eb948
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 265
 # public key is a low order point on twist
@@ -2169,8 +1966,7 @@
 public = 3058301006072a8648ce3d020106052b81040023034400030108cbf3c9bf8e42135d87127556831076d84d5e549e645afda8a099249231b59b6c508dee4e91c9a543e90ebc82613f86cb1290e29102a0f2fdeb57bf4193fb4639
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 266
 # public key is a low order point on twist
@@ -2178,8 +1974,7 @@
 public = 3058301006072a8648ce3d020106052b81040023034400020009cc73141cf1843d2b2c95dc5cbc4d615c6da4814c1c7208615d8e78c7a8666aba1852faaa45a45d32bd0fde6ea78f262a96bf1e02949cea48c33c695103683048
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 267
 # public key is a low order point on twist
@@ -2187,8 +1982,7 @@
 public = 3058301006072a8648ce3d020106052b81040023034400030047b9cf28e04b38796858545d60d6133fbdc20ede086e5d95111c982b8c276628235e536c075637a97c0a6c30d02b83b19e578203473eea16dfdeaeccb1dc0d9b19
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 268
 # public key is a low order point on twist
@@ -2196,8 +1990,7 @@
 public = 3058301006072a8648ce3d020106052b810400230344000300c18410f5727ee0101a52ef95c0ac455cbc65bf9967f0a2c419aa0a291cabad569f2337e102d0a9128f4212dbf9fa9e5a8f14ca7f28e82977281facdd9ca7a92c78
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 269
 # public key is a low order point on twist
@@ -2205,8 +1998,7 @@
 public = 3058301006072a8648ce3d020106052b810400230344000200c18410f5727ee0101a52ef95c0ac455cbc65bf9967f0a2c419aa0a291cabad569f2337e102d0a9128f4212dbf9fa9e5a8f14ca7f28e82977281facdd9ca7a92c78
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 270
 # public key is a low order point on twist
@@ -2214,8 +2006,7 @@
 public = 3058301006072a8648ce3d020106052b81040023034400020047b9cf28e04b38796858545d60d6133fbdc20ede086e5d95111c982b8c276628235e536c075637a97c0a6c30d02b83b19e578203473eea16dfdeaeccb1dc0d9b19
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 271
 # public key is a low order point on twist
@@ -2223,8 +2014,7 @@
 public = 3058301006072a8648ce3d020106052b81040023034400030009cc73141cf1843d2b2c95dc5cbc4d615c6da4814c1c7208615d8e78c7a8666aba1852faaa45a45d32bd0fde6ea78f262a96bf1e02949cea48c33c695103683048
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 272
 # length of sequence contains leading 0
@@ -2232,9 +2022,7 @@
 public = 3082009b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 273
 # length of sequence contains leading 0
@@ -2242,9 +2030,7 @@
 public = 30819d3082001006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 274
 # wrong length of sequence
@@ -2252,9 +2038,7 @@
 public = 309c301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 275
 # wrong length of sequence
@@ -2262,9 +2046,7 @@
 public = 309a301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 276
 # wrong length of sequence
@@ -2272,9 +2054,7 @@
 public = 30819b301106072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 277
 # wrong length of sequence
@@ -2282,9 +2062,7 @@
 public = 30819b300f06072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 278
 # uint32 overflow in length of sequence
@@ -2292,9 +2070,7 @@
 public = 3085010000009b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 279
 # uint32 overflow in length of sequence
@@ -2302,9 +2078,7 @@
 public = 3081a03085010000001006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 280
 # uint64 overflow in length of sequence
@@ -2312,9 +2086,7 @@
 public = 308901000000000000009b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 281
 # uint64 overflow in length of sequence
@@ -2322,9 +2094,7 @@
 public = 3081a4308901000000000000001006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 282
 # length of sequence = 2**31 - 1
@@ -2332,9 +2102,7 @@
 public = 30847fffffff301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 283
 # length of sequence = 2**31 - 1
@@ -2342,9 +2110,7 @@
 public = 30819f30847fffffff06072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 284
 # length of sequence = 2**32 - 1
@@ -2352,9 +2118,7 @@
 public = 3084ffffffff301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 285
 # length of sequence = 2**32 - 1
@@ -2362,9 +2126,7 @@
 public = 30819f3084ffffffff06072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 286
 # length of sequence = 2**40 - 1
@@ -2372,9 +2134,7 @@
 public = 3085ffffffffff301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 287
 # length of sequence = 2**40 - 1
@@ -2382,9 +2142,7 @@
 public = 3081a03085ffffffffff06072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 288
 # length of sequence = 2**64 - 1
@@ -2392,9 +2150,7 @@
 public = 3088ffffffffffffffff301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 289
 # length of sequence = 2**64 - 1
@@ -2402,9 +2158,7 @@
 public = 3081a33088ffffffffffffffff06072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 290
 # incorrect length of sequence
@@ -2412,9 +2166,7 @@
 public = 30ff301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 291
 # incorrect length of sequence
@@ -2422,9 +2174,7 @@
 public = 30819b30ff06072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 292
 # indefinite length without termination
@@ -2432,9 +2182,7 @@
 public = 3080301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 293
 # indefinite length without termination
@@ -2442,9 +2190,7 @@
 public = 30819b308006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 294
 # indefinite length without termination
@@ -2452,9 +2198,7 @@
 public = 30819b301006802a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 295
 # indefinite length without termination
@@ -2462,9 +2206,7 @@
 public = 30819b301006072a8648ce3d020106802b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 296
 # indefinite length without termination
@@ -2472,9 +2214,7 @@
 public = 30819a301006072a8648ce3d020106052b8104002303800004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 297
 # removing sequence
@@ -2482,9 +2222,7 @@
 public = 
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 298
 # removing sequence
@@ -2492,9 +2230,7 @@
 public = 3081890381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 299
 # lonely sequence tag
@@ -2502,9 +2238,7 @@
 public = 30
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 300
 # lonely sequence tag
@@ -2512,9 +2246,7 @@
 public = 30818a300381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 301
 # appending 0's to sequence
@@ -2522,9 +2254,7 @@
 public = 30819d301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500000
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 302
 # appending 0's to sequence
@@ -2532,9 +2262,7 @@
 public = 30819d301206072a8648ce3d020106052b8104002300000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 303
 # prepending 0's to sequence
@@ -2542,9 +2270,7 @@
 public = 30819d0000301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 304
 # prepending 0's to sequence
@@ -2552,9 +2278,7 @@
 public = 30819d3012000006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 305
 # appending unused 0's to sequence
@@ -2562,9 +2286,7 @@
 public = 30819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500000
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 306
 # appending unused 0's to sequence
@@ -2572,9 +2294,7 @@
 public = 30819d301006072a8648ce3d020106052b8104002300000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 307
 # appending null value to sequence
@@ -2582,9 +2302,7 @@
 public = 30819d301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500500
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 308
 # appending null value to sequence
@@ -2592,9 +2310,7 @@
 public = 30819d301206072a8648ce3d020106052b8104002305000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 309
 # including garbage
@@ -2602,9 +2318,7 @@
 public = 3081a149817730819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 310
 # including garbage
@@ -2612,9 +2326,7 @@
 public = 3081a0250030819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 311
 # including garbage
@@ -2622,9 +2334,7 @@
 public = 30819e30819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500004deadbeef
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 312
 # including garbage
@@ -2632,9 +2342,7 @@
 public = 3081a03015498177301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 313
 # including garbage
@@ -2642,9 +2350,7 @@
 public = 30819f30142500301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 314
 # including garbage
@@ -2652,9 +2358,7 @@
 public = 3081a33012301006072a8648ce3d020106052b810400230004deadbeef0381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 315
 # including garbage
@@ -2662,9 +2366,7 @@
 public = 3081a03015260c49817706072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 316
 # including garbage
@@ -2672,9 +2374,7 @@
 public = 30819f3014260b250006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 317
 # including garbage
@@ -2682,9 +2382,7 @@
 public = 3081a33018260906072a8648ce3d02010004deadbeef06052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 318
 # including garbage
@@ -2692,9 +2390,7 @@
 public = 3081a0301506072a8648ce3d0201260a49817706052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 319
 # including garbage
@@ -2702,9 +2398,7 @@
 public = 30819f301406072a8648ce3d02012609250006052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 320
 # including garbage
@@ -2712,9 +2406,7 @@
 public = 3081a3301806072a8648ce3d0201260706052b810400230004deadbeef0381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 321
 # including garbage
@@ -2722,9 +2414,7 @@
 public = 3081a1301006072a8648ce3d020106052b8104002323818c4981770381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 322
 # including garbage
@@ -2732,9 +2422,7 @@
 public = 3081a0301006072a8648ce3d020106052b8104002323818b25000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 323
 # including garbage
@@ -2742,9 +2430,7 @@
 public = 3081a4301006072a8648ce3d020106052b810400232381890381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500004deadbeef
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 324
 # including undefined tags
@@ -2752,9 +2438,7 @@
 public = 3081a4aa00bb00cd0030819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 325
 # including undefined tags
@@ -2762,9 +2446,7 @@
 public = 3081a2aa02aabb30819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 326
 # including undefined tags
@@ -2772,9 +2454,7 @@
 public = 3081a33018aa00bb00cd00301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 327
 # including undefined tags
@@ -2782,9 +2462,7 @@
 public = 3081a13016aa02aabb301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 328
 # including undefined tags
@@ -2792,9 +2470,7 @@
 public = 3081a33018260faa00bb00cd0006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 329
 # including undefined tags
@@ -2802,9 +2478,7 @@
 public = 3081a13016260daa02aabb06072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 330
 # including undefined tags
@@ -2812,9 +2486,7 @@
 public = 3081a3301806072a8648ce3d0201260daa00bb00cd0006052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 331
 # including undefined tags
@@ -2822,9 +2494,7 @@
 public = 3081a1301606072a8648ce3d0201260baa02aabb06052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 332
 # including undefined tags
@@ -2832,9 +2502,7 @@
 public = 3081a4301006072a8648ce3d020106052b8104002323818faa00bb00cd000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 333
 # including undefined tags
@@ -2842,9 +2510,7 @@
 public = 3081a2301006072a8648ce3d020106052b8104002323818daa02aabb0381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 334
 # truncated length of sequence
@@ -2852,9 +2518,7 @@
 public = 3081
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 335
 # truncated length of sequence
@@ -2862,9 +2526,7 @@
 public = 30818b30810381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 336
 # Replacing sequence with NULL
@@ -2872,9 +2534,7 @@
 public = 0500
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 337
 # Replacing sequence with NULL
@@ -2882,9 +2542,7 @@
 public = 30818b05000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 338
 # changing tag value of sequence
@@ -2892,9 +2550,7 @@
 public = 2e819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 339
 # changing tag value of sequence
@@ -2902,9 +2558,7 @@
 public = 2f819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 340
 # changing tag value of sequence
@@ -2912,9 +2566,7 @@
 public = 31819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 341
 # changing tag value of sequence
@@ -2922,9 +2574,7 @@
 public = 32819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 342
 # changing tag value of sequence
@@ -2932,9 +2582,7 @@
 public = ff819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 343
 # changing tag value of sequence
@@ -2942,9 +2590,7 @@
 public = 30819b2e1006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 344
 # changing tag value of sequence
@@ -2952,9 +2598,7 @@
 public = 30819b2f1006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 345
 # changing tag value of sequence
@@ -2962,9 +2606,7 @@
 public = 30819b311006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 346
 # changing tag value of sequence
@@ -2972,9 +2614,7 @@
 public = 30819b321006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 347
 # changing tag value of sequence
@@ -2982,9 +2622,7 @@
 public = 30819bff1006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 348
 # dropping value of sequence
@@ -2992,9 +2630,7 @@
 public = 3000
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 349
 # dropping value of sequence
@@ -3002,9 +2638,7 @@
 public = 30818b30000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 350
 # truncated sequence
@@ -3012,9 +2646,7 @@
 public = 30819a301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 351
 # truncated sequence
@@ -3022,9 +2654,7 @@
 public = 30819a1006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 352
 # truncated sequence
@@ -3032,9 +2662,7 @@
 public = 30819a300f06072a8648ce3d020106052b8104000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 353
 # truncated sequence
@@ -3042,9 +2670,7 @@
 public = 30819a300f072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 354
 # indefinite length
@@ -3052,9 +2678,7 @@
 public = 3080301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500000
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 355
 # indefinite length
@@ -3062,9 +2686,7 @@
 public = 30819d308006072a8648ce3d020106052b8104002300000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 356
 # indefinite length with truncated delimiter
@@ -3072,9 +2694,7 @@
 public = 3080301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d5000
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 357
 # indefinite length with truncated delimiter
@@ -3082,9 +2702,7 @@
 public = 30819c308006072a8648ce3d020106052b81040023000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 358
 # indefinite length with additional element
@@ -3092,9 +2710,7 @@
 public = 3080301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d5005000000
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 359
 # indefinite length with additional element
@@ -3102,9 +2718,7 @@
 public = 30819f308006072a8648ce3d020106052b81040023050000000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 360
 # indefinite length with truncated element
@@ -3112,9 +2726,7 @@
 public = 3080301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50060811220000
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 361
 # indefinite length with truncated element
@@ -3122,9 +2734,7 @@
 public = 3081a1308006072a8648ce3d020106052b810400230608112200000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 362
 # indefinite length with garbage
@@ -3132,9 +2742,7 @@
 public = 3080301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500000fe02beef
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 363
 # indefinite length with garbage
@@ -3142,9 +2750,7 @@
 public = 3081a1308006072a8648ce3d020106052b810400230000fe02beef0381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 364
 # indefinite length with nonempty EOC
@@ -3152,9 +2758,7 @@
 public = 3080301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500002beef
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 365
 # indefinite length with nonempty EOC
@@ -3162,9 +2766,7 @@
 public = 30819f308006072a8648ce3d020106052b810400230002beef0381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 366
 # prepend empty sequence
@@ -3172,9 +2774,7 @@
 public = 30819d3000301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 367
 # prepend empty sequence
@@ -3182,9 +2782,7 @@
 public = 30819d3012300006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 368
 # append empty sequence
@@ -3192,9 +2790,7 @@
 public = 30819d301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d503000
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 369
 # append empty sequence
@@ -3202,9 +2798,7 @@
 public = 30819d301206072a8648ce3d020106052b8104002330000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 370
 # append garbage with high tag number
@@ -3212,9 +2806,7 @@
 public = 30819e301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50bf7f00
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 371
 # append garbage with high tag number
@@ -3222,9 +2814,7 @@
 public = 30819e301306072a8648ce3d020106052b81040023bf7f000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 372
 # sequence of sequence
@@ -3232,9 +2822,7 @@
 public = 30819e30819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 373
 # sequence of sequence
@@ -3242,9 +2830,7 @@
 public = 30819d3012301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 374
 # truncated sequence: removed last 1 elements
@@ -3252,9 +2838,7 @@
 public = 3012301006072a8648ce3d020106052b81040023
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 375
 # truncated sequence: removed last 1 elements
@@ -3262,9 +2846,7 @@
 public = 308194300906072a8648ce3d02010381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 376
 # repeating element in sequence
@@ -3272,9 +2854,7 @@
 public = 30820124301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 377
 # repeating element in sequence
@@ -3282,9 +2862,7 @@
 public = 3081a2301706072a8648ce3d020106052b8104002306052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 378
 # long form encoding of length of sequence
@@ -3292,9 +2870,7 @@
 public = 30819c30811006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 379
 # long form encoding of length of oid
@@ -3302,9 +2878,7 @@
 public = 30819c30110681072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 380
 # long form encoding of length of oid
@@ -3312,9 +2886,7 @@
 public = 30819c301106072a8648ce3d02010681052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 381
 # length of oid contains leading 0
@@ -3322,9 +2894,7 @@
 public = 30819d3012068200072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 382
 # length of oid contains leading 0
@@ -3332,9 +2902,7 @@
 public = 30819d301206072a8648ce3d0201068200052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 383
 # wrong length of oid
@@ -3342,9 +2910,7 @@
 public = 30819b301006082a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 384
 # wrong length of oid
@@ -3352,9 +2918,7 @@
 public = 30819b301006062a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 385
 # wrong length of oid
@@ -3362,9 +2926,7 @@
 public = 30819b301006072a8648ce3d020106062b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 386
 # wrong length of oid
@@ -3372,9 +2934,7 @@
 public = 30819b301006072a8648ce3d020106042b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 387
 # uint32 overflow in length of oid
@@ -3382,9 +2942,7 @@
 public = 3081a03015068501000000072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 388
 # uint32 overflow in length of oid
@@ -3392,9 +2950,7 @@
 public = 3081a0301506072a8648ce3d0201068501000000052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 389
 # uint64 overflow in length of oid
@@ -3402,9 +2958,7 @@
 public = 3081a4301906890100000000000000072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 390
 # uint64 overflow in length of oid
@@ -3412,9 +2966,7 @@
 public = 3081a4301906072a8648ce3d020106890100000000000000052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 391
 # length of oid = 2**31 - 1
@@ -3422,9 +2974,7 @@
 public = 30819f301406847fffffff2a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 392
 # length of oid = 2**31 - 1
@@ -3432,9 +2982,7 @@
 public = 30819f301406072a8648ce3d020106847fffffff2b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 393
 # length of oid = 2**32 - 1
@@ -3442,9 +2990,7 @@
 public = 30819f30140684ffffffff2a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 394
 # length of oid = 2**32 - 1
@@ -3452,9 +2998,7 @@
 public = 30819f301406072a8648ce3d02010684ffffffff2b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 395
 # length of oid = 2**40 - 1
@@ -3462,9 +3006,7 @@
 public = 3081a030150685ffffffffff2a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 396
 # length of oid = 2**40 - 1
@@ -3472,9 +3014,7 @@
 public = 3081a0301506072a8648ce3d02010685ffffffffff2b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 397
 # length of oid = 2**64 - 1
@@ -3482,9 +3022,7 @@
 public = 3081a330180688ffffffffffffffff2a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 398
 # length of oid = 2**64 - 1
@@ -3492,9 +3030,7 @@
 public = 3081a3301806072a8648ce3d02010688ffffffffffffffff2b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 399
 # incorrect length of oid
@@ -3502,9 +3038,7 @@
 public = 30819b301006ff2a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 400
 # incorrect length of oid
@@ -3512,9 +3046,7 @@
 public = 30819b301006072a8648ce3d020106ff2b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 401
 # removing oid
@@ -3522,9 +3054,7 @@
 public = 308192300706052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 402
 # lonely oid tag
@@ -3532,9 +3062,7 @@
 public = 30819330080606052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 403
 # lonely oid tag
@@ -3542,9 +3070,7 @@
 public = 308195300a06072a8648ce3d0201060381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 404
 # appending 0's to oid
@@ -3552,9 +3078,7 @@
 public = 30819d301206092a8648ce3d0201000006052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 405
 # appending 0's to oid
@@ -3562,9 +3086,7 @@
 public = 30819d301206072a8648ce3d020106072b8104002300000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 406
 # prepending 0's to oid
@@ -3572,9 +3094,7 @@
 public = 30819d3012060900002a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 407
 # prepending 0's to oid
@@ -3582,9 +3102,7 @@
 public = 30819d301206072a8648ce3d0201060700002b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 408
 # appending unused 0's to oid
@@ -3592,9 +3110,7 @@
 public = 30819d301206072a8648ce3d0201000006052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 409
 # appending null value to oid
@@ -3602,9 +3118,7 @@
 public = 30819d301206092a8648ce3d0201050006052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 410
 # appending null value to oid
@@ -3612,9 +3126,7 @@
 public = 30819d301206072a8648ce3d020106072b8104002305000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 411
 # truncated length of oid
@@ -3622,9 +3134,7 @@
 public = 3081943009068106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 412
 # truncated length of oid
@@ -3632,9 +3142,7 @@
 public = 308196300b06072a8648ce3d020106810381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 413
 # Replacing oid with NULL
@@ -3642,9 +3150,7 @@
 public = 3081943009050006052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 414
 # Replacing oid with NULL
@@ -3652,9 +3158,7 @@
 public = 308196300b06072a8648ce3d020105000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 415
 # changing tag value of oid
@@ -3662,9 +3166,7 @@
 public = 30819b301004072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 416
 # changing tag value of oid
@@ -3672,9 +3174,7 @@
 public = 30819b301005072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 417
 # changing tag value of oid
@@ -3682,9 +3182,7 @@
 public = 30819b301007072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 418
 # changing tag value of oid
@@ -3692,9 +3190,7 @@
 public = 30819b301008072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 419
 # changing tag value of oid
@@ -3702,9 +3198,7 @@
 public = 30819b3010ff072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 420
 # changing tag value of oid
@@ -3712,9 +3206,7 @@
 public = 30819b301006072a8648ce3d020104052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 421
 # changing tag value of oid
@@ -3722,9 +3214,7 @@
 public = 30819b301006072a8648ce3d020105052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 422
 # changing tag value of oid
@@ -3732,9 +3222,7 @@
 public = 30819b301006072a8648ce3d020107052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 423
 # changing tag value of oid
@@ -3742,9 +3230,7 @@
 public = 30819b301006072a8648ce3d020108052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 424
 # changing tag value of oid
@@ -3752,9 +3238,7 @@
 public = 30819b301006072a8648ce3d0201ff052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 425
 # dropping value of oid
@@ -3762,9 +3246,7 @@
 public = 3081943009060006052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 426
 # dropping value of oid
@@ -3772,9 +3254,7 @@
 public = 308196300b06072a8648ce3d020106000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 427
 # modify first byte of oid
@@ -3782,9 +3262,7 @@
 public = 30819b30100607288648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 428
 # modify first byte of oid
@@ -3792,9 +3270,7 @@
 public = 30819b301006072a8648ce3d0201060529810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 429
 # modify last byte of oid
@@ -3802,9 +3278,7 @@
 public = 30819b301006072a8648ce3d028106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 430
 # modify last byte of oid
@@ -3812,9 +3286,7 @@
 public = 30819b301006072a8648ce3d020106052b810400a30381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 431
 # truncated oid
@@ -3822,9 +3294,7 @@
 public = 30819a300f06062a8648ce3d0206052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 432
 # truncated oid
@@ -3832,9 +3302,7 @@
 public = 30819a300f06068648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 433
 # truncated oid
@@ -3842,9 +3310,7 @@
 public = 30819a300f06072a8648ce3d020106042b8104000381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 434
 # truncated oid
@@ -3852,9 +3318,7 @@
 public = 30819a300f06072a8648ce3d02010604810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 435
 # wrong oid
@@ -3862,9 +3326,7 @@
 public = 308199300e06052b0e03021a06052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 436
 # wrong oid
@@ -3872,9 +3334,7 @@
 public = 30819d3012060960864801650304020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 437
 # wrong oid
@@ -3882,9 +3342,7 @@
 public = 30819b301006072a8648ce3d020106052b0e03021a0381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 438
 # wrong oid
@@ -3892,9 +3350,7 @@
 public = 30819f301406072a8648ce3d020106096086480165030402010381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 439
 # longer oid
@@ -3902,9 +3358,7 @@
 public = 30819c301106082a8648ce3d02010106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 440
 # longer oid
@@ -3912,9 +3366,7 @@
 public = 30819c301106072a8648ce3d020106062b81040023010381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 441
 # oid with modified node
@@ -3922,9 +3374,7 @@
 public = 30819b301006072a8648ce3d021106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 442
 # oid with modified node
@@ -3932,9 +3382,7 @@
 public = 30819f3014060b2a8648ce3d02888080800106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 443
 # oid with modified node
@@ -3942,9 +3390,7 @@
 public = 30819b301006072a8648ce3d020106052b810400330381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 444
 # oid with modified node
@@ -3952,9 +3398,7 @@
 public = 30819f301406072a8648ce3d020106092b81040088808080230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 445
 # large integer in oid
@@ -3962,9 +3406,7 @@
 public = 3081a4301906102a8648ce3d028280808080808080800106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 446
 # large integer in oid
@@ -3972,9 +3414,7 @@
 public = 3081a4301906072a8648ce3d0201060e2b810400828080808080808080230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 447
 # oid with invalid node
@@ -3982,9 +3422,7 @@
 public = 30819c301106082a8648ce3d0201e006052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 448
 # oid with invalid node
@@ -3992,9 +3430,7 @@
 public = 30819c301106082a808648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 449
 # oid with invalid node
@@ -4002,9 +3438,7 @@
 public = 30819c301106072a8648ce3d020106062b81040023e00381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 450
 # oid with invalid node
@@ -4012,9 +3446,7 @@
 public = 30819c301106072a8648ce3d020106062b80810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 451
 # length of bit string contains leading 0
@@ -4022,9 +3454,7 @@
 public = 30819c301006072a8648ce3d020106052b81040023038200860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 452
 # wrong length of bit string
@@ -4032,9 +3462,7 @@
 public = 30819a301006072a8648ce3d020106052b8104002303870004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 453
 # wrong length of bit string
@@ -4042,9 +3470,7 @@
 public = 30819a301006072a8648ce3d020106052b8104002303850004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 454
 # uint32 overflow in length of bit string
@@ -4052,9 +3478,7 @@
 public = 30819f301006072a8648ce3d020106052b81040023038501000000860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 455
 # uint64 overflow in length of bit string
@@ -4062,9 +3486,7 @@
 public = 3081a3301006072a8648ce3d020106052b8104002303890100000000000000860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 456
 # length of bit string = 2**31 - 1
@@ -4072,9 +3494,7 @@
 public = 30819e301006072a8648ce3d020106052b8104002303847fffffff0004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 457
 # length of bit string = 2**32 - 1
@@ -4082,9 +3502,7 @@
 public = 30819e301006072a8648ce3d020106052b810400230384ffffffff0004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 458
 # length of bit string = 2**40 - 1
@@ -4092,9 +3510,7 @@
 public = 30819f301006072a8648ce3d020106052b810400230385ffffffffff0004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 459
 # length of bit string = 2**64 - 1
@@ -4102,9 +3518,7 @@
 public = 3081a2301006072a8648ce3d020106052b810400230388ffffffffffffffff0004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 460
 # incorrect length of bit string
@@ -4112,9 +3526,7 @@
 public = 30819a301006072a8648ce3d020106052b8104002303ff0004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 461
 # lonely bit string tag
@@ -4122,9 +3534,7 @@
 public = 3013301006072a8648ce3d020106052b8104002303
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 462
 # appending 0's to bit string
@@ -4132,9 +3542,7 @@
 public = 30819d301006072a8648ce3d020106052b810400230381880004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500000
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 463
 # prepending 0's to bit string
@@ -4142,9 +3550,7 @@
 public = 30819d301006072a8648ce3d020106052b8104002303818800000004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 464
 # appending null value to bit string
@@ -4152,9 +3558,7 @@
 public = 30819d301006072a8648ce3d020106052b810400230381880004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d500500
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 465
 # truncated length of bit string
@@ -4162,9 +3566,7 @@
 public = 3014301006072a8648ce3d020106052b810400230381
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 466
 # Replacing bit string with NULL
@@ -4172,9 +3574,7 @@
 public = 3014301006072a8648ce3d020106052b810400230500
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 467
 # changing tag value of bit string
@@ -4182,9 +3582,7 @@
 public = 30819b301006072a8648ce3d020106052b810400230181860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 468
 # changing tag value of bit string
@@ -4192,9 +3590,7 @@
 public = 30819b301006072a8648ce3d020106052b810400230281860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 469
 # changing tag value of bit string
@@ -4202,9 +3598,7 @@
 public = 30819b301006072a8648ce3d020106052b810400230481860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 470
 # changing tag value of bit string
@@ -4212,9 +3606,7 @@
 public = 30819b301006072a8648ce3d020106052b810400230581860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 471
 # changing tag value of bit string
@@ -4222,9 +3614,7 @@
 public = 30819b301006072a8648ce3d020106052b81040023ff81860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 472
 # dropping value of bit string
@@ -4232,9 +3622,7 @@
 public = 3014301006072a8648ce3d020106052b810400230300
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 473
 # modify first byte of bit string
@@ -4242,9 +3630,7 @@
 public = 30819b301006072a8648ce3d020106052b810400230381860204017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 474
 # modify last byte of bit string
@@ -4252,9 +3638,7 @@
 public = 30819b301006072a8648ce3d020106052b810400230381860004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32dd0
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 475
 # truncated bit string
@@ -4262,9 +3646,7 @@
 public = 30819a301006072a8648ce3d020106052b810400230381850004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 476
 # truncated bit string
@@ -4272,9 +3654,7 @@
 public = 30819a301006072a8648ce3d020106052b8104002303818504017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 477
 # declaring bits as unused in bit string
@@ -4282,9 +3662,7 @@
 public = 30819b301006072a8648ce3d020106052b810400230381860104017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 478
 # unused bits in bit string
@@ -4292,9 +3670,7 @@
 public = 30819f301006072a8648ce3d020106052b8104002303818a2004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d5001020304
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 479
 # unused bits in empty bit-string
@@ -4302,9 +3678,7 @@
 public = 3015301006072a8648ce3d020106052b81040023030103
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 480
 # 128 unused bits
@@ -4312,7 +3686,5 @@
 public = 30819b301006072a8648ce3d020106052b810400230381868004017ee16985c3678234d272913682a7c122b35c1c5011d1933bb7b08c8b883afcf469453079e2ef02a724a6ddbe25ee3b2e63007dd2838c5bb00fa1ff8fd18cf81eaa01116ce049d63f22f71c7d11c0acd67cacd1b4ea0125bd48e872dc5cc9fc4073b7c844c4b42223483b4aa8402b198d981dc8b7aba048749b4a0496e2537d3cc32d50
 result = acceptable
 shared = 00d397252813d37329b9e277823e2dfccdd1ee519f0c32ccbb3f5fc62062e8c07dbf3fb86085736115b70f86f44ad852f3488ecbb5e7ec31e961e869b40b6add05f5
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
diff --git a/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha224_test.txt b/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha224_test.txt
index da1db0a..6741e06 100644
--- a/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha224_test.txt
+++ b/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha224_test.txt
@@ -24,10 +24,7 @@
 msg = 313233343030
 result = acceptable
 sig = 303c021c70049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a021cd7bf40db0909941d78f9948340c69e14c5417f8c840b7edb35846361
-# Some implementations of ECDSA and DSA incorrectly encode r and s by not
-# including leading zeros in the ASN encoding of integers when necessary. Hence,
-# some implementations (e.g. jdk) allow signatures with incorrect ASN encodings
-# assuming that the signature is otherwise valid.
+flags = MissingZero
 
 # tcId = 3
 # valid
@@ -40,18 +37,14 @@
 msg = 313233343030
 result = invalid
 sig = 30813d021c70049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a021d00d7bf40db0909941d78f9948340c69e14c5417f8c840b7edb35846361
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 5
 # length of sequence contains leading 0
 msg = 313233343030
 result = invalid
 sig = 3082003d021c70049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a021d00d7bf40db0909941d78f9948340c69e14c5417f8c840b7edb35846361
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 6
 # wrong length of sequence
@@ -358,9 +351,7 @@
 msg = 313233343030
 result = invalid
 sig = 3080021c70049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a021d00d7bf40db0909941d78f9948340c69e14c5417f8c840b7edb358463610000
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 57
 # indefinite length with truncated delimiter
@@ -433,36 +424,28 @@
 msg = 313233343030
 result = invalid
 sig = 303e02811c70049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a021d00d7bf40db0909941d78f9948340c69e14c5417f8c840b7edb35846361
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 69
 # long form encoding of length of integer
 msg = 313233343030
 result = invalid
 sig = 303e021c70049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a02811d00d7bf40db0909941d78f9948340c69e14c5417f8c840b7edb35846361
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 70
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 303f0282001c70049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a021d00d7bf40db0909941d78f9948340c69e14c5417f8c840b7edb35846361
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 71
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 303f021c70049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a0282001d00d7bf40db0909941d78f9948340c69e14c5417f8c840b7edb35846361
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 72
 # wrong length of integer
@@ -607,18 +590,14 @@
 msg = 313233343030
 result = invalid
 sig = 303f021e000070049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a021d00d7bf40db0909941d78f9948340c69e14c5417f8c840b7edb35846361
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 96
 # prepending 0's to integer
 msg = 313233343030
 result = invalid
 sig = 303f021c70049af31f8348673d56cece2b27e587a402f2a48f0b21a7911a480a021f000000d7bf40db0909941d78f9948340c69e14c5417f8c840b7edb35846361
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 97
 # appending unused 0's to integer
@@ -907,640 +886,560 @@
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 145
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 146
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 147
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 148
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 149
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 150
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 151
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 152
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 153
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 154
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 155
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 156
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 157
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 158
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 159
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 160
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 161
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 162
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 163
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 164
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 165
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 166
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 167
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 168
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 169
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 170
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 171
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 172
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 173
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 174
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 175
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 176
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 177
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 178
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 179
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 180
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 181
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 182
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 183
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 184
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 185
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 186
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 187
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 188
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 189
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 190
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 191
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 192
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 193
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 194
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 195
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 196
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 197
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 198
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 199
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 200
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 201
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 202
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 203
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 204
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000001020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 205
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000001020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 206
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff0000000000000000000000010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 207
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 208
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 209
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 210
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 211
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 212
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffffffff000000000000000000000001090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 213
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000001090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 214
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000002020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 215
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000002020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 216
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff0000000000000000000000020201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 217
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 218
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 219
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 220
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 221
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 222
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffffffff000000000000000000000002090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 223
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000002090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 224
 # Signature encoding contains wrong types.
@@ -2432,9 +2331,7 @@
 msg = 313233343030
 result = valid
 sig = 303d021d00c44503dae85dd5210780f02928b3d927171c578f8603d16b240663c7021c1ef359e4bd146f63d8155c5c2523fa3353c9820f84f28150bad3819a
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp224r1]
 [key.keySize = 224]
@@ -2450,9 +2347,7 @@
 msg = 313233343030
 result = invalid
 sig = 303d021d00c44503dae85dd5210780f02928b3d927171c578f8603d16b240663c7021c1ef359e4bd146f63d8155c5c2523fa3353c9820f84f28150bad3819a
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp224r1]
 [key.keySize = 224]
diff --git a/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha256_test.txt b/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha256_test.txt
index 4d1e613..e652c20 100644
--- a/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha256_test.txt
+++ b/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha256_test.txt
@@ -30,18 +30,14 @@
 msg = 313233343030
 result = invalid
 sig = 30813c021c3ade5c0624a5677ed7b6450d9420bbe028d499c23be9ef9d8b8a8a04021c617d6af141efd0c800c9ba3382c2faf758540a5dd98d1756a1dad981
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 4
 # length of sequence contains leading 0
 msg = 313233343030
 result = invalid
 sig = 3082003c021c3ade5c0624a5677ed7b6450d9420bbe028d499c23be9ef9d8b8a8a04021c617d6af141efd0c800c9ba3382c2faf758540a5dd98d1756a1dad981
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 5
 # wrong length of sequence
@@ -348,9 +344,7 @@
 msg = 313233343030
 result = invalid
 sig = 3080021c3ade5c0624a5677ed7b6450d9420bbe028d499c23be9ef9d8b8a8a04021c617d6af141efd0c800c9ba3382c2faf758540a5dd98d1756a1dad9810000
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 56
 # indefinite length with truncated delimiter
@@ -423,36 +417,28 @@
 msg = 313233343030
 result = invalid
 sig = 303d02811c3ade5c0624a5677ed7b6450d9420bbe028d499c23be9ef9d8b8a8a04021c617d6af141efd0c800c9ba3382c2faf758540a5dd98d1756a1dad981
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 68
 # long form encoding of length of integer
 msg = 313233343030
 result = invalid
 sig = 303d021c3ade5c0624a5677ed7b6450d9420bbe028d499c23be9ef9d8b8a8a0402811c617d6af141efd0c800c9ba3382c2faf758540a5dd98d1756a1dad981
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 69
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 303e0282001c3ade5c0624a5677ed7b6450d9420bbe028d499c23be9ef9d8b8a8a04021c617d6af141efd0c800c9ba3382c2faf758540a5dd98d1756a1dad981
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 70
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 303e021c3ade5c0624a5677ed7b6450d9420bbe028d499c23be9ef9d8b8a8a040282001c617d6af141efd0c800c9ba3382c2faf758540a5dd98d1756a1dad981
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 71
 # wrong length of integer
@@ -597,18 +583,14 @@
 msg = 313233343030
 result = invalid
 sig = 303e021e00003ade5c0624a5677ed7b6450d9420bbe028d499c23be9ef9d8b8a8a04021c617d6af141efd0c800c9ba3382c2faf758540a5dd98d1756a1dad981
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 95
 # prepending 0's to integer
 msg = 313233343030
 result = invalid
 sig = 303e021c3ade5c0624a5677ed7b6450d9420bbe028d499c23be9ef9d8b8a8a04021e0000617d6af141efd0c800c9ba3382c2faf758540a5dd98d1756a1dad981
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 96
 # appending unused 0's to integer
@@ -903,640 +885,560 @@
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 145
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 146
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 147
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 148
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 149
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 150
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 151
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 152
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 153
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 154
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 155
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 156
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 157
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 158
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 159
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 160
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 161
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 162
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 163
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 164
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 165
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 166
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 167
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 168
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 169
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 170
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 171
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 172
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 173
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 174
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 175
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 176
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 177
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 178
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 179
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 180
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 181
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 182
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 183
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 184
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 185
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 186
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 187
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 188
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 189
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 190
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 191
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 192
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 193
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 194
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 195
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 196
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 197
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 198
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 199
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 200
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 201
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 202
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 203
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 204
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000001020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 205
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000001020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 206
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff0000000000000000000000010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 207
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 208
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 209
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 210
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 211
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 212
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffffffff000000000000000000000001090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 213
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000001090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 214
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000002020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 215
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000002020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 216
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff0000000000000000000000020201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 217
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 218
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 219
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 220
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 221
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 222
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffffffff000000000000000000000002090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 223
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000002090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 224
 # Signature encoding contains wrong types.
@@ -2602,9 +2504,7 @@
 msg = 313233343030
 result = valid
 sig = 303d021d00c44503dae85dd5210780f02928b3d927171c578f8603d16b240663c7021c3f552f1c2b01651edf5902650fe9ab046f71999ac928edc0087bdb13
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp224r1]
 [key.keySize = 224]
@@ -2620,9 +2520,7 @@
 msg = 313233343030
 result = invalid
 sig = 303d021d00c44503dae85dd5210780f02928b3d927171c578f8603d16b240663c7021c3f552f1c2b01651edf5902650fe9ab046f71999ac928edc0087bdb13
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp224r1]
 [key.keySize = 224]
diff --git a/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha512_test.txt b/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha512_test.txt
index 30af541..839815f 100644
--- a/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha512_test.txt
+++ b/third_party/wycheproof_testvectors/ecdsa_secp224r1_sha512_test.txt
@@ -24,10 +24,7 @@
 msg = 313233343030
 result = acceptable
 sig = 303c021c691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab021cc6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e
-# Some implementations of ECDSA and DSA incorrectly encode r and s by not
-# including leading zeros in the ASN encoding of integers when necessary. Hence,
-# some implementations (e.g. jdk) allow signatures with incorrect ASN encodings
-# assuming that the signature is otherwise valid.
+flags = MissingZero
 
 # tcId = 3
 # valid
@@ -40,18 +37,14 @@
 msg = 313233343030
 result = invalid
 sig = 30813d021c691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab021d00c6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 5
 # length of sequence contains leading 0
 msg = 313233343030
 result = invalid
 sig = 3082003d021c691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab021d00c6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 6
 # wrong length of sequence
@@ -358,9 +351,7 @@
 msg = 313233343030
 result = invalid
 sig = 3080021c691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab021d00c6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e0000
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 57
 # indefinite length with truncated delimiter
@@ -433,36 +424,28 @@
 msg = 313233343030
 result = invalid
 sig = 303e02811c691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab021d00c6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 69
 # long form encoding of length of integer
 msg = 313233343030
 result = invalid
 sig = 303e021c691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab02811d00c6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 70
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 303f0282001c691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab021d00c6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 71
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 303f021c691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab0282001d00c6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 72
 # wrong length of integer
@@ -607,18 +590,14 @@
 msg = 313233343030
 result = invalid
 sig = 303f021e0000691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab021d00c6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 96
 # prepending 0's to integer
 msg = 313233343030
 result = invalid
 sig = 303f021c691c723dd6a7f5d11b8c8e8bd0825c9fab0b99ee2b25f3658fdf92ab021f000000c6b899049859a01f5093eab08341ee443f383b77fed04e4a614cbb2e
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 97
 # appending unused 0's to integer
@@ -907,640 +886,560 @@
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 145
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 146
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 147
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 148
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 149
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 150
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 151
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020100021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 152
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 153
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 154
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 155
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 156
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 157
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 158
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 159
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 160
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 161
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022020101021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 162
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 163
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 164
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 165
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 166
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 167
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 168
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 169
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 170
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 171
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30220201ff021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 172
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 173
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 174
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 175
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 176
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 177
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 178
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 179
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 180
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 181
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 182
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 183
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 184
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 185
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 186
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 187
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 188
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 189
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 190
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 191
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 192
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 193
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 194
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 195
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 196
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 197
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 198
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 199
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 200
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 201
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 202
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 203
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 204
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000001020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 205
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000001020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 206
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff0000000000000000000000010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 207
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 208
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 209
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 210
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 211
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000001021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 212
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffffffff000000000000000000000001090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 213
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000001090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 214
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000002020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 215
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000002020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 216
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff0000000000000000000000020201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 217
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 218
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 219
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3e
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 220
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffffffff000000000000000000000001
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 221
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 303e021d00ffffffffffffffffffffffffffffffff000000000000000000000002021d00ffffffffffffffffffffffffffffffff000000000000000000000002
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 222
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3024021d00ffffffffffffffffffffffffffffffff000000000000000000000002090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 223
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3022021d00ffffffffffffffffffffffffffffffff000000000000000000000002090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 224
 # Signature encoding contains wrong types.
@@ -3020,9 +2919,7 @@
 msg = 313233343030
 result = valid
 sig = 303e021d00c44503dae85dd5210780f02928b3d927171c578f8603d16b240663c7021d00ec0ce3fa725c1027475a5f5bf4ee980de61c3b4875afe8b654b24ee2
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp224r1]
 [key.keySize = 224]
@@ -3038,9 +2935,7 @@
 msg = 313233343030
 result = invalid
 sig = 303e021d00c44503dae85dd5210780f02928b3d927171c578f8603d16b240663c7021d00ec0ce3fa725c1027475a5f5bf4ee980de61c3b4875afe8b654b24ee2
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp224r1]
 [key.keySize = 224]
diff --git a/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha256_test.txt b/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha256_test.txt
index 8a1a333..01c0caa 100644
--- a/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha256_test.txt
+++ b/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha256_test.txt
@@ -24,10 +24,7 @@
 msg = 313233343030
 result = acceptable
 sig = 304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180220b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db
-# Some implementations of ECDSA and DSA incorrectly encode r and s by not
-# including leading zeros in the ASN encoding of integers when necessary. Hence,
-# some implementations (e.g. jdk) allow signatures with incorrect ASN encodings
-# assuming that the signature is otherwise valid.
+flags = MissingZero
 
 # tcId = 3
 # valid
@@ -40,18 +37,14 @@
 msg = 313233343030
 result = invalid
 sig = 30814502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 5
 # length of sequence contains leading 0
 msg = 313233343030
 result = invalid
 sig = 3082004502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 6
 # wrong length of sequence
@@ -358,9 +351,7 @@
 msg = 313233343030
 result = invalid
 sig = 308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 57
 # indefinite length with truncated delimiter
@@ -433,36 +424,28 @@
 msg = 313233343030
 result = invalid
 sig = 30460281202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 69
 # long form encoding of length of integer
 msg = 313233343030
 result = invalid
 sig = 304602202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802812100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 70
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 3047028200202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 71
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180282002100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 72
 # wrong length of integer
@@ -607,18 +590,14 @@
 msg = 313233343030
 result = invalid
 sig = 3047022200002ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 96
 # prepending 0's to integer
 msg = 313233343030
 result = invalid
 sig = 304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180223000000b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 97
 # appending unused 0's to integer
@@ -907,640 +886,560 @@
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 145
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 146
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 147
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 148
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 149
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 150
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 151
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 152
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 153
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 154
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 155
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 156
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 157
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 158
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 159
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 160
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 161
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 162
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 163
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 164
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 165
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 166
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 167
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 168
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 169
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 170
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 171
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 172
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 173
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 174
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 175
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 176
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325510201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 177
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 178
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 179
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 180
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 181
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 182
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 183
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 184
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 185
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 186
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325500201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 187
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 188
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 189
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 190
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 191
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 192
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 193
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 194
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 195
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 196
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325520201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 197
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 198
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 199
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 200
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 201
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 202
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 203
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 204
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 205
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 206
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 207
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 208
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 209
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 210
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 211
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 212
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 213
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 214
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000001000000000000000000000000020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 215
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000001000000000000000000000000020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 216
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff000000010000000000000000000000010000000000000000000000000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 217
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 218
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 219
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 220
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 221
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 222
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000001000000000000000000000001000000000000000000000000090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 223
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000001000000000000000000000000090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 224
 # Signature encoding contains wrong types.
@@ -2705,9 +2604,7 @@
 msg = 313233343030
 result = valid
 sig = 304502206f2347cab7dd76858fe0555ac3bc99048c4aacafdfb6bcbe05ea6c42c4934569022100bb726660235793aa9957a61e76e00c2c435109cf9a15dd624d53f4301047856b
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp256r1]
 [key.keySize = 256]
@@ -2723,9 +2620,7 @@
 msg = 313233343030
 result = invalid
 sig = 304502206f2347cab7dd76858fe0555ac3bc99048c4aacafdfb6bcbe05ea6c42c4934569022100bb726660235793aa9957a61e76e00c2c435109cf9a15dd624d53f4301047856b
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp256r1]
 [key.keySize = 256]
diff --git a/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha512_test.txt b/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha512_test.txt
index 10c3735..0c6efb8 100644
--- a/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha512_test.txt
+++ b/third_party/wycheproof_testvectors/ecdsa_secp256r1_sha512_test.txt
@@ -24,10 +24,7 @@
 msg = 313233343030
 result = acceptable
 sig = 304402202478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c00220a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb2
-# Some implementations of ECDSA and DSA incorrectly encode r and s by not
-# including leading zeros in the ASN encoding of integers when necessary. Hence,
-# some implementations (e.g. jdk) allow signatures with incorrect ASN encodings
-# assuming that the signature is otherwise valid.
+flags = MissingZero
 
 # tcId = 3
 # valid
@@ -40,18 +37,14 @@
 msg = 313233343030
 result = invalid
 sig = 30814502202478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c0022100a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb2
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 5
 # length of sequence contains leading 0
 msg = 313233343030
 result = invalid
 sig = 3082004502202478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c0022100a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb2
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 6
 # wrong length of sequence
@@ -358,9 +351,7 @@
 msg = 313233343030
 result = invalid
 sig = 308002202478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c0022100a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb20000
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 57
 # indefinite length with truncated delimiter
@@ -433,36 +424,28 @@
 msg = 313233343030
 result = invalid
 sig = 30460281202478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c0022100a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb2
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 69
 # long form encoding of length of integer
 msg = 313233343030
 result = invalid
 sig = 304602202478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c002812100a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb2
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 70
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 3047028200202478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c0022100a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb2
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 71
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 304702202478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c00282002100a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb2
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 72
 # wrong length of integer
@@ -607,18 +590,14 @@
 msg = 313233343030
 result = invalid
 sig = 3047022200002478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c0022100a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb2
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 96
 # prepending 0's to integer
 msg = 313233343030
 result = invalid
 sig = 304702202478f1d049f6d857ac900a7af1772226a4c59b345fbb90613c66f42b98f981c00223000000a07a59c4a41688538eb315e94effca0f4039035c6c2ed1dc84841359d1b34eb2
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 97
 # appending unused 0's to integer
@@ -907,640 +886,560 @@
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 145
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 146
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 147
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 148
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 149
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 150
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 151
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020100022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 152
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 153
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 154
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 155
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 156
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 157
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 158
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 159
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 160
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 161
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026020101022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 162
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 163
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 164
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 165
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 166
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 167
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 168
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 169
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 170
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 171
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30260201ff022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 172
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 173
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 174
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 175
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 176
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325510201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 177
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 178
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 179
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 180
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 181
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 182
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 183
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 184
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 185
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 186
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325500201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 187
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 188
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 189
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 190
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 191
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 192
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 193
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 194
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 195
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 196
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325520201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 197
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 198
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 199
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 200
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 201
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 202
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 203
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 204
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 205
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 206
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 207
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 208
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 209
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 210
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 211
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 212
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 213
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 214
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000001000000000000000000000000020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 215
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000001000000000000000000000000020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 216
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff000000010000000000000000000000010000000000000000000000000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 217
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 218
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 219
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 220
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 221
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000001000000000000000000000001000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 222
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3028022100ffffffff00000001000000000000000000000001000000000000000000000000090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 223
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3026022100ffffffff00000001000000000000000000000001000000000000000000000000090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 224
 # Signature encoding contains wrong types.
@@ -3125,9 +3024,7 @@
 msg = 313233343030
 result = valid
 sig = 304502206f2347cab7dd76858fe0555ac3bc99048c4aacafdfb6bcbe05ea6c42c4934569022100b4cfa1996ec1d24cdbc8fa17fcabc3a5d4b2b36cf4b50a7b775ab78785710746
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp256r1]
 [key.keySize = 256]
@@ -3143,9 +3040,7 @@
 msg = 313233343030
 result = invalid
 sig = 304502206f2347cab7dd76858fe0555ac3bc99048c4aacafdfb6bcbe05ea6c42c4934569022100b4cfa1996ec1d24cdbc8fa17fcabc3a5d4b2b36cf4b50a7b775ab78785710746
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp256r1]
 [key.keySize = 256]
diff --git a/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha384_test.txt b/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha384_test.txt
index f110c79..6a94399 100644
--- a/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha384_test.txt
+++ b/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha384_test.txt
@@ -24,10 +24,7 @@
 msg = 313233343030
 result = acceptable
 sig = 3064023012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d70230e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f82
-# Some implementations of ECDSA and DSA incorrectly encode r and s by not
-# including leading zeros in the ASN encoding of integers when necessary. Hence,
-# some implementations (e.g. jdk) allow signatures with incorrect ASN encodings
-# assuming that the signature is otherwise valid.
+flags = MissingZero
 
 # tcId = 3
 # valid
@@ -40,18 +37,14 @@
 msg = 313233343030
 result = invalid
 sig = 308165023012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d7023100e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f82
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 5
 # length of sequence contains leading 0
 msg = 313233343030
 result = invalid
 sig = 30820065023012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d7023100e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f82
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 6
 # wrong length of sequence
@@ -358,9 +351,7 @@
 msg = 313233343030
 result = invalid
 sig = 3080023012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d7023100e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f820000
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 57
 # indefinite length with truncated delimiter
@@ -433,36 +424,28 @@
 msg = 313233343030
 result = invalid
 sig = 306602813012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d7023100e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f82
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 69
 # long form encoding of length of integer
 msg = 313233343030
 result = invalid
 sig = 3066023012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d702813100e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f82
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 70
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 30670282003012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d7023100e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f82
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 71
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 3067023012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d70282003100e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f82
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 72
 # wrong length of integer
@@ -607,18 +590,14 @@
 msg = 313233343030
 result = invalid
 sig = 30670232000012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d7023100e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f82
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 96
 # prepending 0's to integer
 msg = 313233343030
 result = invalid
 sig = 3067023012b30abef6b5476fe6b612ae557c0425661e26b44b1bfe19daf2ca28e3113083ba8e4ae4cc45a0320abd3394f1c548d70233000000e7bf25603e2d07076ff30b7a2abec473da8b11c572b35fc631991d5de62ddca7525aaba89325dfd04fecc47bff426f82
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 97
 # appending unused 0's to integer
@@ -907,640 +886,560 @@
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 145
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 146
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 147
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 148
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 149
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 150
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 151
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 152
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 153
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 154
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 155
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 156
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 157
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 158
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 159
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 160
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 161
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 162
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 163
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 164
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 165
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 166
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 167
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 168
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 169
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 170
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 171
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 172
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 173
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 174
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 175
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 176
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529730201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 177
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 178
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 179
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 180
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 181
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 182
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 183
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 184
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 185
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 186
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529720201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 187
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 188
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 189
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 190
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 191
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 192
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 193
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 194
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 195
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 196
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529740201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 197
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 198
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 199
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 200
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 201
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 202
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 203
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 204
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 205
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 206
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 207
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 208
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 209
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 210
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 211
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 212
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 213
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 214
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 215
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 216
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001000000000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 217
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 218
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 219
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 220
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 221
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 222
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 223
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 224
 # Signature encoding contains wrong types.
@@ -2822,9 +2721,7 @@
 msg = 313233343030
 result = valid
 sig = 3065023100b37699e0d518a4d370dbdaaaea3788850fa03f8186d1f78fdfbae6540aa670b31c8ada0fff3e737bd69520560fe0ce60023064adb4d51a93f96bed4665de2d4e1169cc95819ec6e9333edfd5c07ca134ceef7c95957b719ae349fc439eaa49fbbe34
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp384r1]
 [key.keySize = 384]
@@ -2840,9 +2737,7 @@
 msg = 313233343030
 result = invalid
 sig = 3065023100b37699e0d518a4d370dbdaaaea3788850fa03f8186d1f78fdfbae6540aa670b31c8ada0fff3e737bd69520560fe0ce60023064adb4d51a93f96bed4665de2d4e1169cc95819ec6e9333edfd5c07ca134ceef7c95957b719ae349fc439eaa49fbbe34
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp384r1]
 [key.keySize = 384]
diff --git a/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha512_test.txt b/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha512_test.txt
index 782d42b..0c45cda 100644
--- a/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha512_test.txt
+++ b/third_party/wycheproof_testvectors/ecdsa_secp384r1_sha512_test.txt
@@ -24,20 +24,14 @@
 msg = 313233343030
 result = acceptable
 sig = 30650230814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e202310084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# Some implementations of ECDSA and DSA incorrectly encode r and s by not
-# including leading zeros in the ASN encoding of integers when necessary. Hence,
-# some implementations (e.g. jdk) allow signatures with incorrect ASN encodings
-# assuming that the signature is otherwise valid.
+flags = MissingZero
 
 # tcId = 3
 # Legacy:ASN encoding of s misses leading 0
 msg = 313233343030
 result = acceptable
 sig = 3065023100814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e2023084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# Some implementations of ECDSA and DSA incorrectly encode r and s by not
-# including leading zeros in the ASN encoding of integers when necessary. Hence,
-# some implementations (e.g. jdk) allow signatures with incorrect ASN encodings
-# assuming that the signature is otherwise valid.
+flags = MissingZero
 
 # tcId = 4
 # valid
@@ -50,18 +44,14 @@
 msg = 313233343030
 result = invalid
 sig = 308166023100814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e202310084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 6
 # length of sequence contains leading 0
 msg = 313233343030
 result = invalid
 sig = 30820066023100814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e202310084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 7
 # wrong length of sequence
@@ -368,9 +358,7 @@
 msg = 313233343030
 result = invalid
 sig = 3080023100814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e202310084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd0000
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 58
 # indefinite length with truncated delimiter
@@ -443,36 +431,28 @@
 msg = 313233343030
 result = invalid
 sig = 306702813100814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e202310084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 70
 # long form encoding of length of integer
 msg = 313233343030
 result = invalid
 sig = 3067023100814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e20281310084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 71
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 30680282003100814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e202310084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 72
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 3068023100814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e2028200310084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 73
 # wrong length of integer
@@ -617,18 +597,14 @@
 msg = 313233343030
 result = invalid
 sig = 30680233000000814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e202310084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 97
 # prepending 0's to integer
 msg = 313233343030
 result = invalid
 sig = 3068023100814cc9a70febda342d4ada87fc39426f403d5e89808428460c1eca60c897bfd6728da14673854673d7d297ea944a15e2023300000084f5ef11d22f22d0548af6a50dbf2f6a1bb9054585af5e600c49cf35b1e69b712754dd781c837355ddd41c752193a7cd
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 98
 # appending unused 0's to integer
@@ -911,640 +887,560 @@
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 145
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 146
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 147
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 148
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 149
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 150
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 151
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020100023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 152
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 153
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 154
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 155
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 156
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 157
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 158
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 159
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 160
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 161
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036020101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 162
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 163
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 164
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 165
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 166
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 167
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 168
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 169
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 170
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 171
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30360201ff023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 172
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 173
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 174
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 175
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 176
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529730201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 177
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 178
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 179
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 180
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 181
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 182
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 183
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 184
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 185
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 186
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529720201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 187
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 188
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 189
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 190
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 191
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 192
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 193
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 194
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 195
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 196
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529740201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 197
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 198
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 199
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 200
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 201
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 202
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 203
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 204
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 205
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 206
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 207
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 208
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 209
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 210
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 211
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 212
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 213
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 214
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 215
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 216
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001000000000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 217
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 218
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 219
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52974
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 220
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 221
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3066023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 222
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3038023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 223
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3036023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000100000000090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 224
 # Signature encoding contains wrong types.
@@ -3054,9 +2950,7 @@
 msg = 313233343030
 result = valid
 sig = 3066023100b37699e0d518a4d370dbdaaaea3788850fa03f8186d1f78fdfbae6540aa670b31c8ada0fff3e737bd69520560fe0ce60023100e16043c2face20228dba6366e19ecc6db71b918bbe8a890b9dad2fcead184e071c9ac4acaee2f831a1e4cc337994f5ec
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp384r1]
 [key.keySize = 384]
@@ -3072,9 +2966,7 @@
 msg = 313233343030
 result = invalid
 sig = 3066023100b37699e0d518a4d370dbdaaaea3788850fa03f8186d1f78fdfbae6540aa670b31c8ada0fff3e737bd69520560fe0ce60023100e16043c2face20228dba6366e19ecc6db71b918bbe8a890b9dad2fcead184e071c9ac4acaee2f831a1e4cc337994f5ec
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp384r1]
 [key.keySize = 384]
diff --git a/third_party/wycheproof_testvectors/ecdsa_secp521r1_sha512_test.txt b/third_party/wycheproof_testvectors/ecdsa_secp521r1_sha512_test.txt
index 58bf90a..35a7eb7 100644
--- a/third_party/wycheproof_testvectors/ecdsa_secp521r1_sha512_test.txt
+++ b/third_party/wycheproof_testvectors/ecdsa_secp521r1_sha512_test.txt
@@ -30,9 +30,7 @@
 msg = 313233343030
 result = invalid
 sig = 3082008602414e4223ee43e8cb89de3b1339ffc279e582f82c7ab0f71bbde43dbe374ac75ffbef29acdf8e70750b9a04f66fda48351de7bbfd515720b0ec5cd736f9b73bdf8645024128b5d0926a4172b349b0fd2e929487a5edb94b142df923a697e7446acdacdba0a029e43d69111174dba2fe747122709a69ce69d5285e174a01a93022fea8318ac1
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 4
 # wrong length of sequence
@@ -339,9 +337,7 @@
 msg = 313233343030
 result = invalid
 sig = 308002414e4223ee43e8cb89de3b1339ffc279e582f82c7ab0f71bbde43dbe374ac75ffbef29acdf8e70750b9a04f66fda48351de7bbfd515720b0ec5cd736f9b73bdf8645024128b5d0926a4172b349b0fd2e929487a5edb94b142df923a697e7446acdacdba0a029e43d69111174dba2fe747122709a69ce69d5285e174a01a93022fea8318ac10000
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 55
 # indefinite length with truncated delimiter
@@ -414,36 +410,28 @@
 msg = 313233343030
 result = invalid
 sig = 3081870281414e4223ee43e8cb89de3b1339ffc279e582f82c7ab0f71bbde43dbe374ac75ffbef29acdf8e70750b9a04f66fda48351de7bbfd515720b0ec5cd736f9b73bdf8645024128b5d0926a4172b349b0fd2e929487a5edb94b142df923a697e7446acdacdba0a029e43d69111174dba2fe747122709a69ce69d5285e174a01a93022fea8318ac1
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 67
 # long form encoding of length of integer
 msg = 313233343030
 result = invalid
 sig = 30818702414e4223ee43e8cb89de3b1339ffc279e582f82c7ab0f71bbde43dbe374ac75ffbef29acdf8e70750b9a04f66fda48351de7bbfd515720b0ec5cd736f9b73bdf864502814128b5d0926a4172b349b0fd2e929487a5edb94b142df923a697e7446acdacdba0a029e43d69111174dba2fe747122709a69ce69d5285e174a01a93022fea8318ac1
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 68
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 308188028200414e4223ee43e8cb89de3b1339ffc279e582f82c7ab0f71bbde43dbe374ac75ffbef29acdf8e70750b9a04f66fda48351de7bbfd515720b0ec5cd736f9b73bdf8645024128b5d0926a4172b349b0fd2e929487a5edb94b142df923a697e7446acdacdba0a029e43d69111174dba2fe747122709a69ce69d5285e174a01a93022fea8318ac1
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 69
 # length of integer contains leading 0
 msg = 313233343030
 result = invalid
 sig = 30818802414e4223ee43e8cb89de3b1339ffc279e582f82c7ab0f71bbde43dbe374ac75ffbef29acdf8e70750b9a04f66fda48351de7bbfd515720b0ec5cd736f9b73bdf86450282004128b5d0926a4172b349b0fd2e929487a5edb94b142df923a697e7446acdacdba0a029e43d69111174dba2fe747122709a69ce69d5285e174a01a93022fea8318ac1
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 70
 # wrong length of integer
@@ -588,18 +576,14 @@
 msg = 313233343030
 result = invalid
 sig = 308188024300004e4223ee43e8cb89de3b1339ffc279e582f82c7ab0f71bbde43dbe374ac75ffbef29acdf8e70750b9a04f66fda48351de7bbfd515720b0ec5cd736f9b73bdf8645024128b5d0926a4172b349b0fd2e929487a5edb94b142df923a697e7446acdacdba0a029e43d69111174dba2fe747122709a69ce69d5285e174a01a93022fea8318ac1
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 94
 # prepending 0's to integer
 msg = 313233343030
 result = invalid
 sig = 30818802414e4223ee43e8cb89de3b1339ffc279e582f82c7ab0f71bbde43dbe374ac75ffbef29acdf8e70750b9a04f66fda48351de7bbfd515720b0ec5cd736f9b73bdf86450243000028b5d0926a4172b349b0fd2e929487a5edb94b142df923a697e7446acdacdba0a029e43d69111174dba2fe747122709a69ce69d5285e174a01a93022fea8318ac1
-# This is a signature with correct values for (r, s) but using some alternative
-# BER encoding instead of DER encoding. Implementations should not accept such
-# signatures to limit signature malleability.
+flags = BER
 
 # tcId = 95
 # appending unused 0's to integer
@@ -906,640 +890,560 @@
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 146
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 147
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 148
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047020100024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 149
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047020100024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 150
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047020100024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 151
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047020100024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 152
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470201000242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 153
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 154
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 155
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 156
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 157
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 158
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047020101024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 159
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047020101024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 160
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047020101024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 161
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047020101024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 162
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470201010242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 163
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 164
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 165
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 166
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 167
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 168
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470201ff024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 169
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470201ff024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 170
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470201ff024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 171
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470201ff024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 172
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470201ff0242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 173
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 174
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 175
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 176
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 177
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913864090201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 178
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 179
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 180
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 181
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 182
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913864090242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 183
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3049024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 184
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 185
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 186
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 187
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913864080201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 188
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 189
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 190
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 191
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 192
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913864080242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 193
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3049024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 194
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 195
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 196
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 197
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 198
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 199
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 200
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 201
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 202
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a0242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 203
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3049024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 204
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 205
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 206
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 207
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 208
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 209
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 210
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 211
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 212
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 308188024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 213
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3049024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 214
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3047024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 215
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020100
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 216
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020101
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 217
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 304702420200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000201ff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 218
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3081880242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 219
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3081880242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 220
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3081880242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024201fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e9138640a
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 221
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 3081880242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024201ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 222
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30818802420200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 223
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30490242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090380fe01
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 224
 # Signature with special case values for r and s
 msg = 313233343030
 result = invalid
 sig = 30470242020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090142
-# Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA
-# implementation does not check boundaries and computes s^(-1)==0.
+flags = EdgeCase
 
 # tcId = 225
 # Signature encoding contains wrong types.
@@ -3103,9 +3007,7 @@
 msg = 313233343030
 result = valid
 sig = 30818802420090c8d0d718cb9d8d81094e6d068fb13c16b4df8c77bac676dddfe3e68855bed06b9ba8d0f8a80edce03a9fac7da561e24b1cd22d459239a146695a671f81f73aaf024201150b0fe9f0dff27fa180cc9442c3bfc9e395232898607b110a51bcb1086cb9726e251a07c9557808df32460715950a3dc446ae4229b9ed59fe241b389aee3a6963
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp521r1]
 [key.keySize = 521]
@@ -3121,9 +3023,7 @@
 msg = 313233343030
 result = invalid
 sig = 30818802420090c8d0d718cb9d8d81094e6d068fb13c16b4df8c77bac676dddfe3e68855bed06b9ba8d0f8a80edce03a9fac7da561e24b1cd22d459239a146695a671f81f73aaf024201150b0fe9f0dff27fa180cc9442c3bfc9e395232898607b110a51bcb1086cb9726e251a07c9557808df32460715950a3dc446ae4229b9ed59fe241b389aee3a6963
-# Some implementations of ECDSA do not handle duplication and points at infinity
-# correctly. This is a test vector that has been specially crafted to check for
-# such an omission.
+flags = PointDuplication
 
 [key.curve = secp521r1]
 [key.keySize = 521]
diff --git a/third_party/wycheproof_testvectors/eddsa_test.txt b/third_party/wycheproof_testvectors/eddsa_test.txt
index dec273e..55afb2b 100644
--- a/third_party/wycheproof_testvectors/eddsa_test.txt
+++ b/third_party/wycheproof_testvectors/eddsa_test.txt
@@ -384,72 +384,56 @@
 msg = 54657374
 result = invalid
 sig = 7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab067654bce3832c2d76f8f6f5dafc08d9339d4eef676573336a5c51eb6f946b31d
-# EdDSA signatures are non-malleable, if implemented accordingly. Failing to
-# check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7
-# and Section 8.4.
+flags = SignatureMalleability
 
 # tcId = 64
 # checking malleability 
 msg = 54657374
 result = invalid
 sig = 7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab05439412b5395d42f462c67008eba6ca839d4eef676573336a5c51eb6f946b32d
-# EdDSA signatures are non-malleable, if implemented accordingly. Failing to
-# check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7
-# and Section 8.4.
+flags = SignatureMalleability
 
 # tcId = 65
 # checking malleability 
 msg = 54657374
 result = invalid
 sig = 7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab02ee12ce5875bf9dff26556464bae2ad239d4eef676573336a5c51eb6f946b34d
-# EdDSA signatures are non-malleable, if implemented accordingly. Failing to
-# check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7
-# and Section 8.4.
+flags = SignatureMalleability
 
 # tcId = 66
 # checking malleability 
 msg = 54657374
 result = invalid
 sig = 7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0e2300459f1e742404cd934d2c595a6253ad4eef676573336a5c51eb6f946b38d
-# EdDSA signatures are non-malleable, if implemented accordingly. Failing to
-# check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7
-# and Section 8.4.
+flags = SignatureMalleability
 
 # tcId = 67
 # checking malleability 
 msg = 54657374
 result = invalid
 sig = 7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b32d
-# EdDSA signatures are non-malleable, if implemented accordingly. Failing to
-# check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7
-# and Section 8.4.
+flags = SignatureMalleability
 
 # tcId = 68
 # checking malleability 
 msg = 54657374
 result = invalid
 sig = 7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b34d
-# EdDSA signatures are non-malleable, if implemented accordingly. Failing to
-# check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7
-# and Section 8.4.
+flags = SignatureMalleability
 
 # tcId = 69
 # checking malleability 
 msg = 54657374
 result = invalid
 sig = 7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b38d
-# EdDSA signatures are non-malleable, if implemented accordingly. Failing to
-# check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7
-# and Section 8.4.
+flags = SignatureMalleability
 
 # tcId = 70
 # checking malleability 
 msg = 54657374
 result = invalid
 sig = 7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0679155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b38d
-# EdDSA signatures are non-malleable, if implemented accordingly. Failing to
-# check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7
-# and Section 8.4.
+flags = SignatureMalleability
 
 [jwk.crv = Ed25519]
 [jwk.d = CiOiAHKJEjeqCGS1dlE5UUkIeHh4zXcTWgBZiB0xPwA]
diff --git a/third_party/wycheproof_testvectors/hkdf_sha1_test.txt b/third_party/wycheproof_testvectors/hkdf_sha1_test.txt
index e531083..35b9054 100644
--- a/third_party/wycheproof_testvectors/hkdf_sha1_test.txt
+++ b/third_party/wycheproof_testvectors/hkdf_sha1_test.txt
@@ -36,8 +36,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 4
 # RFC 5869
@@ -47,8 +46,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 [keySize = 128]
 
@@ -59,8 +57,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 6
 ikm = e3db76e02278cbd2adbcb4555803da11
@@ -69,8 +66,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 7
 ikm = d4dcb92a769f57c8bab8a420ee0aa351
@@ -79,8 +75,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 8
 ikm = 2d43e54bf0c94c9cbff4300f4aa69ab8
@@ -89,8 +84,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 9
 ikm = 4055536896c406d5fe14a6cd6b999bff
@@ -99,8 +93,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 10
 ikm = 5b01b2da3166f217cdd68de8af60078f
@@ -109,8 +102,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 11
 ikm = 467403c2ec02a235bf730ff37e8d8ff3
@@ -241,7 +233,7 @@
 result = invalid
 salt = 96b2e11fe817e1e40fba8aa5083cd490482b2abe
 size = 5101
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 27
 # output collision for different salts
@@ -251,8 +243,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 28
 # output collision for different salts
@@ -355,8 +346,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 39
 ikm = 8c177ab5f40e9c57203883562f01f174070ccd97
@@ -365,8 +355,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 40
 ikm = e842a4fc1a147cf2f87de9bd5a42fce6457496f7
@@ -375,8 +364,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 41
 ikm = 5b870ee1bb97ee83f67fa7335b4a0f9dadc80d12
@@ -385,8 +373,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 42
 ikm = 58ea7ab33acff514ec08f41e59c17a3c66c1ceef
@@ -395,8 +382,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 43
 ikm = e8d20934b9d320458f4854e2442e2f0fa092f461
@@ -405,8 +391,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 44
 ikm = dc9e488c684dbf0ac8ff1eefaa0666d413d258f0
@@ -561,7 +546,7 @@
 result = invalid
 salt = cfe7614e2db108b12f077ff8e58e2b80718d981e
 size = 5101
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 63
 # output collision for different salts
@@ -571,8 +556,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 64
 # output collision for different salts
@@ -675,8 +659,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 75
 ikm = 236c2ba20c72242820f63d3e9c20633162c1cb048a45dea13861e8a138b9640d
@@ -685,8 +668,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 76
 ikm = f2cba42dd82acb5d2d569406815a3769b7becb13fa48537fa7d7d5e121081d39
@@ -695,8 +677,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 77
 ikm = 73d97f2ffde01b447a5b8573190a8eb4f87f7ac04482836143f780ad876bfffe
@@ -705,8 +686,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 78
 ikm = 6948521434707e96fa943e44988d1ad409ec57e6594867e8193e9d727238916d
@@ -715,8 +695,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 79
 ikm = b72b3854923b8a0048497a86bddef962552c8f6b2c72b2b2006a1820fea5c6a9
@@ -725,8 +704,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 80
 ikm = 44d774def90685c0e9a685fa50fd434c807d1a57896fa42f91778821fe232057
@@ -857,7 +835,7 @@
 result = invalid
 salt = aac161c03b3d3cf4d94072a48fd6ca3619510888
 size = 5101
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 96
 # output collision for different salts
@@ -867,8 +845,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 97
 # output collision for different salts
diff --git a/third_party/wycheproof_testvectors/hkdf_sha256_test.txt b/third_party/wycheproof_testvectors/hkdf_sha256_test.txt
index 744db97..d69bb3c 100644
--- a/third_party/wycheproof_testvectors/hkdf_sha256_test.txt
+++ b/third_party/wycheproof_testvectors/hkdf_sha256_test.txt
@@ -23,8 +23,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 [keySize = 640]
 
@@ -46,8 +45,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 5
 ikm = e3db76e02278cbd2adbcb4555803da11
@@ -56,8 +54,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 6
 ikm = d4dcb92a769f57c8bab8a420ee0aa351
@@ -66,8 +63,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 7
 ikm = 2d43e54bf0c94c9cbff4300f4aa69ab8
@@ -76,8 +72,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 8
 ikm = 4055536896c406d5fe14a6cd6b999bff
@@ -86,8 +81,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 9
 ikm = 5b01b2da3166f217cdd68de8af60078f
@@ -96,8 +90,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 10
 ikm = 467403c2ec02a235bf730ff37e8d8ff3
@@ -228,7 +221,7 @@
 result = invalid
 salt = 701dfbe3f22c13268a04871dbb9711f371bd702b2bb41dba24409578e6481bc1
 size = 8161
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 26
 # output collision for different salts
@@ -238,8 +231,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 27
 # output collision for different salts
@@ -342,8 +334,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 38
 ikm = 8c177ab5f40e9c57203883562f01f174070ccd97
@@ -352,8 +343,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 39
 ikm = e842a4fc1a147cf2f87de9bd5a42fce6457496f7
@@ -362,8 +352,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 40
 ikm = 5b870ee1bb97ee83f67fa7335b4a0f9dadc80d12
@@ -372,8 +361,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 41
 ikm = 58ea7ab33acff514ec08f41e59c17a3c66c1ceef
@@ -382,8 +370,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 42
 ikm = e8d20934b9d320458f4854e2442e2f0fa092f461
@@ -392,8 +379,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 43
 ikm = dc9e488c684dbf0ac8ff1eefaa0666d413d258f0
@@ -524,7 +510,7 @@
 result = invalid
 salt = 9ad532fb460bf6d4c3eb565dcb84dd0f3c04c5ce962076f1397ca7ca472ae2c2
 size = 8161
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 59
 # output collision for different salts
@@ -534,8 +520,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 60
 # output collision for different salts
@@ -638,8 +623,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 71
 ikm = 236c2ba20c72242820f63d3e9c20633162c1cb048a45dea13861e8a138b9640d
@@ -648,8 +632,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 72
 ikm = f2cba42dd82acb5d2d569406815a3769b7becb13fa48537fa7d7d5e121081d39
@@ -658,8 +641,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 73
 ikm = 73d97f2ffde01b447a5b8573190a8eb4f87f7ac04482836143f780ad876bfffe
@@ -668,8 +650,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 74
 ikm = 6948521434707e96fa943e44988d1ad409ec57e6594867e8193e9d727238916d
@@ -678,8 +659,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 75
 ikm = b72b3854923b8a0048497a86bddef962552c8f6b2c72b2b2006a1820fea5c6a9
@@ -688,8 +668,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 76
 ikm = 44d774def90685c0e9a685fa50fd434c807d1a57896fa42f91778821fe232057
@@ -844,7 +823,7 @@
 result = invalid
 salt = 41535a35ec11384df15a0a24a65f067591b446ac4514f7d981724db4900a6106
 size = 8161
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 95
 # output collision for different salts
@@ -854,8 +833,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 96
 # output collision for different salts
diff --git a/third_party/wycheproof_testvectors/hkdf_sha384_test.txt b/third_party/wycheproof_testvectors/hkdf_sha384_test.txt
index 3350b75..bdb4731 100644
--- a/third_party/wycheproof_testvectors/hkdf_sha384_test.txt
+++ b/third_party/wycheproof_testvectors/hkdf_sha384_test.txt
@@ -13,8 +13,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 2
 ikm = e3db76e02278cbd2adbcb4555803da11
@@ -23,8 +22,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 3
 ikm = d4dcb92a769f57c8bab8a420ee0aa351
@@ -33,8 +31,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 4
 ikm = 2d43e54bf0c94c9cbff4300f4aa69ab8
@@ -43,8 +40,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 5
 ikm = 4055536896c406d5fe14a6cd6b999bff
@@ -53,8 +49,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 6
 ikm = 5b01b2da3166f217cdd68de8af60078f
@@ -63,8 +58,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 7
 ikm = 467403c2ec02a235bf730ff37e8d8ff3
@@ -195,7 +189,7 @@
 result = invalid
 salt = 85522968a566b7ba10cb8e7a6f10159977e4a572408ace1b65c481ccfdf09532483cf308bba0557c9a72c849780e044c
 size = 12241
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 23
 # output collision for different salts
@@ -205,8 +199,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 24
 # output collision for different salts
@@ -309,8 +302,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 35
 ikm = 8c177ab5f40e9c57203883562f01f174070ccd97
@@ -319,8 +311,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 36
 ikm = e842a4fc1a147cf2f87de9bd5a42fce6457496f7
@@ -329,8 +320,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 37
 ikm = 5b870ee1bb97ee83f67fa7335b4a0f9dadc80d12
@@ -339,8 +329,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 38
 ikm = 58ea7ab33acff514ec08f41e59c17a3c66c1ceef
@@ -349,8 +338,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 39
 ikm = e8d20934b9d320458f4854e2442e2f0fa092f461
@@ -359,8 +347,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 40
 ikm = dc9e488c684dbf0ac8ff1eefaa0666d413d258f0
@@ -491,7 +478,7 @@
 result = invalid
 salt = e01bc4ca3df96a1d158434ec7519550d485ec22d45f827c5f1f9c20036591089a8b6dbec705fd80266fac62a66c9681c
 size = 12241
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 56
 # output collision for different salts
@@ -501,8 +488,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 57
 # output collision for different salts
@@ -605,8 +591,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 68
 ikm = 236c2ba20c72242820f63d3e9c20633162c1cb048a45dea13861e8a138b9640d
@@ -615,8 +600,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 69
 ikm = f2cba42dd82acb5d2d569406815a3769b7becb13fa48537fa7d7d5e121081d39
@@ -625,8 +609,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 70
 ikm = 73d97f2ffde01b447a5b8573190a8eb4f87f7ac04482836143f780ad876bfffe
@@ -635,8 +618,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 71
 ikm = 6948521434707e96fa943e44988d1ad409ec57e6594867e8193e9d727238916d
@@ -645,8 +627,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 72
 ikm = b72b3854923b8a0048497a86bddef962552c8f6b2c72b2b2006a1820fea5c6a9
@@ -655,8 +636,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 73
 ikm = 44d774def90685c0e9a685fa50fd434c807d1a57896fa42f91778821fe232057
@@ -787,7 +767,7 @@
 result = invalid
 salt = 408df96efb424324020d4836d100280b70f5d0e850e5460db77c543224ad5d2ba935060d1b5d63d80923fe922db1220a
 size = 12241
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 89
 # output collision for different salts
@@ -797,8 +777,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 90
 # output collision for different salts
diff --git a/third_party/wycheproof_testvectors/hkdf_sha512_test.txt b/third_party/wycheproof_testvectors/hkdf_sha512_test.txt
index 129ff7e..b03dcd7 100644
--- a/third_party/wycheproof_testvectors/hkdf_sha512_test.txt
+++ b/third_party/wycheproof_testvectors/hkdf_sha512_test.txt
@@ -13,8 +13,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 2
 ikm = e3db76e02278cbd2adbcb4555803da11
@@ -23,8 +22,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 3
 ikm = d4dcb92a769f57c8bab8a420ee0aa351
@@ -33,8 +31,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 4
 ikm = 2d43e54bf0c94c9cbff4300f4aa69ab8
@@ -43,8 +40,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 5
 ikm = 4055536896c406d5fe14a6cd6b999bff
@@ -53,8 +49,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 6
 ikm = 5b01b2da3166f217cdd68de8af60078f
@@ -63,8 +58,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 7
 ikm = 467403c2ec02a235bf730ff37e8d8ff3
@@ -195,7 +189,7 @@
 result = invalid
 salt = 1460e1e2a09bd06410ec04ecacb752b707d5b26a003431a7d67e51c5df028b098853d77c0faa23edc5b27d304fcfc85883cb8fa4cbc5ff32e79139102b8ebcd4
 size = 16321
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 23
 # output collision for different salts
@@ -205,8 +199,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 24
 # output collision for different salts
@@ -309,8 +302,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 35
 ikm = 8c177ab5f40e9c57203883562f01f174070ccd97
@@ -319,8 +311,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 36
 ikm = e842a4fc1a147cf2f87de9bd5a42fce6457496f7
@@ -329,8 +320,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 37
 ikm = 5b870ee1bb97ee83f67fa7335b4a0f9dadc80d12
@@ -339,8 +329,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 38
 ikm = 58ea7ab33acff514ec08f41e59c17a3c66c1ceef
@@ -349,8 +338,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 39
 ikm = e8d20934b9d320458f4854e2442e2f0fa092f461
@@ -359,8 +347,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 40
 ikm = dc9e488c684dbf0ac8ff1eefaa0666d413d258f0
@@ -491,7 +478,7 @@
 result = invalid
 salt = dedfa9e98cf384cc448927bea53574c05c1132f2a07b531b366b15e12dd7c9f69ad1eca26581562f53cb3b4db07b9196664bcfd2b9cd1616a9dfe471af24b55a
 size = 16321
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 56
 # output collision for different salts
@@ -501,8 +488,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 57
 # output collision for different salts
@@ -605,8 +591,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 68
 ikm = 236c2ba20c72242820f63d3e9c20633162c1cb048a45dea13861e8a138b9640d
@@ -615,8 +600,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 69
 ikm = f2cba42dd82acb5d2d569406815a3769b7becb13fa48537fa7d7d5e121081d39
@@ -625,8 +609,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 70
 ikm = 73d97f2ffde01b447a5b8573190a8eb4f87f7ac04482836143f780ad876bfffe
@@ -635,8 +618,7 @@
 result = valid
 salt = 
 size = 20
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 71
 ikm = 6948521434707e96fa943e44988d1ad409ec57e6594867e8193e9d727238916d
@@ -645,8 +627,7 @@
 result = valid
 salt = 
 size = 42
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 72
 ikm = b72b3854923b8a0048497a86bddef962552c8f6b2c72b2b2006a1820fea5c6a9
@@ -655,8 +636,7 @@
 result = valid
 salt = 
 size = 64
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 73
 ikm = 44d774def90685c0e9a685fa50fd434c807d1a57896fa42f91778821fe232057
@@ -787,7 +767,7 @@
 result = invalid
 salt = 78865524949fc5a008997d85b1ce5d33054ea061d6ff5d7bf74c9d36b3502f0b6fc163101376b241024ee063e82d5826ff5395124a18504256544f922b7c1761
 size = 16321
-# The output size of HKDF is limited to 255*size of the hash digest
+flags = SizeTooLarge
 
 # tcId = 89
 # output collision for different salts
@@ -797,8 +777,7 @@
 result = valid
 salt = 
 size = 32
-# An empty salt is a valid input for HKDF. It is equivalent to a salt with n
-# zero bytes, where n is the size of the underlying hash function.
+flags = EmptySalt
 
 # tcId = 90
 # output collision for different salts
diff --git a/third_party/wycheproof_testvectors/kwp_test.txt b/third_party/wycheproof_testvectors/kwp_test.txt
index c7f9cbe..9c05b42 100644
--- a/third_party/wycheproof_testvectors/kwp_test.txt
+++ b/third_party/wycheproof_testvectors/kwp_test.txt
@@ -30,8 +30,7 @@
 key = e0e12959109103e30ae8b5684a22e662
 msg = dbb0f2bb2be912a20430972d9842ce3fd3b928e573e1ac8e
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 5
 # wrapped key is longer than wrapping key
@@ -39,8 +38,7 @@
 key = dd583d9f1059861430ec8b5d8a180e9b
 msg = f2e34f356362a31b51d6e02bcd333c9e6170494ca5ff5487
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 6
 # wrapped key is longer than wrapping key
@@ -48,8 +46,7 @@
 key = faf5ccfae42b43cee2c5f0f3177a7c5d
 msg = 4e02084833660c463830483b36dab866c64c8cf7429cac3d
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 7
 # wrapped key is longer than wrapping key
@@ -57,8 +54,7 @@
 key = c2b9d23f2831ddcdeb456853d4014db9
 msg = f4cfea98e58b939cc859554385cf3a6c7f8217f728efb431c964786de8274907
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 8
 # wrapped key is longer than wrapping key
@@ -66,8 +62,7 @@
 key = 620a08f320cdedbf7ae551add348d95e
 msg = cec34eaf8e67e1ce619ddfc309531c42f16033a7e2cbc4f5eb3a548164e9b291
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 9
 # wrapped key is longer than wrapping key
@@ -75,8 +70,7 @@
 key = ed089ac274f8c7cea2415671a94b5e53
 msg = 6065e41df14daeeefacac5daeb7674cdc9c1f686013b797153e80ef215893299
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 10
 # Round counter overflows 256
@@ -84,8 +78,7 @@
 key = b6121acad51038e11873aaa7e6c7be06
 msg = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 11
 # wrapping small key
@@ -93,9 +86,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 12
 # wrapping small key
@@ -103,9 +94,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 4c
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 13
 # wrapping small key
@@ -113,9 +102,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = be52
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 14
 # wrapping small key
@@ -123,9 +110,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 2d5244
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 15
 # wrapping small key
@@ -133,9 +118,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 6c3d3b4c
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 16
 # wrapping small key
@@ -143,9 +126,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 0412ab3ec6
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 17
 # wrapping small key
@@ -153,9 +134,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 8ae08938929c
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 18
 # wrapping small key
@@ -163,9 +142,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 7c8dfbb68d72af
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 19
 # wrapping small key
@@ -173,9 +150,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 536f8f83b64771c1
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 20
 # wrapping small key
@@ -183,9 +158,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 8571f282b18b64ec5e
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 21
 # wrapping small key
@@ -193,9 +166,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 8ada889862813e364c4d
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 22
 # wrapping small key
@@ -203,9 +174,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = f9c56e8058758a5c7c2baa
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 23
 # wrapping small key
@@ -213,9 +182,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 7c7dbc83fa62206a521ed4ad
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 24
 # wrapping small key
@@ -223,9 +190,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = a6614daf00df6d14f50388bad5
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 25
 # wrapping small key
@@ -233,9 +198,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 450580a47d7008321496bfb82f48
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 26
 # wrapping small key
@@ -243,9 +206,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dca
 msg = 9efd21e13855eea8907afdcd8935f4
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 27
 # Modified IV
@@ -634,8 +595,7 @@
 key = 1639f9f81e53e2eeb677a249e5eced3af108971301601a7b
 msg = ec3c6a1f1a9585327fe658490c74635e5300876da5846a629398984fb551d691
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 83
 # wrapped key is longer than wrapping key
@@ -643,8 +603,7 @@
 key = 1f22d5658aa685b8ba8659dc342880d5b2399e6a815005b0
 msg = 50be4c1b2f29a63f44d7fc63737f600f0194ea3fb36e173d2ddd19f218656380
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 84
 # wrapped key is longer than wrapping key
@@ -652,8 +611,7 @@
 key = 3a2f4aa50441954bba5a1836294ce071f9296b23dbed6771
 msg = 65da02ff21b483a1e39575490b4319e84ae0299f1f00b3859fbe2e74b3ec2aaf
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 85
 # Round counter overflows 256
@@ -661,8 +619,7 @@
 key = b6121acad51038e11873aaa7e6c7be06f93826b74fec0ea1
 msg = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 86
 # wrapping small key
@@ -670,9 +627,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 87
 # wrapping small key
@@ -680,9 +635,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = a3
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 88
 # wrapping small key
@@ -690,9 +643,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 594b
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 89
 # wrapping small key
@@ -700,9 +651,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 72ab34
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 90
 # wrapping small key
@@ -710,9 +659,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = d4d9460f
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 91
 # wrapping small key
@@ -720,9 +667,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 643972e552
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 92
 # wrapping small key
@@ -730,9 +675,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = f3cdb73d2561
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 93
 # wrapping small key
@@ -740,9 +683,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 7b0b53b6429e14
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 94
 # wrapping small key
@@ -750,9 +691,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 6b2393773e6d1378
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 95
 # wrapping small key
@@ -760,9 +699,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 2c52d6639e769960e8
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 96
 # wrapping small key
@@ -770,9 +707,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 707c9356216d69c69048
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 97
 # wrapping small key
@@ -780,9 +715,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 615f6fa79e1847e7359a8a
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 98
 # wrapping small key
@@ -790,9 +723,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 7f5e999168ec60624426cbb1
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 99
 # wrapping small key
@@ -800,9 +731,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 3f93aaf4463775baf6c0c975ae
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 100
 # wrapping small key
@@ -810,9 +739,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = fefcf10c976309b2beb085771e50
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 101
 # wrapping small key
@@ -820,9 +747,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b
 msg = 6854354d0099f7eff740b0587140b3
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 102
 # Modified IV
@@ -1299,8 +1224,7 @@
 key = b6121acad51038e11873aaa7e6c7be06f93826b74fec0ea1c02f9981ed49d16a
 msg = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = acceptable
-# The wrapping key should be at least as strong as the key it wraps. The
-# wrapping key in this test vector is shorter than the wrapped key.
+flags = WeakWrapping
 
 # tcId = 171
 # wrapping small key
@@ -1308,9 +1232,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = 
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 172
 # wrapping small key
@@ -1318,9 +1240,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = ae
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 173
 # wrapping small key
@@ -1328,9 +1248,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = c548
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 174
 # wrapping small key
@@ -1338,9 +1256,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = f713b9
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 175
 # wrapping small key
@@ -1348,9 +1264,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = f375cbf7
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 176
 # wrapping small key
@@ -1358,9 +1272,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = d9445094b1
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 177
 # wrapping small key
@@ -1368,9 +1280,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = fab43e91ae15
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 178
 # wrapping small key
@@ -1378,9 +1288,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = 90735025797bd2
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 179
 # wrapping small key
@@ -1388,9 +1296,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = e43f5e4e123a03c4
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 180
 # wrapping small key
@@ -1398,9 +1304,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = 1723eb9d000916996a
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 181
 # wrapping small key
@@ -1408,9 +1312,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = 8b18daecde14b8472ffd
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 182
 # wrapping small key
@@ -1418,9 +1320,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = e5bd6fbacbf3ef0d40c884
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 183
 # wrapping small key
@@ -1428,9 +1328,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = b3be5e5397df5f46b099e821
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 184
 # wrapping small key
@@ -1438,9 +1336,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = 4cdd960cabcf8aaf69c37da1d3
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 185
 # wrapping small key
@@ -1448,9 +1344,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = da29e0889cf98742612e0326300b
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 186
 # wrapping small key
@@ -1458,9 +1352,7 @@
 key = 1abf4b7fa2bb62a78f09ddab04625dcacdd9e551d1a69b6b162baa53d2700093
 msg = 72aaee126a822184806c7d22eed66b
 result = acceptable
-# This test vector wraps a key smaller than 128-bits. Rejecting such keys may be
-# reasonable to detect weak keys. Rejecting the keys also simplifies the
-# implementation and its analysis.
+flags = SmallKey
 
 # tcId = 187
 # Modified IV
diff --git a/third_party/wycheproof_testvectors/rsa_pss_2048_sha1_mgf1_20_test.txt b/third_party/wycheproof_testvectors/rsa_pss_2048_sha1_mgf1_20_test.txt
index c8789e1..9163692 100644
--- a/third_party/wycheproof_testvectors/rsa_pss_2048_sha1_mgf1_20_test.txt
+++ b/third_party/wycheproof_testvectors/rsa_pss_2048_sha1_mgf1_20_test.txt
@@ -18,533 +18,533 @@
 msg = 
 result = acceptable
 sig = 1d5a9bb49cb1f5c2862f36e451dce7fc607f3d302eb9a9fbea5b673a29fa9023308381262c538cb53910b5773a7a44ff465828bdfccf8a7a4ef902e945dd5f6226ffb7d5b05f2335e5762c5aceff71c8408150959c1780cc9c22fccebd3405e81f1bc16d276c07e4a545ddb1aadeb751b571d22f3e4bc4e02020eec5901a1ebc04415e9ddfe967fbe4ec7166923aa095b9fc7a81fc21ba37b5220a973fc5f32fdb8e0841ed321450248402a159d2c08e4a72b780310d420a6e499c2b34b0bd6fe0d1d0e1a7810563324ad8e778720755eb00ac6e28b204ff5fbb01fcfc91e8f1d2f113a5f32843119f5e06beec0fe94e5bfd0ccdd7f322bdab7b05c4f83c0504
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 2
 msg = 0000000000000000000000000000000000000000
 result = acceptable
 sig = 01e9b1d4f36d040a553ee12afb76a36d04c6c5a0f3df84ae22422e8157e57b1c43a7bdaade30ae73073632a4679973ec10bcbb3016f6e20c9cad29a14f96052507819e90cf56ba50c97df5e5001c7f94817ed29f7500f839eb415ef3182aedb2484bace43cd2fcaaa6f5dbc4b6491791592f084b2a14ab303e89deb28a68c72b0b630ae85becb67f2b722f23a0f321f3a7496b251895111640452932579aa53ffb8f8fb4ffd331fa48c6f1e8e152ce7e04cfec941cd96dcf7a885a3022e426d87e8111336f1166878dcf8d190ffb16a574fea9eb6d7e270e025c6d98817e75c968f78c4750be018f74968d7f3e5cb9d6f47d5aafc99c85c83af7175c73091ae8
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 3
 msg = 54657374
 result = acceptable
 sig = ac3c332b52f06ba2190c6ee312c32321ac377019c35453537a393bcf0c1e6f3697f770ccec092740100a7009cba20f86304108165d5de572df89c42423eabaf910619d555f7b27f7aca31861db0bca8357956466d3792fb6669c77b98bed3c721f71321548f8b4313e535eab5638b9e341f4bac6c9ca02bd07111da4e39f2cb8ed8ea5daced3ada8376ec8db27f6d619ad92e01fb49bb3e53ec3b84ca67b18c268db08ec28752b0c13f269a39fa700dac163b5b9439cd7a9883673335f2b7ecc0728ab38df178ce14479bf6a8aa1e24a433e41f9f217be5c0181245135d1e265e1ca1aa06dd6e853f5d1f144878e2f64461599cf88490285b52a79b744f25ec5
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 4
 msg = 313233343030
 result = acceptable
 sig = 0bb9473d3a8cc4abd63c6f2ac13e278a9cd1dda844fdbd13e9b77cdd52c1b05ac59126e45d276777e8b1bc423cb261d29675988954c9ddc38bb9a67bec5e03e1e780915333dfe494dd8a4f0bfa0d748805885c389d6f7fb6f786c58d21a468b3589346d70e1153e29dcdb91dec8ac185501efea247bac7c63e3c546ed635e647097bae3b8ccb992701a75d209c439c5dbe8122da616a4e230bce08f541abff854fb93c87fdde0fb457c44b2783568bcbbfbba611d8e984410d360c4ec3732cb69426a94191d5a0cb33149b518ded86864706c723b27228d74836513191cebc790793e5809287b0279e7bc82f266d437d192e98975960d0014dd02e172b7fe251
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 5
 msg = 4d657373616765
 result = acceptable
 sig = 1b92015bd34fcce819bcf75a6c38a05ae2b425f4b21802306c1af645d1197d2c84b84b24d453eccc44f578465b8100ad9d60ac4912c7aa4d5745a1acead176d8758f6abb532d874ba5407d9e3e399f2cd6166b9d3ad1745cd20ddbb584891879ebe71bfd4275d4c176c9da1e13903e42be68ff2a78d2da9324a8cfc7a8e2fd08307c0ee14288087196c840a0e2b3811d9e9bda6ec24bc86e7ca5e34b57969e3aac31388fd2e696528f7d5136bd44c122156a5147f05bc9b118d3a33ee6d7faecbb048290bb0d4719c25ba71741d7434d66fc4baba9b995dfbc56e3507cfc97aa2d67acfa1083e0ef58e6db6975b3bd6b10ddf1c13087d2bf546a931f0baa0cc6
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 6
 msg = 61
 result = acceptable
 sig = ab8c1e95acc36ad6218e48f033835d15ec6bc7181552feb6dd6e128546917bac892f5b349a234d051a83ea6469e27189f2995302388337c2ffb3a746db17b157923bcf6e985ebd203a4e9a23697cf2925912ecadc3d3f68252e5e01e112db1829658b16ffe7188228921829ee59d575c6ad8299d76c7f5d6cb204b769854de0204087560465904c73ec3bbc1b47bbc98586f0ba17b99c43234d262b7f1e19fb2cdd20b92c322d6e498835b3ce8480eda172921b5a4707d5ccb662e1ee4b3b4c36b5b485a10aecf1b12449732018e594a734b68c8fad4a730b469d097c89c4121d4f6dce34be78f65591b673b1d0ee170cb3c1852ca22bd53b9b26b2fa19ff275
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 7
 msg = e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 result = acceptable
 sig = 264dc979cdb293d180f15ef3183334d4940410c9639712910006c68e3766c3aba1dd95510d71e7d91d93e61128da456cb0d84c44552f33504bd2dae30699d372e394912a66c334e888873a949d58a3b7d7d43e76391ab0cc490e7c3afee6a5f3262b7d298919d64c5e7bb81cd7bf8e612b9f6e266eb28316a7fd01e44b62100f4b462ba5b238115081536ad1f6a068d656d00000431afd1b6a5b57f43f27ca778c08a4f86f62ef84c73aa72b0c361c68345c10599ed731d6423c750462acfb469910a50aa2fcad3ef8c908633bd3fb0b2e7e8988f9be2ebd715333381c6506e0cdaba7691109cceb8ad5364fbc035c309a50912dbb670a8c255c287a9ba992f0
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 8
 msg = 383633323732373830
 result = acceptable
 sig = 91d5f67dd4f93a6093adb8a7686be7e458f66c23e32464942f46193055c61c29db94eb12f96c918e1cbfcbcd2ed6f4ef6d271cb6def90375b1c07bb2d5e7c1c92425b16b2d8acfb87b8aececb874b7bc2ec9b2865f8882e0807db9ed481ed5fed0f3dca5b643686e70b4940af6d086ed7fb91fc30b322ce9fda13ab70a7206feab152991415d50ae586e8a9229a5d2ebdd1cfe56c131fb832f1dc39bd9fce7b73b190832b4052f5dd34cffcb39f5b0d527db2322d292427bba611ccaf8afd7cef8878337f1a8b2bc0f5ac08497eecc95b23ba171707795fdf5397f94ead6b8569b4871aeef1052fb4e895bad9f17462c1dfd712950631f625503d1336e850e6f
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 9
 msg = 36313639333935313337
 result = acceptable
 sig = 500ba4952945df532e565c9803ee08eae2b7b69e02199cdc510184fab3f22613f4a005fb425bcff96e25ba4f66a849abbd299f2ea7d530b263bab4899ee3b6121b88b1f2ba0186867fcacf686a71fdba46c2e5379167603bd88a9e1a20f5211420a1737a77c40fce3a7722115682882ba04fb521088750178f3b665921011209f4046b9981b79696cb4193fe56783ea96ffea62fd3f5945e4790ed1a1059b5f81124e52dfdae58e6814a1ea91851c045d71960600a2a94db05f40fdcc61b90e846e563122e6fff4ad1ba74394af7fc13ec46fd7befe8825abb40b365e8ecec7131769ae3871e806eff4f6092802a8edaa8cc47ac8053c8fefca21648abcab60f
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 10
 msg = 333036353331303631
 result = acceptable
 sig = 3296d2cbabc9257d91b75b51b994dfb8f777fd2630801414c33d405860e3f75b8b08540952e4defba250d3946537774f93a8c88607c8d673a0a1c7161ea14c56b8d3e2d17862e932146f29937b0084295f16bda9f6c555af0e26f7ddd223af6118c795463ac9b5be70bd413bbeda91539f05da157275c24269f039be88b3c3589e4cbc99746f3acf186b79bf27882ef2ef3edc0dc717ed2b94ed55177f99537a3261cf509852115652376261b090ef766cc68a99ec4ec7aa8ec6cab724b4eccae9805f300c48a076f0dd345b6018941bbe4fdbf94e548bdd6bdb6c62a358407ed3c84ff587ebb36ca82818fd82618c94bd355944547b09af94a03e68a3f07f94
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 11
 msg = 38353939363734353639
 result = acceptable
 sig = 97e5859c080f776faa13039db19d49eaf2a16b048246c939ef875fdb4e28eb2bf4ee3c114b2d99b20753d1082061fc4935429a92aad3d486718657a8ca2141873e69668edd749f99f1cd757dfe7cc2db297cf1bcaa1f82c3cd92482f4dca6ca66b0c28276c32c4c2864c8e87e8c42b4008a87a4100523130c8e4bb35b7fa7d1af7ea6097da7f7ae8372d5aeda20b4a4ba3a6c93e1b77b17a08328a27d975ccfa6d1b9010b34ccc12ebc0c3d4e6bb14c1b655a15b7f68604068c9c493f561017a1aaec7c84d1a24d9ef97aa683a240abd141a55daa3c210174e731daff63eb39ac3aab1a79b9a0f9178a7c374f0bd0148e4ffd8c9e17f2dc7ef8fb20e3f5f1043
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 12
 msg = 3135393637383036353431
 result = acceptable
 sig = 8357bf730c668cf632cf2b1b5f9f9f3837061a1de0b86906debecd43077bd132b6c6a078b35b6878a07a8d0a84ceb45c93cf8e56e21e7cfc095107412672b58faeea7cdba71765101890b12a92af31d12f6370529215c299469ebfdcaa2055d2c2261bfce7329977f13fceb51d445b56a57a4e34e7c6abcbd7ecd13af0d92a6300ccaf70e3ae8a827380c58bfe4f381ab085784545d6b23ebf896ea8c453af1b498784025c9e9eb01e10e9d1e22eaf2c77902b64435be4c54b9f3d74b63482e69cf751f522f5a3ff59a35ccec8e612321495a727fdabe0891265cb45a18c99846aec27bcebdd79195f65e05a4d5799a333219589c61e1aaa93547974138746fa
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 13
 msg = 333237303833383939
 result = acceptable
 sig = 46f2507d0817c14753ed5d4a9fa6c98cbcf7483f237ecf5d26d76e6522e940215841da07f3f20d4af6d8a35e182617150115063c1e1dc897b67ade6b6263700f5420a7f6595ce620f90ce6b8393ff006fe4f0825dee82ddca8457ef74d78e3352f05ecce196a1bf4d45f018317a6a42c59a2f2876f95e405d65c4bc5f0380d0e0956766f89b15850fbf736cb042921e4589721b5ad9abb6213bfecf8eab2ed077c6cf33be26e8b9fc5f95adc045efff8658231e28fd595701531e8bc3c74b42f12271f077e08cf9386d5b611bd88218e42ae757eab5c0c9b974c2bc17da12c8babad3eefda8a16a56ce3431da35460b1ad1df2b2e172cdfc006512e1a4ac866f
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 14
 msg = 34363035383435363034
 result = acceptable
 sig = 0c3b3f5120fb9c7dc3a715498786aae8e2dfe5d63f54cf805d02bafd36c806c83d0a93af5d1eda293f4ffe6d0ab218648a82ad12dd328a60f6c632dbf9f6e5e504fd08b8b84d8d58000a2d2a9f9a966ee898d9cb75a69c930b260f6dba3a0301ae876e212d4fb971d819c20cb07aaf0fcdbc152765398173dc0d7229ebcd8a9aaddff45d118bf63ab397adb39af91203e8fa5a7d28f2937ff7cf31ae90dd9efc9f2549bf6cbcc3c65aaf78a93c76007bee2720930e2a5331335983943a6d93570b11615165196f9d7ddadf805d443021580514d921f439891446c1fb1dd740794bbd6decb017acc238a81ceab36071be58551557b09643cd2bd7be6e69b77aa8
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 15
 msg = 3131313738363634323032
 result = acceptable
 sig = 94b777215d1ae19f959d046fc02fde3e113e15bdadb1d792c744f217200e275d3954b798b43e5ee382877420144087be340e11d2879c10af6376437b5a8f62634fa19b9338360a318c95c9421d90f60337634f3a03a2260796d8928e056aa7759cb13f3bbc72954f9c9da7eab1d3564050e4267ced557e3684e5090cef96f585153db8c732b78b4f7df59db219d7aeac42d4f20b1dc9825171bbebc2712e722ed6fed12dfc72dccb1e9a2c6d93e4c86641e1dfe16d6d43629dee7d80eba8e9639ea594ffa206cf3f0e561b2953a290d8cd70bd0ccbef64b32bd66b294f1fb1ec97bad0e096e5e200e5812fe025333cedd7d1ec8c111b28beb4a402f5cabf2f99
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 16
 msg = 383035343535343634
 result = acceptable
 sig = 819f624b0dfe6822d3923ac1e5c75f79e1da3dfbc13b332874d4052eebb30f9b2a09ecf75f1122990c37367d75e4ec510f4645b9f41fe4f2f9805a981ea81ce932127613126caf8e04b9d194a927b720b24cd9f1721e33d121c59930ec48a5f5574f9aa8c6bafb5c8ccf9dddb2dbb418d9884ecb4a931a9265360dac7475de7e4cc795ce7a586c7d476ba470dda7c03b3f1ab69d9372d7cff3422306edd8fe8f6dd745596f1fcacfb99914470c13e752bfaadce632fe4124d6ccd80eebf87a6982a998aa4a0892c270ae6de0b9bcbfbc9cbd96dff2e2f93f80d9370fa2a015e13d0376b4d9dcbdedea29ba9b616a83261ccf6ec56079ff2ec93d72989cf93454
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 17
 msg = 32373335323330353531
 result = acceptable
 sig = 118d4dcfebd82ea74b28041bd8bf5f969d04e160e2b8ab2fbbe1c2a1673cdd4fa7d801aa4bc23f9898bc0dcb240e8a3ede076f911ffeb2749c03d21923055f8878aeed88563dbbc45422b658f8647dc868885c92015df4d5925f3e6d75e85754b7f002374d4583ed310bc991cad2812fd29d0906c4dea5c52921fe2184880c5e8ca51b06bc5654edd5e0e72e20922a9c9b2fcd068c700ec82878b6ac04a56becd76fbbe9fd4abfa9348756f983bfa92539424d972d764e7813bbbd34bb369ec147fcb1a94e8602e359f1ef312725f2bb81c04932c1c4ebebfa09e3165d0287a85a22f0898d6385538066246ade07cb51580db1fcca86afad06fe2f9695c2f8fd
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 18
 msg = 31323238343430383037
 result = acceptable
 sig = 53711344088547e405b1e3f7605e44f9b7b6735d5d3c32ee0e408fe7ec9ccf58998487443f66d4edc0020dba88efdef9ead403a2874b2892054e391f61c1b36e490a8623868ea3e3eeb07eb6a2de96503b93f4fb534225072c6bf90837c029a1f5c2a5d8194df2e203fb0c2aaeea506767952897d900d9fb20c8cf4f7b68a97a5278d7aaa6e383f0cc8d2b53bb748ab6b0dc5fb1ce82b08aa986449b3c3137a5965985d0cd62b7a1a11b31a498669a0b3072692eed9a1393e42d7e61b90226acc62b284ec550c0813c4afa25a1b6fc103cb80cf429944b557e1334e81c1173df4a86ab107cd8ec6c75392cc7cb11c9212f15ee7e18aa0d27006af5c5ede7b0e6
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 19
 msg = 353131363538393837
 result = acceptable
 sig = 972ab5dfd3aa92ef9ff40026764716784c87154f12967ed3f02adee5f73fe9a0594b22599e829bcdaeb00217a12218dadf06c9940aaf9c02c75cb149a89e258a548894bf4762100ba17bc8bc60a7a0d05307b7133678dba4babf660d12418659cea25c9f982bdb9b1d2300fdd9d144a25d4f150e54ca7ca344dde9e9e1ba5783c2cb606bbc86341ab9344a0840dc515dd1d589bede2e3f483b20180f08695cca0e9e1cefc68b6bfc3527e48ff0260a3f696c0680364bd4b6830d675ec4986638e976b83cb1f56ad5fe705d5dee0c0c5eb29bd15a24f265965000ebcee5a8551ad8ef74b40592477255169bda56dc8f35fafaf796fbfa44d366033e15acfe048b
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 20
 msg = 36383435383536373234
 result = acceptable
 sig = 7a7cdead06ba212e8dd6b446f911cf37b40c5ac7f9c817125c0d5ee3cde49ef336b87eb94f7d8a93e1d9fd0efeb77e724769b27d6f63ba91f7219f23e085a3433e4d69ca8f8e420534f554c69a7221d70e57f8a8246b24b5986716c50da4942a1720e51b3ab87efdad42e02cac254be2673d5bfa4669e764defb401121a25055993dc5ebba22176834b4a2f9a8a3a34d35ae2c344e9a84675d94ef8f56b16d848d15851c058ae64df8a404eee09b63bb64fe017c206a94dbd7b274440f04fe07d22d079c2d2a8686f247eb983a0ee625b2d4b9fdd4d9ade53712f0d13cf1ff1aac03d09f80335bf9364327a89171a8a51f4219f86646be96f0d96c6cb27f43d3
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 21
 msg = 32373736323939313435
 result = acceptable
 sig = bb15915502ad77b3a080eed70b444b753496450a4114d435d2aee9fbf1b345074fe85c23ad4ef52603b3a8a077d5024e3d56dd620169b6dc0ff7437fe1a520c293d78faa77258e8c8632100e0644f469f0a3250a53483e9a2f8dab0bdaead5df41dd1bba91dd01d79eda1df838dd4567d04526b0e1fcb5d07cc628f4ff62fecb65d2386af638ba6d0e594518699c5685033635af6cb302d07bf39a1dc5b50ede06baacafad9a2ee9ac48bf88c11329d2be62d565b0312813fc81c9e3cd243aacaa6c11dccbb6941e2aba6f93524b0140f30987168036b13810c10f65f0acc443f7df7009c238a8d5bfab00116f1adcb4cbf55c484239689404788bd29eb787f8
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 22
 msg = 32383739323832383334
 result = acceptable
 sig = 4fe965e8b685d1eff38f26261f5c168b77560de5f2d7243a33c3c1c7f267d7b60e9a61444b6cf0a71caa18ca81f38960f45ef29586910c240c93820551f3da5e15180684807faa5d9fd361325b9d39c7b8e805abd75b69af4d020345bcda266a15540b32ccd28e57f7063edc228fbc815f1ab965fa542ed679c43f7b4949f7448e6882bc36a8f10412dc0e828b33ad4e09a5c72d3730143520e4eb625356615bf49e51ccebe904af7c6397785de0f20371689f2975666524103bdbb4bf27f1e202018aca8003de615f073773cca7e647e71ee51d97cc30356a17b50aa3c47a74e133aabba4ae41750786a9b1e584e319836c3c7e7c8c2eb2ce6604323856b399
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 23
 msg = 363635373637393733
 result = acceptable
 sig = 9e12dc1ec88182f9462a795d710dd07447e79a4e035b97c16e351c4b5d4e98459b8e5a52e2f51dcc1edc4c8943863fa9abc8fbd75ee2f47691a58428034021c6d3323191a5a5fdb2da2ac1b2a149b8d1025576309e21410c9400cbd3b67d2ac4d4af6f57c6380fda2817c263984795934b48844f5ea4761402354112a2a8e2c06dccea0e535a06b6b1274a42f218b1d442c2c8347e7fd168100ef658c63c790e6bdfad3f4e57a536e2ce181a976dee1d605cee947bf5b228f7c540c2c9c9f2caa0461bf737e32f5454f52cf5300b23e8a9921d5e4a380eb836b645515c0c71ea803b730d0667dba49be3825c7a5f49afb7e989c85246ceec236c3a0eb43ed8be
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 24
 msg = 373436353535373037
 result = acceptable
 sig = 3f55470e612c832eea00cd738b6152bd03d88c3abda95ccc2ed6eb6aa5c0e4d858982a548d25914eac7649c53d2169da5ad4f09bb64d6290c913d346424d189bc2414ed50dd2bdcfe3e9e80a992c6611ec86b537a8b5cd92985cb6226a0367c2ff20d2859c21882fafb2b9c47f48fd19cfa14f793e0fff45d06a2e886253a209ed95030da05a1c6ea35d2993c600491b493ded76e952acb0442c52760fbb1f735957a1ab30fefea6e7b596a7aa4ea479ba6a6aeb866ce6caf38cb7c6338b2993213c39c98b0cdd6e46c9702069b85a8c7e050c1079b11fd209fde0cc58d37beec46db4c8c95b402c45b2f5b7906f1ef19f2a84dbb8e54bd5d5dd39a532ed6e37
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 25
 msg = 39383734313231353838
 result = acceptable
 sig = 08823a3eefc4d13f801419b374a5d8cd51f9281e124deb0415250e9e353e3a2f974a83347ca09d3b5ec24ec94048b096a4b11dfac52f2480b522f70eb4eeeed6f84941bc37d1dd1d82d7b9883beef1a6cdcdc5b3f6024d9299b10d7697c0325e2c75764f225cdf5fed483ac300a489b69536acc9fc90d581dfa10d67056b3ef9b05e09aa8dfd3d688ec4d63f483c301a44934bba1841860948c130d6353e7d74c9ca9e764c44e3b6fb1665afd38b6a7df8892d90a0d5483dfaec6270084ad76aa50f38e34389f891fa6455ed9f3cbacc422266f6ca2b10aea5c3caf83035c06833cd7bbbba83dadfb28807f7b3d7f4ac6e9025a47217c3dd1dfe9426aae6175f
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 26
 msg = 32363032333032333730
 result = acceptable
 sig = bb6c055b3f55671f0ce85c5641b970b5ca0dd1f1b8978b915c8e36390700f6bfc765dc6b1694625672f70c0bdc97517d81cca9190ac4bc9eb5105df3457f48144ab9dcc049ae54f28123af0204176685ef6c2d71b0e618389400e18e90fd1dfe65cde88b628fdc410631ecae8d64b86da329228ce4c99fcf572e77e3ea366ce6d33d1401e250c75a329c71c7f5363a95cfde27bc8cf010bef57aacbd44c60a4d5b7aea41df9b9d59efa0cb6cd343b3c95c7acbd84d77873a5775c8757c585d665cfae9bf10095fe4f979b5866b6fb393b09890e118a35ae8a17f7eb8f60dd6e4954010ba903e69f4cdc63880bb24c3019acc596e6028b5f1aa86cc16d6f9720b
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 27
 msg = 33373236363131363038
 result = acceptable
 sig = 80ac097d00555c8f6ac34f3ea96570432283b373bfbfc327e5e1f88b9b25d8dccd61d1064a944a10418ffb863ca2eee28182d046ea819b776e00a6fd62836aa3f334aaf7d14897971782a8e557c53314a3da16f3bf09959c139abf42c95a943e8f736fe6ac47aac2c4453d2a7091214e9d6c81098f39907d001b4cdaef6a66b426b571105a94331349d0c4d456263e090c0ed01ad2195ca0e7affd36d0f559cdf12c8c8128c7cf1a8aebaef6154b4bf8e3bd8db789eab080b14b45b10527e800452fbe2f20345cb41afae4f35530936c1b99137a3370f4f1c9eccfa81bfa3749fec4b1b0672b50e970c621ba0a66d1e775bb4df0674f587c938a29176c603318
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 28
 msg = 37333434363334343235
 result = acceptable
 sig = 669f3256203b4ffe73ec01c2d7d120ab9c02bab82ac75495dcfa24db2f8e79970673d4790da772f4b16b14f81047086034b3ad927196a48390774aefe0d277ff466798d3497c0e108d51476945e4c324d32145af5d8cafe88bfd6a4b52c8e033ab4b95bc5b5c3451808f019b39285efd4feb6c21708b00aa5bc781afa87fd7475cad673833617159e75051646064d81ed42044791c27e37eec421893fd371d7cd96b462c158560545df3f5862fe97958c9974c9332b46d894486e97c84528a1f55a3d9add429cd7c1a05fb582affc12fa3aeee980a93b8168f284d7f95faa2ddf137e445d2c5658b89a2a230a9a640bbee40665c2bede3f16b986c72ad15b4f2
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 29
 msg = 39313032343039313337
 result = acceptable
 sig = 50191cd6481555054231eb25b7d44f374052a228036f1e796c2d923c9df9bfd2f881620870ee4d7dffa4637e570d6055345c87b61a2c8f4f3b536d89cb0379883c99fa246e3ae9c6a157770767bb018d702382840e5125ea59bb6367f98c070327d30bc4e17c40b465fb5314e59692527d792c9155f5f1c2d9f4061a3b784741788d92d761e1a3c553320b4165c864e874f24664de3dc6b572dbbd4fdc495431de288389c2690bcf56482632ee34b638aa902f5ea808933aeace4eefbd2b6ef54b47cf2afe586c20bf015e782d5ab952bf7696268467a6beb2f2506cbcbec919674fc785474ee0608c43980f64987ec0b75e8041871ed9a2f99bf4623504a9d5
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 30
 msg = 33383239383138363835
 result = acceptable
 sig = 55a3be3e5c6c1bb472feb54e2154aef10c8880195183860a3c19dc2f0d9f2e7473b90bb2a9ecdb1a8b144ee27c60ed7ea25838bf6ecd60c2c5dae9213439a9ee8a7a49e970eef3cdbd86f0b259d7ad598230f43e2a5ac0a0f68f947cbded0d20e7a768fca530f3dac41515ec9ca79167de3d800c8bf547163b035a0f3f45c371d53969ebb6d14e5850bab303dbfcf86092b47d41582ede460bf9920c8eee792187d1da134945046d28af67c433fb802f09a6bfa946a8aadba2ae9f89afb530540cbd22960126e6e858be58e6372903698c644253cb5ff72c493b35caa4407d381f96b304b0993ce08b7b0c692c0bb7936f743666db5aebe2afc2c67e3b256fec
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 31
 msg = 31333332313433383039
 result = acceptable
 sig = b6fd6d2d4ebe5860470aec5e25bbbb02d67d46d960008311d1dbfff3b85048cef40642362104e8e544b914b9974eb53ff1cc12cb8b0fd5b8a924e96ad982ccafc1a80092586adbd2905250452e38b342f7921cfc82623ed499742b2fb0b90d1b5285bad2fa03ab82468488356605b5b7693335e8dcf983f639d82c3168020e27a7e0d06b2af184eb96618ce942c99b49bfcc27a4b6b47c5c07865c5b2eafe30c6bba2d9a97818aa0eb5d2288018103668f892e8bf5ef1837521cd2bd41b5b8f6a954f5c4a50de874b8e00784a5546cc9b7ce8de2ff776749b0027b37158cd5b11b440a52a1820b7950fa685bb43505e1d35312a6fdcbecdbe947672dc2be74a1
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 32
 msg = 34343435383035313539
 result = acceptable
 sig = 7fc54d8108368eef19f5877275d07e871a3251cca71c63cafb46808748cce240b8eb95a1f218b77954edd2ab8768e3fcaa8c8d3e9b7d678c0d44f9731d5a58f6ac5f3643187bf88ba6023301200936d9414517f1b13ac2afc01d8cb8e011631109f2e8eb66b61b7110c273e26c2066e9384732b5d978c0b2d6a9f0227533e092373fe9d8c2dc33f8253c13aa5730b3f792dd66c6b6b2be2dc5723a470d8da15c79286d1842c5cea67eaa47b906c4f034d1587610d9fa02cb7241364f8862458feb6d8fff98255b4c81b69c248d5f5dd721ee477b1f7341c73808b880a88f8425dff9c27c2bd0140a61b8c64d8dae15c4359a918de42c8a778b8b8e352b624291
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 33
 msg = 39373637303232323239
 result = acceptable
 sig = 039ca79f8bcf17374bde9dca5b7615b809ac8d49241a48b118c18cbdd4e3fc43c2e3792b73d403062ce800f26955125b7b15beb60a6447710082c6c6bf80d24dbb417a58ab934160b18883ba64f29b461f6f76f833ebd16c38f7664976aaec1521ab6a567b34283a98b8556b4fd346b050ed4b1756c1228f891172a634444779e26798476d481e416e1180aa1709f885fe5c6f091466aba6287f727f26d086618ebbcc2c020a001ad8b24d2ad0dac784456e162d06030567187c25f2e2a023e30decc076eaca92d2c82042dd077abfb788fa03a0daab9714db415822501d99f89600f8d677faa726aa43d2314645b2320588b4cad7208b2fd12d7f99fc37d809
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 34
 msg = 3130373838393031373235
 result = acceptable
 sig = 907f826f39412c22974469bbb28f049d8404b9397bbb86322c742872d8dc008bd199ec7e891c1a799da60ef20c9dd7573ba969761f5d812f72e889af855b833b5aa1cac338cf2a42d4e0a9d14cbc6fb004866aba01341e9dee8e2896df163996d78c4d30d8c68770e7c72eaf689cc49713c3eb479be8452c935aa44c48aecbb0d3f0646614d36750ef126036828be76be580879961932a74f34bac9983fba0b970ac740f584152c5cbb4d6e3815e87701ada8d30a501abdb62ab173aa1a7a3199ca27cfb179895132089c038e40a273be45b471a1a1f70e7d176b7424e852b3f8c608193a7126588c5065cfc5a7117beb72f73ea8a836c8a15f12eca67f84051
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 35
 msg = 38323137333338363331
 result = acceptable
 sig = 7b786c0a1baaf52fb84459e92afaf038bfe997c9a4d910303633fe2750b97448a15bb057b505683bc53ca4b18fff1dd90d1416bb8c0fb2c29550d7dda9c9a7f087386776fe65b1288c1f5508ba9468ed9328c9d6620e6882fc818c4ebe832df36dcb5d92837a711ea6f0d20b784235933d0c571e2d6061445ef5d1bc22d43378d2593b2a762114f687bcf59cadb4ecabf258d3e14a4bdea0b215828b2e7462439fcd4cb99518bb5d5dd9266d6dcd459bf36cf32cb8683067918a225c1685db5e52f9a5305cbe60a38df2babe901367eca57f9cfeee2955549ad9b99318b015ae19402a4dad7752e15b94b25b3414cc9be0c13421f31a41d0b1a3e43ce2c1d309
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 36
 msg = 31313438363037323135
 result = acceptable
 sig = 642e3b94f8c5a0897b5787805c99b04af6c7a2ef47eae10ddcbf58e0f9411373920d1e4d769619f97182db36a9c38b6cd695a1d96daaa9c9288ddd4774f9e085dcb4829f1cd852239016dd23ceb1a493a1294e3d35104f48384acebfa0cbecdc114f445c63d8a1524e608d3f75172782b1c3169d5317902a6796688dd6b0112d0822a5c65a9ab31be84c939cecc4190dfc766cfd29b965ca02baccf2e3a68f13fa304b469c60d7eb49049d78dc1e0ed94daa273dfbde714024e62ba97cfc7b3d32fff034986518e0486124a6d6d33f40474182b2c235306c7d0d5088e7e733b0a895745a4bf4c187d2cdc9d6a8df7153b41f16305a15da7807c6bc69c313b4ca
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 37
 msg = 38303433333530303635
 result = acceptable
 sig = 5ace1b9ce1f57901e8b8a90f033750f807e52361779bfd97c60f029cff8a70774c06781a2ec5d16116e0ea5170b99d0486eefafcff11f2780d7d04139e28e408a358b48ad55c0d62a357323d3ec759205df77c73f89e991f849114d8bfcfe4b6a4eafd86a9cf43500775b1cf4b4980c4f6eee17aef782eb7f94144ab1e7a0ab9c83ef2860c1429d4ac9174295f5aeeb6a3d5fd430807b9c2ec20e0e2cd1242e496e5470b733db52c857be5a65c604779d9e1bfa5a7bacbf2979f1e533278076f102b14efc321e905ae5285e50e3c9998036718b34cff35ea0c082735ea576acc2f18065c7e05df03d3fee209f1a8df7da5a07af3a4ab86e54edf85fe61343fef
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 38
 msg = 36363939343437303335
 result = acceptable
 sig = 30a1a557fc9651e08c004b23a5fc256b13f9f9221082f867643dd707fd5513de72b52d13bd1b1b6fd090fd816beb486813419bd9f426f9d4e8ec7e5c86d4228e3bfb899287b2354d5b720db60b68982e76ba2b14ed22b8bf849244c9ae6b55071bcefd4f7063d15ba43e0a5f747bef7373cb2dcbff6d511b030d3e13f628896406955a77573570305073d92c5cfb2a9c4d92f867c1801e63c8addba43ce3d7faf91af464f941faa48f28f549d897f93c074394137203a19176cbdb41bcff260b7b0053508956970e31f65807b40c3b7905da151b5520931ec5c470f020acb306fc6e969a89966fef4ab1c2a17fd5a112e0a841b853dd1449be32a3b52d2f6e89
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 39
 msg = 393933353239323431
 result = acceptable
 sig = 1960aa85afb75f52a0bee917bd0afd51de8abbe1be7abfa7c8321f74e18921db7d53de052535c2b10c71c32ad84016a998980a89cacfbbda3543c399319538f3a216981ba938a53f52b0d5b078a6cef7047bebce6c5023db080172d90b868698a2909b2fde7013283707f9b74f3d800c39b0f5dcfed845791678c7696324abc97331702f2236620182fb528e2be595ad10161bd889ff688bde34950f2b2fbbb3983f76ca9224df04e2def7ada7dac4ba70d763e2bd7bf0b5a9d05e808f9e4426f04cc94e28510fd8b91a838f86c808851ed88fb0e4755afc73e5716e9e42d794e351a4f31000427336e7052849cc673b7e54547127e7e6f662caf6bc512d525e
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 40
 msg = 34323631373430353530
 result = acceptable
 sig = 596a2b36370dd115ba496109e5a9851b2ff58c2f9a5bfd1b26cdf3eabb840c49b46b6a6887e4c13c4b930b737649bdc56fb89168e46d91a1f1186adecd0fe867cec067c9a90e8e1a663880ec44006722d4a6888b83b764a864925de700b30a6b075204a8978800296d5eb0ef1f0dc9ac87c5fb7a4b2a7cd148566ed6eacdaffe22d914da5f2d6cedf7ada28593b548775d748a61b6ed22ab5934bda0c57782caf1f48a309c80bed4fcaacfae1dc0432847583aee8332eec9435e409fce2e0d3e14f6c4ccf121b8eea6f5b415894eba24ef066a08d5faa9231fe3e7767cd1fbdea7850db1aeaeda755dcbd8aec33a7dabf430bb7002754e38a70117b47d3f677e
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 41
 # first byte of m_hash modified
 msg = 313233343030
 result = invalid
 sig = b8edfcc9ff6451ff5838c470232c4d0f358a88ff6344e62cf4cf9170576e6595fb22f6b2f3b2190a6f286745e39a300cfd368f82f86f12f81ad4f8546cafedb00a38bc85f8e240127fc232ef8287c7bbd35fdaf55ca849c9745ef2ed1371a84e77cdb07513a5e8dc4898e7a9c8c52a3e35b3682abba3b583123026b9840ae286148426c59b4c00566a147c6d89e039b28052a8974f966c2d77cbd26ad94f54ce987748374e88b7bcc4afd24582d408db9cf94906ae9d0039e1bd22ad8a23a8c379777ecac954540f1b13186369fe3480955cbef6090754b286c8e9adaa288b1024d94be0291d20e20a9eeb525d5e9a2e0e0b5cb4419802b308e27554ca3410a0
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 42
 # first byte of m_hash modified
 msg = 313233343030
 result = invalid
 sig = 48c590347b593cab642b07d49bc2229503ad8079dfa82e3ce1f014d1f0046c5862ea5d3d3c3f44705370b15079e1dda2627e3ae861fdff25eefbbb436400702816ff8c60aec8e2cae0e0fd2ea87a3c9ea03731fa2c5fc78299aea7629951cb71adf1608e5843b3f9c99f0c3ad37b6c85e0a271a1f5a07322433c5945f9a471e695c0ee81564a9bc613b73e0700a804d7c8196f160729b8f90167a6704761930bcc5aab75f2d5e71067e799833a8f4d8ed49ea17ec71a29bb9d20c96501241d97931e90b0f50db39a57829c615ca262d756744ba3422c3505484c79e964d840927331a1490889ee67ed1af681d350e0a1fc95b446c95e38a3c14af3236cfdff4d
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 43
 # last byte of m_hash modified
 msg = 313233343030
 result = invalid
 sig = 53dbcdc61acab0d966644f60bba8b9c78261f01afcbee95e206fae665c07fc69c13015941af7b684745191fb78387680a274838d1d9a3bd4b5f556406ed11e1879def7c2f018f57b317320013e9d4995f1610cb3cabb8f8cdbf718d5c3044317b000574244d5fb9fe664bbd40aeb0bd066d4ccfa224a49c3e9e3a3ae323690e5fe77a3c72d5dc752be7d68ecc38958a2bfa8e0c9365b5e546ca15fb95e205a30818b01b61fbf7a6709281b9cccc9a0c1119cb8c11c4fa2e5fea4affc477b1935b8ba738c39089f15c6fe0fec0c78b974646ea0ebb80ca5e8386d9803764704e7f16188a811de89379fab804717364cf9ec39371eaa416c628a55d2dc1a5b5ed9
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 44
 # last byte of m_hash modified
 msg = 313233343030
 result = invalid
 sig = 17b550ac168e25ebf6d1bd66ac30815cfdb680278793fec78b36e2f28d10c32892dd0af9950f8402ad8b54597472249aeb9563215e17a17ad8ffad7c4a1c14c4b92cd8dfc035cfaac6d662e27c0df6b1d787b7136a4abd5ef2abf805cfa68ac8eee0a6b5001b9fe8855a08526da1971d32d0a392424bbd37bd43f68b8119aa5c6ea33da817660ebc35d80c4d477af3363bdca4c976ec84f2aae2cffdf9ce517b50994e6a062f199d71323c532d57e76f8d89674c361e2275326589b142b4db8268a1b36425a7d70c57115df2bc9695d6dc2ad6f3850d0cfda545a8e87a75a49ad2838cd240f3461a285201a83dbb670851a9abcdb11f2b26d8c89f1ee4d44ee9
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 45
 # all bits in m_hash flipped
 msg = 313233343030
 result = invalid
 sig = 11cb2f044d4bae43fa2c7bb967f8f3aef33716e0e519ad0c49570bd7288832239f71be6ab82b9bb96520972df4b45c8b85f0dcbd8aa6839506c8b44a990b20e0c2b58c313559f86aed3bd648d8a7ba5ef2af00b958eb89fd69a3107bdc519c60dffb21a20d4a37df7572b3e496db68ca86f9e85ff132016399bb0cde7a719bc1729df1b1b3e6e4dc1ac02246bda3de9ecd89ac14f4948da298da77e142586ac0d48854b4d1eca36a18af5221ce51789acbf772c06e436009a3b88540e593d4271babce1ecfd149fa5367338e82ff3b8983c8af02df99e37039a7d03f113dff043f598e3d68f3083ec3cd545a52a076487f7ff93c016538dd6fb9f947e87da716
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 46
 # s_len changed to 0
 msg = 313233343030
 result = invalid
 sig = 0dd16c3ccc10b280bc36c0104e7c5fe47107c1ba511d197357aa7a537e90f079a00385744a85a070804e9134a75fa73bf1c053162ed2e622ef1d3a1b9f117c47a7b68f9e1000bf851570987fbb9f8b5fd2bfc058f95f2bd12ca977e44f596df0a1c48de9d0c840732d94ac2f11156c9e739de8df8931efae8aa42cd6254b3fbe1405313e8b19ca86045edf87631bd219f6923b8dfd783ac9e7c913cf7348c7b5028b478898a366b893938a94d2fea92e78001ae2baaf5dc0c31e9b0d4619e0fde45414b0c5863c8826406d87b48fbe0c52164d0a8d1fd00b883ddae8e1235c846d51e5cb20d724576dfdfa01d15f47cbac56b17543fcdfe81dd70dca545ffdd0
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 47
 # s_len changed to 32
 msg = 313233343030
 result = invalid
 sig = 18bd764174873263341771a783534921ccc5f3395ca96a3a57706bab1f78905c002f3cd6e1791e238a8ba6b9fddd74d4e758527bc3ce76a2d9b37e130bccb8e235f8388e54152f447346a580f4808bcc17dfa51c69c2625efee575314b609b8e30f1caf822411ba1cecbb2c295c76620ea1b64fadbd4a8b52ea398f60538f3a19fc9c7c5f7b7de802e16c290d635278590bc367b935eb7209547aa1cb378e54e2e383d8a2c67a69e790fcab540a51cf756c86a5fd0f337b14246eda65e9b8b85e6ebe62e89156a387e9d1b7206da72c0822d20a20637391956d473fea426505e6a541260b92cb4b66980592dcf92bfa71d264c575496dcc098bac82edd5c6dc1
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 48
 # salt is all 0
 msg = 313233343030
 result = acceptable
 sig = 6083e24acbd4973b8e28bd22e996924252e306029c3db5c5353f3e4c505d36f1fb7e580823e21964f9206fbb158465f64b26089e1fd4b8bcb2abcc0384781bb005db9ca71467661cc7e8e6a1c6b5dc8ae646f0e6805920016228f400784906a2339f5e2385cf295506c2233b662a0e01609183261122b309a1874b34cc74242f3620e3dbc639a25a9e28c54e4d3db08d6a793ec468902cf0dffdc3ebcb0982ae7a96951ebf5e7640452ba0f5332273fd9bbe4dba26e7eb106c7ed16c8baa1f1d7e5d160482741e9512b78aa62a942cabbb38789e7bb380157bb42e6a71c580dba254cb8f59620f30ac809d3ed814c5ee0f3106b03806993d79ded94ab4c3b4d0
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 49
 # salt is all 1
 msg = 313233343030
 result = acceptable
 sig = 46df0cd49ca21a0ee84d8d8a2a632c3c3d4188008773c05b6e148f629c62b9dbf3d8b1df5bfebc16efb14e5ed10bb9cd53f815ec3906a2b6e9cccde64f52c23cdfd5605f8c8c2f62eadb0b2445fa79a4e667cb63b10bb9181e8ec11946054dbd13e9ca545cd9da945bd03ae1c4f8ed48555d2e71e1ba8d410a725fafbeee8ef6798fef9d3a9c6d48825c996da1f2215048916bdf96d294c987ca678d6b1606aefab2995b11ee071633eb1c4873c1252a38f3453482cc72ddc92f9f4764adf4327274118d9adbef6e8ddbde84ad7c6991f7155a1f77aab1d01f95931cf73d61925c19d66040e0f7d8bfc68977db948125dd81a0282b30b1942e0597b489c6c2e4
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 50
 # byte 0 in zero padding modified
 msg = 313233343030
 result = invalid
 sig = 21cd7d32c91362b709bc629d9e04b242604c325c9586dff3dc152efe3a05b1e2f1ce85265c94ace1f0ad3c50d327ca582e4b99363c5fc2ca40603676c774b3d706f7e0dfc31e0306f8835273facb8aa9c6503bcff6af471875f8a4bcb5b5b6405ec22e7bcac9fb7fa2ca84cfac60f1190f3dab9ba34ab1304e07e2fa9a25cea4c459e78e05299db7497d4301e05eba538f7845bef4720fede2b541501a6ebcab62a04a1ffdddddff8146513802fa495277ce5f0244213786dea4d5a6d02fcd93cd414907c557107cc53fa5c5409f2fa0d592cba79273c9b9d4deb8d23198909b712198be83c955a915e5529c634d8375dc0559d72e30ea9f47547f6d2d52529b
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 51
 # byte 7 in zero padding modified
 msg = 313233343030
 result = invalid
 sig = 2746d7d48ff2f17364c40a0df277242656af6ccfa89802d6c31ec32388561fbd261c85cc03e2599b845e23ec90493f637a3c1d090b2604cf5c3ecba9b09078560e75523595923910f688e91337185c4d0978623bae7c33d1c3b50d83794c0a5a44a5309ba1d39f3c5dc3b31661c895aba0489cd392290135108cce56794ccea491ab424bac4405cb90a72ab53042b3fa863222c41d156ca0e752f733eb588bd9532ac422beeffac4c01c37262f49fe7e3f9dff3f993eac7b1adaf153805e1b44f7539e04a38c19579764a6d8c0634fcab0cc22ce41051968eeeb44f17fed7ae959d5199ee5e0896a964eefce583b8e0984f41a26d0bdc306b46d97b29d587f88
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 52
 # all bytes in zero padding modified
 msg = 313233343030
 result = invalid
 sig = 39610ebb7505fe8853dd2d4bb0c3a3490b669465c4c83080d643337209802c9b6a11e6c79481cb540616c7f877ac58bba08cf3f93ccd6deac0e8227581aa73461fdcc8908242468a4c57111c637712a1ce5eae6bdbbbdeb085aeccb2cc2479d502260c1d1ff63759d27f58ecdf87fecf5d23072f709b5aa811dbdb067aa394c272c270bd8ed1c9d0491fccad73b74a4b46e2f8fec3e2427661360c41be306015e43364bb459a8c3cd1797fc4a89be3a520396320427f12de28d3001ae257fd98a4f0f906781a2ff696bf51346c92545bd18c37168d943480ad1ea9dcb47a2cc6854bbf7456f205121f1f4f5beb6519521a91711aa157d2441b9bea9a29ccba7c
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 53
 # first byte of hash h modified
 msg = 313233343030
 result = invalid
 sig = 681d7afacadf19dab9252fbc35ba86a8d34f4786759251a91dba18872a070af39e5b3e9a12886b6388cc59d2f83bf19a09d1cf6cdf32f0f57cb70ae8df8d623bc7c2a45a344b02482cdd026b4207735bae6089831c8ef3d97428288e363bdfcf6d313fede6728240af8f069f9b6d7b57e029aab5b92e3dd3627f1d1a9a242de3e14a4cf5025f9a3ba2ddda23080f3d250db320c354158c2a7e530ea77ef38583ba1d3bb2141b053c9466c043e4cc261256baddf57bed45c9a491b49f56d3584a3d6b0df5843408b0287b850e88c43140fa32cfe5da29d06ee051bb0b0013fa6c5b6ef6ea025d106f8be8166a9214e1f77cb19e985298e6d71d8c00b920ae298c
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 54
 # first byte of hash h modified
 msg = 313233343030
 result = invalid
 sig = 02eae2703879522f6660221dc98a84a1a5bf69d2198864da83a633d0eef56d83950645ff9878bf12618ec8cff826c6e3d955d82bc7f6d10ac207467c373d7c7ce8d6db7eb9e966ded3c78a89abae180eb1262b80a976b32d77642f39ebc4388d2844ad2414ba6a0af1b263bfb44f16f6d3bdf44417ac31182a840c83848f1e60b36525b0135bca9718b9c6e8c06ad3c62eb07eb0f7c52793a388edab9b3e37ead929babb8a866645751ded5d331efde2d8363179188bd14ad323dc0f9d343c4c3d07c20a5ed6ad02102d3c804fcefbd43e848d2acaa632eca2e72dcbd2200b5b595868ef1a115336f754a164292c7b465e9d07ed64f0397cf3664fd6f87e0c1e
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 55
 # last byte of hash h modified
 msg = 313233343030
 result = invalid
 sig = 6b8dc366eae1348b770019d1a2d2a3a075eda36f99c1202902bf44c50b3ec8e75c0415eebdc61d70f37c8280b5ae6b2e03ddd0b1f15c6944cde9433b0837265b8cd658f21029b091832ee28c5047db21de4029b0ee17369f99dbfcc2a4ad42dcc58e210673154b4fa1474dbd684f9c7639c0856d936c8b7fdc437bec8d6f8754cd9577639b14413ab7b30ed236440516837f820a0b0e146c48706d534bf03841f3c0172bd698eb8356332d2565dbeb5143a822a0a4b978182618913e64faa71a15d454bc05accb74d1338a4e66ea77e690a6238c90b84a5261b17c6d2fe947c37bbbae99aea0742f6559d6177a272db4d51047a206b804a590edad0f7af7c078
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 56
 # last byte of hash h modified
 msg = 313233343030
 result = invalid
 sig = 96a051980a5db77b94a7adc32f73973dcfcd62e95b0e0d2e084410c37f65b50d018e9946334fa5d268a6848dc164db1d012c5d42da613d9d167dc13723b334acfbb472d32027ee6b52903fb8fc07c1a8ca31156fd73568d3a1d933d144d0f263a2adae751e8d4fb5b949adb34075a6fa59ddfcc49399f9d01dc8d8733be47f2ecfb396a3cfe40d619be4436767f76d0089b845f4a265a5ffbacb69dfcaa68de6b34b6c5b1433e149b3bdca5bc72b98617757a1242b46f1fd0d7d0a7af75adb950433e1b7584fa2de51b93231dd73512cee728a3e6f7cb95177072dcfd25362da537fd4134887ab1b536979f3969a02cdc2f3699e394b001ab227df7daa175b75
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 57
 # all bytes of h replaced by 0
 msg = 313233343030
 result = invalid
 sig = 5bac3103062a5726a57876fabce9d113f9816f30f0330ac8bf0797ebd41c5326ea693ed7a3db0af251ef268fa95ee1165ee3d5fba2630fa75c346ae422c3d14d25e16eb1c3b762d9ace379ad5006e8568b2b494c7cbb90fb7589b607da24cb8cd6a4d851ca4bc6741819ddf9acb7b3cb50cd4356b634ad2778446146b4912b9da430921bff3a8cc7e330e82a38bd9f69eaf47859b5199cceea0b9d111dbde5e20a8451fd989685986172e4f69ba2983c301c51e57ddc457af8feac9709d84d9b3c70fbba423abba4cca6eab1fff42acdeec5ec89936c4ea8f837b01eff954d13fbcfe8731a6c7cc9271a805a98b8877f364335ea239003cc6259aebb922d2f97
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 58
 # all bits of h replaced by 1s
 msg = 313233343030
 result = invalid
 sig = 1e108ddf1d6d931dd568fcde1e11971dcd86b409699909d4c2689ac17fcf0cde9bc27d10f9f2870113cc61f9983d1ec5e4b1b5f8ad0e488a991f1455c5ad4f721056e54d11b77dc7ba73bd3caaeb89c21141f0010501c9f72a3fcd4d7e7e59f701df032fa392bf82a1de9ff9f6c15ef2b0a54201f787bd87ba4fc9696065e5db96cae4b61f66294396eeea94c1c0ac10dd8f1cae928c7b7ffa84a866d69d450f072f746a4af20d4b39d26cbee43b227e96c4ef5ede5aa043d51c6a5e94c8a59758f9b42133cff0b01c365fed57d189106c4e38cc73efe7165aaa76b2a2fb0a2c41536673234c4116a7445dd9fc93e0f27eab8e5d4c19a712e09840151e44053f
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 59
 # all bits in hash h flipped
 msg = 313233343030
 result = invalid
 sig = 4877085bc45b4e538a2f25755ca410032a01af460523bea0ee1da767d73688adf09d8b300c5000d74456a55806dcfa1e1b1c787a69fff295215772173649fbf96c17c858d4be9a7ab9b7b3189243edb997af6a0100f554e368169b115cf44dd1b48665407dfccb41edefa356c297315fe5d32ae91e21705d6002c4c624c4b896dd6024839b0113fc71129052330a309892c13cf5c68ef722d637e97661366d40f8079c5c789857471d73fba4f468a6c26c21e65659b5fe28fea0e34fd47765119e41d3a12a148181a78f85c80446e2de5b42c42b354d710a4f6237a830a59e7952560a8ffce402845c38e9d4a0202e3d4d8a035298e4b48025e03e62bc6c1ff0
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 60
 # hash of salt missing
 msg = 313233343030
 result = invalid
 sig = 49626bd98377f1d2e571a9d9193bcde1c29affe17806554991680beabef4012c73fdccd5854b7dd65a3aff868688b6d4553f79ea5fe9f04d3f6afaef95665502254b1528dd35e14a0d33e7104210ca91397ac766bc7fde1a030b6e2d38ad4d69d05557464602c040888fb6f15f465a61276e6730bb3106908f60e431afa8c1127c82b0f23ddee410e3c5e73691fb6d76f2b6405348728d78a520561fbb3199296dc8b7d43e0190161a289923a1178409b43810e5b710dd74ba5dfad6a9a35675fed1584728f9d222e9b115f83900b6ea833eb28bc856d5b706bca47ff2ca2113e1a7ba969a0de3319d9f815670575b85e216dff8884cec20b56a3bf51836f206
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 61
 # first byte of ps modified
 msg = 313233343030
 result = invalid
 sig = 7df9adda89f83abbdf0e3493578461fb8e01f59dc1046fd01acb4f9c79a9a5f95f7d73dc0a9dff9ac4b03b6853a5e788da820a54e0dc71cd5f4c6e7e191ef985ac99fe3b79e578df13dba521da8082f7addf6af7ef4df649fbae8c9d58b7419f551ad67f061e1653d26ecc41f9dff8dea236462f0da7bb34bea890e21882437d9fa8f675954e1c72a8ae235bbcfea0b72a963435e7c69d7c5be86fcd79a50ecbd53e33f7d3eff268ee87b0cf634a7a9ab2fa3503e8df254bb2f223c1d2a9da9cabbab948ab3b29f53e70cc7ed859e5c3c1c66ee02b2475c86c30b148c640d67d7df0879fd14b4af9fa19a68d6bd3cb866c94db166ef12827b67448d7c316b388
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 62
 # last byte of ps modified
 msg = 313233343030
 result = invalid
 sig = 87ec6a8c3c3f5db0d85630bd76ff0a99007eeb8675ae68f1394c25e1af4f340051626d2da40df653dcb71894b4f292a6c0dc329c9aa8f599418839890089081ca3910f860e1cdfeb9ab1256a0f45ffeeeac861dc6471a902375de4287b05cc59d8cd5b84ff90e951d0b0c574f3f3d63a617ba1e3eae41c931a276af8772fd0d2097d4acd1cce8fd62ea2958d248efa8b96f3aa5afba396b17e290e6a992ee4cd0124810255d4441eb679a47c726eb784201395402b4f144f48c6fb63accd25efab39b6f57373289b33774cc8af37cb2a4b43ceb72a04fc80f2757081ea8f27caea1861296881bd948bd24458892f5cdd1bafb70ae486984af83cbef4fdfc0cc4
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 63
 # all bytes of ps changed to 0xff
 msg = 313233343030
 result = invalid
 sig = a895755f2494f5c35e7203da9ddc02180c77cb1b994f59020ec72f5174ffa59a717a7e7d0ed38f8636907c9eb34807da4c43362f342d5ab0179fdd26885456cc69a4a5cf9e95a0b23c800829eda15fceeeb3b454d5ab920d0044a3cfdecf4c434f28484d3afa70a488839fbc63df9a191c3ee3b5df0598eba155bc962312633bab04b48d47110f19c97facb6ea3d3838e1f441851bcb06ed395a1fc6f6370e065094939dbdec28fb6396cb062eee524853f151a1d2201e51d2daa6680465ed2cef8d6cd36aa43f7734754b9f499620d956c2cd6fd0c2ca3173fdad368436d8313e148085d22c7931fee7ff58d4d09334816c211c1532f1086dd197bfa4b2f628
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 64
 # all bytes of ps changed to 0x80
 msg = 313233343030
 result = invalid
 sig = 0ae88987b001f5a5d5d7b257a57fc2c37f642f136717171fce28430495deefb9407997b9e648b0aaeff568acb3e5b53e657b417e9cd8da5279a52c038d965743096c2d533c25ea98cd747ca5d719f43cc2daca426cf7bee205bf89c225a0817d59079b8162c6022ad029d0946eb99e8e44ec0898c9892614c0c48906df99219275a04fc1efe92d5d6bf98c90a5ac469a36f47a0f23889fd18da1b38ef112dafb696f536bbd04e6c966a9ba326bbd638d82b6d7661916b7bd7d3d4ac426e9f0fd527918505a6027b8dd716a3966fb439cc4a130a13014238c5f104d754fbfec2f1c780b49aaf803618c2a8b69ec7d0f09855cb1019878f52df13c4492a480dce7
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 65
 # ps followed by 0
 msg = 313233343030
 result = invalid
 sig = 3ab3c8cf8b99a2bf882153ef1ad6db449e1edf673a01e014b40d1a23fcb38fba21bd63ccd9df9a0849d59c41520946d46fd26fed9ed4bd65ba0e00705c119ebfcdf31ced34433ecdf9b4170f9990c2a26c4afddd284b7e134b9ba8b6d0d41624a169b8f4ebec7a87d0de0ee7870c99d4d05146a7b71c94606fd178aa655c3edba0f764f3292d76217d4349f90d0919c42c35be21613fcaf824e16ab3f45ef17c14255975cb85f7e1f5ddbc0151ac4961f68a331b97737b171e93c01a0f4605c7256de93ce1e1cc8f5175838999c734809bdaf8b95edfac0d5f98c3de33ad6399e8207a8015373e1f5ed76e304b5e2ac260bbed23c662c38b6f29dcb01faa4894
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 66
 # ps followed by 0xff
 msg = 313233343030
 result = invalid
 sig = 5a7e549f99c138d3fa7ede3ad655473f78c3a8de650bf8db6a5116f0807e5df84445ed72ea6a82a8150db352b85210e120818da13d9800d15823f5780b6051e51bf4488654e6a93c95d19b45378744483b43b37200d933775d2f84a7719cdff6dae2e15716c86a9c5a0042a5268cdc7b5e1860c150d85253573787b2839fedf64df3d54c977f63e7bfaf3168f0153e2ef019244e5cdd9be69b421607fef727bd5442ada4bab802ac9fc0c0044eb5b435a9caf217732b6740571bf9f7b1b3fd83da8d4c806a7e2241e37cd0d06abae28ac5a83ae3b2f81f3374dbea97e46c66e821226fc7cf0b0af2dcbdb7c5cff641775c81fea4c8cb9309e989bca04a4a5d3d
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 67
 # shifted salt
 msg = 313233343030
 result = invalid
 sig = 4975c3fd6358989938633d07cf7bf0121c8a8c987fde1cac405924ab88c5a3175d27207ebbfe42b24404227e388b11d92bbbacbbcf152d3fac0166acb868f908515903e37da98e96aea367c179530a43f78d877cf0838333fcea303cf6710f046513f01d586bc54b42bfcf5dd47b1a01ea8b95aafb4b9406888b3266445f749b1c56459ce4e10a57edc59f610b8b74edf9987c9888460108a11525d0e7228ba5eb9472a0fada1d056c8b0d08efee2761107595c6b221716b6782c27bd7755f1a23aef6cb966a31471921594a1de17ebc7e5b52b933ae52a0794bf4bcd1a792e78a47f019698a37d0d389ca2040c0d3758eedf0fa810041574b32938d290cfb45
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 68
 # including garbage
 msg = 313233343030
 result = invalid
 sig = 881dc4bf8b2c6c17e10bef3dab327b4cbb76413a7e5afbd24f198fa461bce9392d31f0a11d69bd67b75fa30ff2100dcd52b8e0c24c91b0196d172ae3fc1d40fb167b2abdce4b83fed365b9d5946a333d0f669d99edf7b8a3a1c8ddf2397cb77bcb62aecf818807d696af4f186bf2e0628ddb1b9d45dcd6eb965dd1b5eb2bade60fbf5b2ae816f45f9e0ad024039bf64c081e37630d6db51a368e92256268178aebd32963a07693f828d01eebaad0fa04e0ff29d8c7ae681be4ec16d2a6bafc1573e38f58c6c2c36a5d5a2ae7718adb1390770d9a3882f895b3f0fee16a2bdc743b0906567b6938d73a666cc33d85142359d40eabbc1da65ae616c7818f86fe1a
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 69
 # bit 7 of masked_db not cleared
 msg = 313233343030
 result = invalid
 sig = 15872263f8270e7ae9d3127a9b677828cae2077e534ea349070289394d13599392b5f803f8dbfe40a5487223dda2a3c6f30ddc92c4e6d9d22e7d0d2b60197e032f188da35457273ce5518b426196c952d0219ff6190fce905d856d491b00999821ce8d1ea4b18f3423ebad242bc846e0af408f21cddbf44e9e5f5d300d71a3b104eaa2230ee633d2ea44016af735cd5ed9c7b421f322781547bcbb0cd95e4780412f734bf681bb47abd46b158d251ec92056553ac06a59c4ba7fd20bfe50cc58386832b52e548df345b086b5757c4c9f2e133131becc90a72ec6c313e7664dbc922c87a90364bfc746a425df77c9b97dc2afecb2cc36fec415a4e1c6a957b4b3
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 70
 # first byte of masked_db changed to 0
 msg = 313233343030
 result = invalid
 sig = 6de50a9911893547ab56065d2953038768cd0689a63b0703c0dc99e7cda412ff49eca503671f068635f69b38c0627427f02785b3870c6791add37d436a81538e6fe3dd0eafdb50a18d2f2d97e3cba062fc8343a6dfd448c11997d1c5bf6e1895e09ab435ebb16052c20347f4d077c6c7779297a29e76e49cdf0d10713fce20ab51d273febaffd0679a1ed56da5c0430a90a5fca1ec2010293b2eb8fe34a732ef4679318fc5682cd8796d57be09904043961d5171fa3230674501544e3d5482f510afeb0ee4ba9fd1cfe5ba5527c9c32ff09df579884d4a5b0351cefa07baf40961412348b6846fce5bd6d65a5438821218d677e774828108ad805f574ce7b597
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 71
 # last byte in em modified
 msg = 313233343030
 result = invalid
 sig = 1f47ac7fd4585ea42ab08e1002f547dc78dbacda00eb2b3e74d0e46d45ffa8fa7b35d7afdf605b2da772bf54843f15297bcc6f52eeecaefe1c26108c35f9059c8223767c19597f4470de5028b6c522aefc5b61d545ebd6d3312cc092d1fc2a70c524fe0256029d3d357975215b2bb62336c4f4923eaa0cc422a3a088b86f4e0d81b6b4e04c21808a19ac229f2657edd42a6c41e883e69a916717b59fc6980d79884eae5ea918022da28ce2f8e52a2e5dd50d2d2969748c2d97525e672c12113f605b8c4bfcbfdca05bd85285d8fe6d22b73d3b04fafd453cfa7267cefdb5281900389ff53bb4dc3bf0dc366d86912d822410e8f77f33392c0c27fed3659da463
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 72
 # last byte in em modified
 msg = 313233343030
 result = invalid
 sig = 7922bfdd4da222918c573184b1d81a14fe87eca0a30c55f9167ad8144ea06a9d22b108a41437b42aa08afac44e7661f7b4c6293897426cb2e960aff163613349b3581cbd3a884ff9898c45c5c213d996cdc1cc119dbcd7e0e99ed08f99f8b69f8aa079cc6d15006697d4a7fc5bcfd349fcf26f43b6f5074db8e448bc92ab8442b27e82643a11842a0dc70b822cf7ae26e90791f67d25a321aec24ccd7553e631bce74888c43d9ecd18e77fc24615ec445b7d7ee83aaf63c0733da25ecd512f7dc7eec6e3fb499d7eee6165c78a4275a9e6fdcb1b962f38c8139da5089565b39c6d73739f84c70ed60e2c83bb4f351d4c87cba2cf6c68b9879e283b9c5e3de1c8
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 73
 # last byte in em modified
 msg = 313233343030
 result = invalid
 sig = 8a7e600a6675a06e677ff1344fd53a8dd2b99fcca40c2ab799636663594ac3fe2a510bf1e3ec4ca9dd28cced48b4e8457ed74f4ec2adf31b77ff1bfabd0f80c9ab4688f15630406d8ca31edaa3a3cc7980ba1b760cfbd3ff9016e1f3fa0c34cb59378b0f3745b451fd3e053c8711ecc41feaaf350980532a7db67afc35f00da1f191ff4f66b8e7e27368bc26160f540af784e8ecb38e2dadf4be82e4b761626c5c06efe0dada642eb26f12d1ee96684a5ef8e5feeeb0da9ef432647336e4ec715cfa260a8727aec4a080738086ad26b51355b8bfaf1b135e97d108b36c73b436cc5cb59593a7ce0f0e7483152319fceb37479451eeea098a8eeb0dee19756e03
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 74
 # signature is 0
 msg = 313233343030
 result = invalid
 sig = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 75
 # signature is 1
 msg = 313233343030
 result = invalid
 sig = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 76
 # signature is n-1
 msg = 313233343030
 result = invalid
 sig = bd31c7a02691d2d9587ef6a946ff788544ccadd4b2988ad62086792a6bf96c8616b4ad13317d2270b901d0fcd1d880cb8f52fb87304a5258c11b38dfeae8df670aeee7ea1d0d9df8e00e80847e41e5989ed402d44e78b30fef17b5671d3adbf8685e4dc204499ecd1863e1d5aff28a7cf66eadf31fec9236c120add13451522c647c9832a672cd64d328c1c322183f4661d09bda60b8dd5f0328da5420821424afdabb1a80c5d12763a1b0238cd89d0742bfc50b6a2fcb701d824218f9826f4f78a23a2b5aa42ace7f175376fb6cbdb2bad293ba583d4d31c6b8f9029e46b13689249855f505756e00e225a6a45a18769bd8d2b3a4acb9f1c23d3e51882561e4
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 77
 # signature is n
 msg = 313233343030
 result = invalid
 sig = bd31c7a02691d2d9587ef6a946ff788544ccadd4b2988ad62086792a6bf96c8616b4ad13317d2270b901d0fcd1d880cb8f52fb87304a5258c11b38dfeae8df670aeee7ea1d0d9df8e00e80847e41e5989ed402d44e78b30fef17b5671d3adbf8685e4dc204499ecd1863e1d5aff28a7cf66eadf31fec9236c120add13451522c647c9832a672cd64d328c1c322183f4661d09bda60b8dd5f0328da5420821424afdabb1a80c5d12763a1b0238cd89d0742bfc50b6a2fcb701d824218f9826f4f78a23a2b5aa42ace7f175376fb6cbdb2bad293ba583d4d31c6b8f9029e46b13689249855f505756e00e225a6a45a18769bd8d2b3a4acb9f1c23d3e51882561e5
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 78
 # prepending 0's to signature
 msg = 313233343030
 result = invalid
 sig = 00000bb9473d3a8cc4abd63c6f2ac13e278a9cd1dda844fdbd13e9b77cdd52c1b05ac59126e45d276777e8b1bc423cb261d29675988954c9ddc38bb9a67bec5e03e1e780915333dfe494dd8a4f0bfa0d748805885c389d6f7fb6f786c58d21a468b3589346d70e1153e29dcdb91dec8ac185501efea247bac7c63e3c546ed635e647097bae3b8ccb992701a75d209c439c5dbe8122da616a4e230bce08f541abff854fb93c87fdde0fb457c44b2783568bcbbfbba611d8e984410d360c4ec3732cb69426a94191d5a0cb33149b518ded86864706c723b27228d74836513191cebc790793e5809287b0279e7bc82f266d437d192e98975960d0014dd02e172b7fe251
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 79
 # appending 0's to signature
 msg = 313233343030
 result = invalid
 sig = 0bb9473d3a8cc4abd63c6f2ac13e278a9cd1dda844fdbd13e9b77cdd52c1b05ac59126e45d276777e8b1bc423cb261d29675988954c9ddc38bb9a67bec5e03e1e780915333dfe494dd8a4f0bfa0d748805885c389d6f7fb6f786c58d21a468b3589346d70e1153e29dcdb91dec8ac185501efea247bac7c63e3c546ed635e647097bae3b8ccb992701a75d209c439c5dbe8122da616a4e230bce08f541abff854fb93c87fdde0fb457c44b2783568bcbbfbba611d8e984410d360c4ec3732cb69426a94191d5a0cb33149b518ded86864706c723b27228d74836513191cebc790793e5809287b0279e7bc82f266d437d192e98975960d0014dd02e172b7fe2510000
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 80
 # truncated signature
 msg = 313233343030
 result = invalid
 sig = 0bb9473d3a8cc4abd63c6f2ac13e278a9cd1dda844fdbd13e9b77cdd52c1b05ac59126e45d276777e8b1bc423cb261d29675988954c9ddc38bb9a67bec5e03e1e780915333dfe494dd8a4f0bfa0d748805885c389d6f7fb6f786c58d21a468b3589346d70e1153e29dcdb91dec8ac185501efea247bac7c63e3c546ed635e647097bae3b8ccb992701a75d209c439c5dbe8122da616a4e230bce08f541abff854fb93c87fdde0fb457c44b2783568bcbbfbba611d8e984410d360c4ec3732cb69426a94191d5a0cb33149b518ded86864706c723b27228d74836513191cebc790793e5809287b0279e7bc82f266d437d192e98975960d0014dd02e172b7f
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 81
 # empty signature
 msg = 313233343030
 result = invalid
 sig = 
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 # tcId = 82
 # PKCS #1 v1.5 signature
 msg = 313233343030
 result = invalid
 sig = 3598f87916b45e657df63a839c7e544953c0039477b396a276d8df752b0a98192a10fdf431033353f8565c6de1b268f4ccb44c00ce760c67e97409271c55055b3ea885d742def2c6cd32f5fed077193d12bd48d78130353ad4aca34d9148bfe80d8ea455c3ce4b24f70131908e1947feae311e29e0ae9d1074ba73124568468e34c8b073283d16359c530ea613adb4de2ba94ebc470a57055571ef9f575c068e00de09b6d1af2051b93079ddc683090d4427847b4b9ed63a34a01d9aeeef00524278ff54b7d2955ccae5ca1001ee7588f5a21166dde7b2941a6136b38d374aac73752bcfd3e700066b2972c66cef76a48d81811e26fc7646974a149708ae2d21
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
diff --git a/third_party/wycheproof_testvectors/rsa_pss_misc_test.txt b/third_party/wycheproof_testvectors/rsa_pss_misc_test.txt
index d3d6bcd..a77f9a9 100644
--- a/third_party/wycheproof_testvectors/rsa_pss_misc_test.txt
+++ b/third_party/wycheproof_testvectors/rsa_pss_misc_test.txt
@@ -18,7 +18,7 @@
 msg = 313233343030
 result = acceptable
 sig = 88f4676b502e365dfd82805ac1db27d1107d1516431ab4f71107b62625b6275af4a5dbfd8314fae255820c0cb577ee2457f510851d2678e4ed3e6839848aca8b67c9ce52c5bf57a01b6683828d03470034b136e6ab1914adbb1d918fdc31f7cef6f44b0b0ba0dbd6c1d3c8d7699ce374dc86c28beb3bee8f81f41162344e688af0d91297da0dd5e8104a5440add89bdc6c05d20a164c0f079b78654f038d443743f94bc45762501034a32b5d05bb86e75dd9a171c81dbe43edf50b2e1fc24297375331d78a8f0399d4aebbeeed911f6d964049e67d89eec0e95443af2ceb37125ea8431cbad2d8416fc15fb9cbed9142fb8cb06dc7ceafac056cc1f6696e3d93
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -34,7 +34,7 @@
 msg = 313233343030
 result = acceptable
 sig = a85f06875b529ca61b60df404652e79a499f81a0591bafa3377b80d8e300cbae679a941832eb5569fb88c9f8629e3c2ebf5f32ffe43767d1eaf59016f5904de3f7d39cb470dfc5fb5678fcd7b55d1a30f716b7f04c2568f3c1a2bc780e974a363adc622e679902e966af183d874b35396423d1a263bb1c6e7330179671644c6953cd795a19e2fe4208e7da5244e4760dde142313a781a55b0baf866dc158812a723d74911c8717a512d722669193f8883b1cffac98de8473b7a77198e20560c0c21207e00fc7dd14385fabdd530d568d143ddbee8d1b502f7b194b9827eee9472f2be8b2a541124405582bff393412f6aba9c42e5824d7c24bdd4d82d925d066
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -50,7 +50,7 @@
 msg = 313233343030
 result = acceptable
 sig = 8189776015db3a51805f6bf71aa1214ee07f7e385510ea95a0d4c3d53bc0d59f07ca39af40fe8c3138cf6f4ba0f72a3397df6ffda9cf49e467a34d92ec772f6b6d51d52cef86d16f74bea798a85aac873cd4d5d3a0fbbb618998f4b2b691bc14fe1f235601c51a76c4eacd1a33975d9c3cdf1daf579fb943556f0febd948d1b1e15cc85edf486b00499fa9032b6b801b5ae4454c94d7f89dc1fa6dd6a927969b14a4bdf51caf7cc8a87ae05d41e1933849acc5fcb0f478f1e23a0f476372837ade82f8ed1809e2245062009b8e683f563029ddb9892a398dbc2df594c12fb4a0f0c551abdf2fee4cb325fe9800ea741f7b2f2b4db370939bc7e3ea95ab539b10
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -66,7 +66,7 @@
 msg = 313233343030
 result = acceptable
 sig = 49e060ccb577eb614274db1ad34249490d1cab2b8d3ae2b708b93c8a8ead302e6efb8d26644d5caa5f62b89f3949942d07470c37d8878eb5cc9c154701feea36ac66d0a9723fb316f7ad6226f634346c17ef47b3e19c7b9979d60118959a5b35cc188200c8f9b2723046f480d95a9a0af07e648225dc35114d8199a431ccf4f44fe8e8c9c0130aa819aeecb09f95eea8f6d89981c05cc82716fe7ea499c55460c95e99871aba1ad3ac3bdbc96850863b23e3e6659ca346ee0e186ad717a8ec9c7a548d8fed0e7b79f896722659ec7e1335de12f361d5e6c65c791441c3c0020de48e60f200c3ab79fe0179513b2c1592e2f0064ba4799f6a0eea199da77d174a
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -82,7 +82,7 @@
 msg = 313233343030
 result = acceptable
 sig = 2d4216f277e50736d41cda2191faa97fa99d9e325b34926a363f8dd73c901153f087ac206cf3cb25001dffbb6200b7b35565b466f46f23aafb872e5c39d26156d36d1bab19382e5f15873022e64b58c129d38eee8126130f6210fa5ffb697bb3dcddbd99a9b60b53b25d094f9ec9b7a1cdcd0cc74a3ac478c7a34cc22c7e30e952bfac85638678b8aa2341fb1f108114d43dc849d91a3b174b0dd62f6dfb96459d4c76ab5fb6479d68d690d4a5c120c42a4bf82a8a7e9e7aba127fd5fda3f4c6ffbf2e4eeb72ee695cfeb286ec99e7cee8cf300e4e149cf17e70cf9f2bdb6421087916e945bca42a70a88b1a87e7ca3ac0a1bf2ab1a65ebab7726994a6c9597e
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -98,7 +98,7 @@
 msg = 313233343030
 result = acceptable
 sig = b66294f7b1e1a673e566c59f9abf264860200763860cbd666e476dbbd61fc39136353ab74299cbfb64bff88ed51cf9a20694e832fd97235d31ec6aef386ad44487d3753cc1224dbd59a34babc3eb8b538c10705775a27fa88ae35c0f618e0b3c6b91d999fdec5b86f15d1e462feea3af6fa12a5234d526e82039e1df013ef1cc6056221b81d755a13b70c618cefc6dedcc3361b5a910fcd4a812ae48382fddd75d5b51ca3d243dac021aeeaf6e2bd4aed75d7ff6d81c9aaee2356e3d12192b5e75d006b124275b0daec06b5af29b0d3e85f057db59db4b887fdd2bd0a33865eb87e8f3e37b4d8621e2e41c760a973f1ba03722d42bf5b921380b71fea949cf0b
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -114,7 +114,7 @@
 msg = 313233343030
 result = acceptable
 sig = 513db066bc72893653d1f7fa3f19546281b6239bc8390c4984999121a1dd75aa94004c3874beb6327205f2ecf8f6eb93eab018de3a6c71ea8b2d3a628188d4aa2b1cd6bab169f3e78229e4383ab68aea4635935e0eabbe9dc1d671416945f1867782900da53451369ccbd548c8f756e7221ee7e1ff28dba099b8f28d1f3aad2ef8bd816a53dfa9bc88e4e3983b0de955e647caf71a607ffea20a9677e687cdda29219c7daa839276de3fe436b96b2c68db64c170ab9e300ced00e72a9c0fdc321a517aa113cdec8e2713f8b54ee2d78820f6f86b2f6e6222493d15cbe8ee9815ef2e7ca9a6ceb55955049db35b1af188b99f2c4bce38f130a75780f41b852917
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -130,7 +130,7 @@
 msg = 313233343030
 result = acceptable
 sig = b3e943f3982a29d0c1e241890ebdd9e734baf85bd32de80c6240e34dd1f7f0ca4f37fff2c373f9718e7e900df224d155c4463c66badc8fc3563f36309568436bcbef1d83c63e393d9e1432d50541d45e54b7af1b18cc819d9eaaa65a4b1e4f37ae16ec75e9f44a07262cf3e2dab85a066d92b750ba1cd2a1d42493868123f18017bd9faf1de1a4f87a3f9cf744da1eafc761b7e24c9929d3dfd15d1b08db1e3fc64932816095cea495e0dbb82842b5f3ca90dc7b78895c1f12ba991f3bef6f16451a84880fa31cdfda6b9624a77a3a0489fcfdf6e07b89c0689b5b7b7052372a2b1e06a3457b027285c3b160c0de1dba4910c0162ae8e737a3d7dd1e05c77ace
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -146,7 +146,7 @@
 msg = 313233343030
 result = acceptable
 sig = a9b9eef8197c973d6a73bdc165f40f0f53b05848c93957aec2785fa92a9cc6397418a71870f1bbc21a39b244526b4a39a538d149cde62bf8f21f3eabca932751da83120136c48073792c55e2eff4e29e6973cd3f1090c5bf3ced02a1ba4c145addc674d33b0a285d73d14bcd6f374f60c95c4184e2d57388e9c73f697ac0af5116ddbf5081a8f99ace11027835cb3df8ae785491f42850de04b3e01b9317bd04ed488ad72e787c728b4516c7d839d388a2fd7b21994ff3f5b7f264413bedd3d8a5258d2b39e60411de1ee69fe05f4e76b23a9f50b49f7043f9812aeb81cd54cc1dd9ffdc6e73580e2cae821579ba3642ff7793a3995b136e057d2d2ca7aefae4
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -162,7 +162,7 @@
 msg = 313233343030
 result = acceptable
 sig = 899a49ab1511bef8727d1ed7093bf7e6a77fa8750d047b203740324d18fc45b587d3392bb7abbe7e6bed7bf2be2fa5e355f8ac5452e675027dbec1835555d059a4ec44120f499e4951cc3fab33d3e8154a4340d29c69fb50728c60eaa58d61b75cfe7efadbff55fc0edffb4af9719cd1a3b2a240936eb6c2ad70b10b72aab7e64d9fb17ba8fadb6f4f0036bc22d5779705b02d261b8c9be700b65c066c27be02db353f4ebcab1ccb41c4bbcfef39abfa8999196951209558463aab1c6d4917ae97006199daaf963666d85c133817035f36ea321714a6b20dadb355a226257fc0abff10c9afac551bb7c3ba9e44737f45ad4f9b7f2db002afb7ad61cda0d96538
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -178,7 +178,7 @@
 msg = 313233343030
 result = acceptable
 sig = a9cadc9cf41400ea2a91e86ef6e0715fe5669dd6a8fa3aa50036e521e0c939ad9530d15e52b10404cedcc5405e7178a0444d0c5d20cfe4af10f3c07c10ef0915d05e02c62e5d0874c2ef37d4176655f63f9a9dbc2da1561c09c995581cc811b5d7621e84bedd7546d346a7a0b0a65d7f38f101b24303da0b0236a7c78f4026cc20bb32dcf79cec7f9a88661dcd52d5b209bca191f5c607e8d8e1957d779e5dfdedfec49bc2defc0ff921d5f7e875e5df46f0687a05f03b5ba5ee6bc0fcaf8d67592a96c0abb2f9a99616955222dd1e87ec9aeb4b160ab5ae96afc87a65b522c6bf4d8133901dc3a9fa63acf749ca06d00e0a8fab39a939396cdc70f52b9863a2
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -194,7 +194,7 @@
 msg = 313233343030
 result = acceptable
 sig = 807285dc6aeab0a5aa0a7667856993288b9bac9544136a5757c63b23715944df3b9b77953ef1db296ff26d87ff3dfe514e415d9f118fd09e7ac518f982736bcc08b558038c771dd1c1d3b43df922ddda57906cb5e6f5a3ed677061787ffae8eb1ee2de41b5e58f5a012b49937af8d7d44ab5f4c935b73764fb46daaa346c54109c224e16f9c53d3bc4cff2120fc3e0907984052f9e33dc1dd24a171b202a52cdefe13e93cab145416569b5a6a7f29f9b7b36bfbac41959903d765bc91c3c10b645fce9e9893ba1e3325df764bf4ef0f8eb3b3a20701d8e417a86d9b859f2a318a66ab923a49fc25a511900a149e89123b488e44d8f77abe9e7fee56286d7b223
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -210,7 +210,7 @@
 msg = 313233343030
 result = acceptable
 sig = 9031c063103542817542fefce9e30a72e9f14be94ef2b7a1df2ba721a9a4efe31476684a491e4849ee8720c1f49cdf9755d549b63fcc0e78af8353bcb42575abf92de06a308142f212ac987d42d5f622b8781c6c215d3760aa4ca8441bb3f4587da6a7463ea9425a45876b0470202315ec1881dbd4f1bfa40801dfb8898561a6ce6f88698dab497442f1ef83b1d3540cc3b0af139d5e125a88646f0dcbae053f6a8fc29a2f083e81d61082812121c3e59c3072a76d4ba830d4331105355693f561adda1ad8278ce0e10ec3f7a5ca24e31d839e4823c683e14d75f764872c2267623faacca1707f4038494557df84cdc3fd4f93e4a134e9b53e7e80ec1d60556a
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -226,7 +226,7 @@
 msg = 313233343030
 result = acceptable
 sig = 9dd8855b0abfe98598937629db4455c561b074d270146d6af837c709df76d42ff3e0d50f04f7e9b3c43244e4a893f0d22d54c58b121b78dd604d1903c96109f372ac9162bd0e4188992d9b8957fa08ad9723758299ef70125f916da07cd4a696a16340d7575e4fe6d57365c2e4aec1a5465a2ebc7a4a7b3d83d8395fcc36a11e8337878477312a7fb4ab81b70cab24ff98565559846706a42f2c07a555e92f86be89d7704a5329fb8637b7621112109f42e49cf5f9a059a7225e2587ac41b699a0b27fd477e0b1dcaf8ee88291d62f41692929b87513a5d8e69352cf6e3031f42543cbd9d8442be3c28dca1ef8a9b7e51ba089eb691f6054cec55a8e770158df
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -242,7 +242,7 @@
 msg = 313233343030
 result = acceptable
 sig = a61ee300ba0ee8bcad3554a5494a0ddacaeeb8f2e0d4c71383a2684f21a260df6b48d712d7145f62468cd20e3dc70950d89a7d8e962961196e53ddc7f1da53766732e193a7e18b08ab3c71c3547ac5a640cdb9dd3a2dcd866d8b37d57549b17a85b1a97271deb8515324ae30782faca29dae55d50030b4d5eecdaa65b035c048a32f01018a865a9ab1392b477346554ddb403dbc03fd834b72956087b623cdb6d4ad886985576ef75d186d78d50788eeeb70a0c65259f22d5dfb5d08a9c86d6055874b4e38671fc64a36083b34e0f5cc51c26ad876484c47ad7f8e7a524e967f587fb0ada6aa1c06eadb0a149923912565f25031f9c5e721ecb68ff2653e23e8
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -258,7 +258,7 @@
 msg = 313233343030
 result = acceptable
 sig = 30389051e99e04c06b5e92773ebe85fe1432ddc868153337a7df1f429b941c779049219a25db26c7ee2f189c4a9b71e690317fad22174b45857a7dee66663ccd608d4ee3da1c26f0f0ce1e87797bdecefd1d794c782a7cac322ad38179aafe3df4cb815885c391b6265244b45a7c870d1836bf361eedaff8995ca882709fe9b32bc08cd6246d74441699bb30462b9df9f74fb597b4d953ae3a4a7f060d464587ccbda79096df38ddf9b10a68cce11d5304d648ba3c5e8e111097a54f2afe1f64eeeec0db303b5f9f8863c300c33a4960a0664b59f18016d48265ec24c6f0bb2e6441262e6ea7afc80ba5399e850fcb37cde3175f63383da272f1f692cd732ca2
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -274,7 +274,7 @@
 msg = 313233343030
 result = acceptable
 sig = 2dff26d07bd2e3de20c8b6fa527e9fa16aee9cbfa0d01cd71a0664727bcb505d0518314856c43c602de0fc4647be7f496abaefc1c766fc44f6572ee2b6ae3fa7d4f23c82703d15ccf97e2e8dfa0a15a3f3f639a2f033910ec04494fb2470ec1a6cd7fbb348153f62766e2f84c1542c7e32d4d60d24eda5b26d513f49bf517aa56e43d05c8b12f2de93c36f56bc87f786dbea42fb960cb4423752fb4a811eca396d0552c4f36dd692e2ef551778a9de7843fcf37f767e3d3f63b139a5aa40d8713dfc382a5329b4f90ce43078cccb6a03f18816ef3b053006603cec694bd6e8352c0b545c436213ac5e4cf42b2a3abb5536b68ec05b3cdae133c7105df461f4dc
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -290,7 +290,7 @@
 msg = 313233343030
 result = acceptable
 sig = 545a45b222868ac1bfec75f48c52b2addc0f564a7ed54ea7c2805a4640cb54edc58e0b6dad1aaa6b629e2eb4c1c56d53cee00e61ba5596a429e469df55e5964fbf8ce6e1f36ac6adc4aab6663f152fca09729c314449431e96370b51a76261ed37ff264ef4dc9891a41f866e53f98617e496e92bbee75cd2651953afd65ce6d2609f49cb201872ccc6b8d9b853e442bf6e207c394dae3d180bd7126455fe8bc08a9c8d79a97a300884b88e1e2979ad17d15968e80c7b6eaebfcbef488fd4604f24685fc8658560da381ea827d96c78bb17d9e5d09c2d37d61275fbcc333daae6cc3c35a45f7f8d1b869586075ef5f90f60a6e9563f31be4ee6f54c1bfcf85079
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -306,7 +306,7 @@
 msg = 313233343030
 result = acceptable
 sig = 40af2e3149996f2bb055dcd6ea3e3fba2d57be6424e206c213abe5b6b3ac7ceff049018abc864118d90c5028857d73db67b94e60208c4304f61412bc856ee76e398e211d5c4927145c3ee61ae101ec071e43be9bf17e2de03cad861f461193efed7950794eaceeeeb34f4944e0bedf1853123557deac03457811270c7925d0c50eab2b6dbe000542fcd3dde5cc8563ecab6ace85bf1c535eed7bd67db0584bd4e911fcd3ff5c4059fe53dea7b382f953a4905d481af39beae68e418d2a4c0d75ed5949dac1327eec5bd9d0fdc4bd9ec67f38f2a74a4d38f0760d3e19eb9dc67c96fbd43f1aa8317aac62781738504a3c0dfa5c2288cbf9a412bbf50025cb4630
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -322,7 +322,7 @@
 msg = 313233343030
 result = acceptable
 sig = a7ae22473e8faca5602b9f8dd4e9a235af3c734cbcd2674f19d9234eee077068b2f65b3ed884e1fabef786a559e458e1fb62990c543f987e09ed482bab699cc2fdbb19397452ae3c080c315b65c61ba0d2088c776ac4533d3f877e9d9bd58dabdc9b557b5a2ce2e90e6a8476fdcc0e84bc2d861ec2e09b078e4ae4f32a0c7032f86f9a0e064a711999fa4dde25ed2841d874b172f6fd621c328413d4bffb3f6d8de7f1a329c816702d1ce6343f28cd024d0d81544854a455f337e10049e9b6366dcf96e7c47c1bf3ae0b9f041017530d319cff6a83c7b4b073f6b2a0034698631b3b103bc296773602c198f17b9233b6b8360863a716ae1b5ba54efc7835301d
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -338,7 +338,7 @@
 msg = 313233343030
 result = acceptable
 sig = 432ec7a685060666df6bac3f47d8cb960a70b1f8fd4f161da5b3cfb8fd44f83442a1ba43ca8e748a59c6c7ed7924dc0012bbefb69c97750d8d9144b4cbde2394f4b90502c1d8d047355a51265913838ee974f2386ad46531955dee655b72d470456c8cd67467c905cb06b7d46ef14fc8c9cdb70a4d90820cd80cfde02eb164542e8329dc927e199d0f2ca12cf4feb2414eb49329ba397bd2880510329718c558881891d6085211b6fab614847fbef728e961c8cb710d2e0f4d1f0b292cd372f86831c783755d149a511ce619e3ba09f41aa45a47699f266dfb8c15f90e795db4f78d97c29358a037e330ce7b59d4e34ab2e0bb84a3e8898bfce5d585b9b74f6c
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -354,7 +354,7 @@
 msg = 313233343030
 result = acceptable
 sig = 3cbc0634c9ec2732ab369624ae58c3a5c18ac10dca48732a4428a042e8b35668b119d24a5e10b5562ffcc6a5b6892a562c36828658b92037a9d48801f0694cf46535825fe450d26b55866979fe4ea2238550e64b2ae639b533a9b4c7c7c9211c8adb41e8e5d0c3c001f50d025b06af353ca11d7277129b6c3d0c3592aa1dd3e6a3371585b0cc97487a8310cc1403dd0dafb21ddf1f4983512c91f9eca9f2c83c376963a1340d4efc61f3ce23bcfed6fa01223b369f99e13003b9b9b78e54ec305569191b3dd2f7c6b53151b5e446d72b5409b18fe4ac749185feedf30e5db3096df982b76168eea32e4298b75e38caef733228a604adeffa8a878468722d36b0
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -370,7 +370,7 @@
 msg = 313233343030
 result = acceptable
 sig = 02d5a96749111200cbf977effa208876f80276dc90804910a4142399c24f46060ab148fe7817558657c459be7a59d01b1c6bed2a9d797e76d3eecf3a9099437c73de1ef1b14fa24304fb35782824e72db1adad75e0dc56e503c5a0ae29cdd55a8a6c29594153be4f69ba6dedba71dabbcfb5ac8de3b70cf82aecd6b03db4f9a0d3e7bbfb90b5b3c750e4f33cd3ecc713f8cfc15eacdb5c6e6db41dab5aed521fcc7188afdf059a7c3ebfcd2f1561baadd648cd6bdfff00b6c80130c5a3ecc3a254f8ea8f484520a0522f3aefa0fa79496b8d82117252a566fb9e191c0482398f16be513551e7a6afd9f7f2f1e89adb2627dedd96ead836a8f88e0b361ebeebfe
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -386,7 +386,7 @@
 msg = 313233343030
 result = acceptable
 sig = 97c683214a380bdc8701717ce1c4c0bd6b871fd65eb495d449ced17568b7593714f49ca8110281a1fa8b91ddbb40f85c3f0dda165bbac3ea055c8b06a0f4fb887c597b3e9082607c5c9c837d0034dc6d3a0fd4d472976b81a0792f1e31891691498c07dfab88ec72e1ae0f25467f9a4f532493d9657a0fde2f88ef648769419e269abc830e9d6b6d70b0e398cbbd05064935ff71d586f5c363640da6dcd330cf19016aaae85817311fac58f8bddb304c74e0392f2d61ef940124d6a337a3ad6be2bdaf83955474e7f0b2ca63629ef446c9355ce8f52c3c802ef3e160002ffb3824bcd25535bc2b639a4e609e3377e121b3e170e423d3f827132da216e21292ea
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -402,7 +402,7 @@
 msg = 313233343030
 result = acceptable
 sig = 0d9595559acb85a317dd798b6a904ec80a2f9afe5870d05e017371408b101710026e149084dd0399a23faeed59b18082dcd3ab62bd67effe619874bebfcb2d4fbfa44e754a4f1853396fdb79d712f1d3a1dd3ff6b0707b9489694dbd30d2fa92e002258d461023f1564c4964c859ed56f93ed42cc7c022d05eca29fd2b0fc2ea252b7e2a68529fe27da9a7a900f18e61fbb2dad4da8816d52746046a6515c29f63406c13634695ad07aa6d2be0abfe0b8e10788f2a3a31e68129bba1bd51cff5c980f6c45fb36041c07b4c863dfb5ee832cb5f3cd870205b23c8176777f4078b2655a0cb447ff34ced584f0e0eb4abdf2f35fc4523a52a9576c9d15b80a6d54f
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -418,7 +418,7 @@
 msg = 313233343030
 result = acceptable
 sig = 98bbf3028617ae1a57a689217ddaebf56191c686f8be8e6da7bce27fdf49af2b9d826c64a43f79fc7c603c5885b0c46ac2d175a7662d9ba3d82072069363cd93f7d3a0d61375e16b5a5ea1f18eaf7307e3cf8b27528aeab9d0a3d1900e5599d9ead68ede88e609c213be0a97642cc2dd6e6d2d6cea5b159ae35c42630fa9d8ddfd5155c3c070e12ec914273ce5304f8057eb0fcb0c595d895aabef7abaf6fa12eba65059bf2ed86b7064e9a279bf9adf94b894082760c5e9c15a29feca66e687df5b68e54f3bc0609aa778204fef7f8ea957c0ce1a883d1c8ece6b6b968b5d2c50b726c43f2882cc76f083647ca259e3cb33bdf1fe38d7bf8cf70da5dd9248fa
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -434,7 +434,7 @@
 msg = 313233343030
 result = acceptable
 sig = 740edeef36d73719e813faef24d66f1785b278106db66548d311115ef8203669d2eeccbfa7609d9f40e8bf4180612835d6cb07b7a6c70038936334e007b32d3b84fbf2d78dcfbae22dc5c6d4849e1e073392b02badb521247bff1c277cbabf1421ee9690a236efd5067aa3ee0cd7a3ec67cc80166bd928ba14b1105781a74df09928a816e4f2e66e9c5e45ded285a597bdd65159d87f54c8849291cf50d9aca1b57e612f7d4284f24eeed1277c43a8b1a7cb0a3ea988696afd0f14a0bc1d172bc19d4abbeb9339b5a7b8637a88142f04ff9b8d011f7b8fe1d37f75fe3ffcf13bca3c481d806839a520cb6e760bf21d28da20f58742f52ff5459293a70161bb73
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -450,7 +450,7 @@
 msg = 313233343030
 result = acceptable
 sig = 71065afdea905874489d3029ffe3979564b3690e980301717f29c2333aa029dc93dec41c26cebb4e28bd0b4beb5843f6b14ecd803d5e49b3223174f2adeb87a69a20977d3bfd486fee88d829e07957648da5fe6c8cd72d0dd492b2242afb3e9578a415b65c9160a37501e22890a25b4638c9cf9685f49c840a04e8bd99f9029be57523e05a3e35de01c7454a06493b5249b4d5be2419a4ec166f6a50f7dfd7a5852d05a89d197dd37efaa3ecd6c27e0786532fe977d35cd65a4ec2d79db053d667e61793d0719a1432b0c0ab66fc3e5dc6eeb415774c1acd448ef95a3be4fc34083891159cf6d630bcd6d9c78eb596caebf963210684ef43a6a64d4a832251cc
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -466,7 +466,7 @@
 msg = 313233343030
 result = acceptable
 sig = 2d01cf0fd2d3f2561b34b7eac9f34564a33267a98b2ed4ec00f07197cb3332a7d0cd416e221acbe3b40e9599eca87cb54f1eed51e5cd70ebbebde573215820417bf55ce998f4121da2851fe01477c988553edd2d85f58d7a24ace99ed1bb440206cb30067dd931cabcc3e3bebde0eea9ad1825690de0c5b2022191b978484379c7aa30531d296e6351c61d6be37b04fdb6eb2f11afc47b9437b5cfbb6a6f059c9f6b23fbd64105adfc72662325b5abb446529216dbe772a3a363eeed2de26647652bba01721a5b875036a75a76665031bc26a97d416fe564ec2a9b808553929e48817b6679abe7feedd41aa9c6ed79676c772f0d8acbce65137b66f45242f31a
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
@@ -482,7 +482,7 @@
 msg = 313233343030
 result = acceptable
 sig = 552c5ea88b09b51b8653fd164ccd3ea62ab84abfe22d01092449620dcbaa86deacaaa7e40e22b16cc30113cee21b5e491c8afa3806ad39da88d2cd116b25851b57c26c6c6c8580261a90150a88928e22524e731dbf979d7ec7bf70f853fbd3f77fba86d5fd325eb41f12c28416c2125e2bcc68297bba44b41dcc9239d93e5ce9f067f93e0f817d439cd17837503bc82eb342fefa658d064b21d14c6f7ee9e0be061364b3b73e441a6b610d63e1de6627276580861b085648748bd575a33b0e75bb9bf2ef699556bcc09f1262d4bce29b8b508aae8278d9e663818f2745186c33733d9255c5a54aeee8f4180816d8fd2aa0a9b9cf22cd0ae3124eee81c477a6b6
-# The key for this test vector uses a weak hash function.
+flags = WeakHash
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bb0d4124c20130688b8419fabecc427d946c5096dcf69ecb0eb69fcf5aed15d7e1e5fe4e34fbe26f8b244aa3f088d546a00a531464ba4b8980bcc4d5e54bcc20e1a51afa9044f7fdecbc6edb751b5a5fa7ab403a04e5f77ba7865dd6d211da0afa71262a77a63d9c06e8b00b616ca15f11ea5b4948973864183f570347570553e3878376ca4f7536ad5afac10c0a7b34a5c11f8cf16115fbaeb4b323b1ad6f75c7ec3b954891cab2611cf1768cec983c1717c57f67676d721a955bdbbc216a3345bb31d7d63e06bdac96a6b991ba1e0113d01e48c77ab327d36b426c2f8fe4825a37877425885c927e92423b6977fc304122a2c397cb74845fe9961dba22c1a70203010001]
diff --git a/third_party/wycheproof_testvectors/rsa_signature_test.txt b/third_party/wycheproof_testvectors/rsa_signature_test.txt
index 4a1e99b..81b8d63 100644
--- a/third_party/wycheproof_testvectors/rsa_signature_test.txt
+++ b/third_party/wycheproof_testvectors/rsa_signature_test.txt
@@ -56,9 +56,7 @@
 msg = 54657374
 result = acceptable
 sig = 38e80b028443d96685ed76d4574b36c43cf9722e5fbcf08bc974385454316dee326a308c935a6e612ed26ef4e470e5f3f19a223e2866a2f1c805f74c804e2184f5620c1e84f894b890be7d46420178a2a5ad97b4bd3d31db24828281587207041a96792d8ee57889c666719c769f759c2175361434b18f188de387c8c13f6fb3a7e96f1abbb6124e94fbb4c6bc1d88caf54136b8f01c9eedfd614bc35375f33277d2e71a4dc5f65254179bbe75634e9dfe05aff9e1f1d792f4e6caf88e4299ed90d212d3d7ac9bfc71a8ac85ffbf2f49f77b41d36a64bccd3fe8948054cbad480451b0ca5f7fe35b0f6c772d64b70346f469808dc0057ba1c25c6ae7ac8450e9
-# Some legacy implementation of RSA PKCS#1 signatures did omit the parameter
-# field instead of using an ASN NULL. Some libraries still accept these legacy
-# signatures. This test vector contains such a legacy signature
+flags = MissingNull
 
 # tcId = 9
 # long form encoding of length of sequence
@@ -1456,43 +1454,43 @@
 msg = 
 result = acceptable
 sig = 132fbab52813cd4404e16812639221c6886bd0122af16b814b331a4ce18146ea9071ad0b298d952900d6fb7e1255cc2d619b207f1fd9a48a3838275fe1bf3400726713175fa92d784778790c214a26491f596481414afee858ebf394da0c18a005f76c56b454a95ff555341a8667848f23ee65ee2814e2d7b673fce167ba5618
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 240
 msg = 0000000000000000000000000000000000000000
 result = acceptable
 sig = 54107d4ec803c8cab6a0e74103ca3cea53919e484be4be88e6299aea3245289c6e3e5368137600a15694937b830b8d4739f69fe8d3bf8b8a6b4cac119548528ae69367f42f569bf7e2663745a69191312a2404a183d6a849d9d112f8ce18709386bc5c8cfa823061d37ec0275b5a9e4eb11cb6cc82b12465c1482e0b528bc099
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 241
 msg = 54657374
 result = acceptable
 sig = a168c57dff281db4be76f1840bc8b1976f34c6976ce0391be8f7807165ca1b537fdebf00852bc5a7f46b58625148af5b6dd68a4b3e845737655068776ce64d8002cfc914e24178ff9d86268c6b0c97d49853a9cde82d7d8b1fe6215a78905adee1c3a19f01bb3763d504ef3ba11d0003970cec91ff0d608b6535fe3c032fd293
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 242
 msg = 313233343030
 result = acceptable
 sig = 89865c4a0e924376ba619c1b0cd28c0d1a5ddf02cea1302cd31e92aa71b7224fd03d5780162a594c2124ecc8f64ddabbdcbe404030636eebe94e63875abd414f1e8dc754dd43869761300569de975adbde0b1ecf9c2b5e1c5e806aac8047ebec99e8e20308ece862d92b40366ecff58fab7a25795a52b6a8d523c640f822bbd0
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 243
 msg = 4d657373616765
 result = acceptable
 sig = 8c356d84e4156d2ad565be16b1980b5789e97430fad26ff38aa8533f282b9189ccec1be64fa2d7b516abfdcdc4a3870415af68a1efcb19d676db0704cae192bedbfafd00135958ff920062f57b7f4870ff0cfe7116ccbce9afb0c3bb9c841bb6e6d09c455b36b78ba22f82161f08490ed2cf1f3c0008aeff27fef40c43801b1d
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 244
 msg = 61
 result = acceptable
 sig = 4d9654e213734adb2bb5c914e7b24b7f8fa8cb019349bccc331517fdd7c63420f6dda59542bfbbc7b1f251691425c166753792797aa7c16474ec79a0b844a080fb951a27d8b0b9d5000e54b0e928bb3cc3588290016392a802d846c5872107c8c355c962d78f7993e95c25a26bd2d84a868abdca42c7b967a8fe67307c5295ab
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 245
 msg = e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 result = acceptable
 sig = 8bfbc9545d3c8dd90c3de13107a64494b092c2c9456aa3f2aa5e2bade6a71c4b1df78cd3fbebbec441c01b4640fa8380390692aa2ff90de7e3af89c456ad84403413d05c29b0266175893eb3afb7cd7d691e1ba3e5a54a1a13e5e3fd6578087aebe77c527de65dea0b8801570a3dd2a708f8d0d1edb43e3a4bf60436b9f88466
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 [e = 010001]
 [keyAsn = 30818902818100dfbe6f882c8b0c42c3229f29cd858bead25c213b5c0346c3052f844b045ac792c81c1df5ad6a66e9d4f3f7c11096f069f5fc0d1d7da555c6e685cf672ab2a6599f01605f50c93a91d6882f5884e4cf3e9c41a790b0c44247150777f95acf69312b0ed68f3c82693e6b67f0e1ea5927c0eeab3554c2c157181f4634e77bcb088b0203010001]
@@ -1510,43 +1508,43 @@
 msg = 
 result = acceptable
 sig = da3e78febfe4c72621259738abf6db041d526db7a942443e94383e21673c9818afeb3a40b28b6dc190e7a3eed97e821de37800d20bf15815a07c9bf6f305bb68df96579f5df1d0396a45a190e425782259ee5673b5aa13f89036f129c03f51f2735037170144acd22b09dcb409b9ca2bd27b53bebf384bb647ffda195beb3a97
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 247
 msg = 0000000000000000000000000000000000000000
 result = acceptable
 sig = d65f87b5905594493a1d1ada8566d6fef74193b2e66b1d8c72f7dbac2574cb07d07178ea6c0dcbce03a32dbfabe4c9d9009eb54ac9b7c024a4ac85ac5b8986470bb11c39d1b51e953c4ba99bbd91382962e877a8f33ed8168b342552493c41cd3d01f4125459dd4f05d9def1000ed58b5c99c9652d882d4c3ddbf258b3aaf749
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 248
 msg = 54657374
 result = acceptable
 sig = 4c8ad93ed06934da7cf3f399c2f62eebc654a4f4952f19d3c6b857ded2fa13a09ed78180167d62c16f0c893ed900a33ff22dfa5f04f571ed23247c58cd247cff7ae8c1d8266ee2e563f3dd53768d51c2c571115c15aa422b39d90ee13ac245b6c866a76edc0ad9b96ca07cded873aa70e26a8537de7372c6d24acb5af466bd46
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 249
 msg = 313233343030
 result = acceptable
 sig = ba37f892bb52616d65cff715943dc7d53a5d4a0ffb787bded58cf5ddd2edaaf049de7b80db185e12f25790d157d26a636bd1aed5964a5d887f5d2c5f133dc00014a245f7ab6f28c8281740119e2f822507ff8aba9532f41d1ddeb1d16bc363254673343ed3e587ccfba7b72556685ceb87df3b0a6bad26ca7c7a4f3d84fd3b8e
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 250
 msg = 4d657373616765
 result = acceptable
 sig = 0f973bd8aba9171348a1371b82db74b7e584a9243d85b3a07759253f18e9df44bdfe3bae725f0e0153836e94a9f6dcc234c9e80832a80049e29c7a359eeb5281ab092c50c60ad2c9e2656e2f0b34843b6aebadefa3d6c2b0d62a310688fabdbb01416bfefcbf2bb62e778f23abb22c994acf427d41d15373a30d0c64f6223ebb
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 251
 msg = 61
 result = acceptable
 sig = a566ee4a974be5e9181a98c09b9c84e0cb717655643fb8326540b22d884e70eff104a8313e0977e5a9efdbfe913c672ce91621dad54bcfb30cb5200f705238c76ea31b062e3364ea855c88c10acf658355c9cd9b598ebb7905e68a3dce23dde6dd77d50c00bd8148160f423c8c563f0c5b52e5aac784850ffaa5a181055d64e8
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 252
 msg = e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 result = acceptable
 sig = d821f083507540839086dc8dbe171a119f7605ee6dc81d480a273f725c1d4cd134c143194f615e710baa82e52010ba1716ae0cface42b4d6edf68d9f5c90bd9b7d338bd8af0cf25911ca9169aa5b442c36f854c6c65370db4645ce3552e93487aac3cfa7239a1abd9ec9ca2e965c02f280920e846b4945d74df9a99f81518f4b
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 [e = 010001]
 [keyAsn = 30818902818100ac9048a7a4f560af91b4fcaf62a14595cb9ca9ec12000fc845e48572113cab2890adb011a919575a40760d1f23fe92509c8a5810b6d05990b909dd0f4c6014f2b31b6abd805bace99816e2eda41fd7b95405db7c5c8f4cf6babb14f550d5d0dd5179b54951fff6aa9686f30f478db649b7c7044cc202dccad00343468eaacfbf0203010001]
@@ -1564,43 +1562,43 @@
 msg = 
 result = acceptable
 sig = a0abd165a5ef8733ba111fa0fa092630222d809d8ae811f24f8bead4968b7533af31019663713ba134e7dd345c38e7166a037025eb34adcd6891c9ec941d2e3eb1e4bded1d269272b602cb9b53568b992ddb5103914e6424c75505701a37996c8318b0b6f8640cb6b6e770ac44314b866a7c683a6903f7bba07b6f197ec554fc
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 254
 msg = 0000000000000000000000000000000000000000
 result = acceptable
 sig = 41339884a9b3940e8488d666bb158063c6a2a2717cae7f564834a876fcbf7098ecf3acbfabf37d38a8e6127b1e313744f1f896e165efdaea0b2e7673867842b9e94db0868ed9a92bcdcb370a4e20ff275c82595e4400a8b9e9f12482f014846b48216f321266ae6ae6338dbcdc41b711e483e6e3e728772e7f9f5ef95c30196b
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 255
 msg = 54657374
 result = acceptable
 sig = 8883676becdc27878ccdff53dda011e5e2f886e31e1e88d520bb161cd63aa001fded9f0656109c1507bd1ba5d3bb3e725029a236b4c3c0420a1fcfffe348c5277d6aa51bf75d9af26fdc15fc49d637b078a8b0478b5b0a9c428756d260068e5e622f193b9f9a2c1d979e3322d7f3edc32053541c6efa2485e42e99a804f94388
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 256
 msg = 313233343030
 result = acceptable
 sig = 9f2e01b92bc9dd32dcf24aee91467797396649a3255bac943dd0e03c9ef416f349c0cbb728704730f3c7a7c244066a94b229a6e86bde7753c8940129626307b542cc7f596583932b4fe6ea9384d5353e08654e966a64b63bd6745503f7e4383dcef74ad4516ac25c8790db6702ac5b8b057a8fae75669b6a9e689e9211a337b9
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 257
 msg = 4d657373616765
 result = acceptable
 sig = 3cb9557d9fe49b889319e0d41efc00cba34277caeed2b2c54fc89772c669200dd63f02f340cb6ed579a379a3fd6a568ca9d4bce206655ae4586850638ee6bffaae2bed7c7afe7353d22418d7e4f6b15e198c85b649d3e5a67f00702dd9fefed7dc72136bb4440fac58e64453e4ee63a81de4270446571b192f414116e165efc0
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 258
 msg = 61
 result = acceptable
 sig = 06e6fb568e366fa20d48704be40e991a291d47a464296a49c37718c1153b0fea17ac18a01ff97b32a92d07635dfb9143d011d003c9153020f5ef7fd3ef258cfe92a7a2120718fcc85c73acd34cbd50670c2e044dc3b82fca29b1017912b65d8a844515655308367d8797ae5b7fb91042df573f32de69c1842a128ac88937c0e9
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 259
 msg = e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 result = acceptable
 sig = 327238fd701dc4a829827550aad98f9bcd75e9f3831c3679998c869c1dd8381bc6b74b721e9d3377034e059d6637690ba3a184ffd98af951d43a22105a51838f72cf592d658af01adeedf721cf2eb2bb2c90c68311cb267f0cfacca903c1a2a73f7228badb5d86976f5d3371fe9b00cca048a7a0b0fc4b03da11c5a098045e07
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 [e = 010001]
 [keyAsn = 30818902818100a1d3912e65d994e0ba51135f78844d9a3ea5161e5450d16a8cf0173a0a309a1ee94e94385dffc5e27dea6692a1713516af86df2283c8e327e60ee26a7b7cfccb0af3f4b5efec358651996b97d5b25da933b063490cf7b67073d399b04ad55c0a89f8ec36d7f5cae757dbd3d6d0f5b77f7c94e28878397cb45cfd178f3f07ed010203010001]
@@ -1618,43 +1616,43 @@
 msg = 
 result = acceptable
 sig = 0aeda7c92b470df777748f299de6f4b2e9ac2cbe74b5488f15e6e1e38e5a625b292b293d5ac04bf60a51f47f89741f38723fdebcda4943850cfa333bdf9a80689aaac240e23d5f7cd9f3b264eeff491e391a0b8931a705ccb2d9207d5a39edcdbe739fc8c367910070f314e225de55079c5ca963b404bb7ac72358c578e9135d
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 261
 msg = 0000000000000000000000000000000000000000
 result = acceptable
 sig = 6d20db04efb28fbe87622aad88b51d9294d33b55e7dea653eca9266caf461ff6aaa344f84671b8e06ae3cff54b315b3d3bdfaf762e168eaeb62b71d11dd371ffe141e9effa0e294f7d663302d1f7b260516682de975bf9bd873a9ae4f6f1562f9a24de696305f2f4127174d762b59692a1b4245169237b6f3899bbb1dc8afddd
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 262
 msg = 54657374
 result = acceptable
 sig = 0428bad54ff7c7a35f094d44543a9045da24feb3da97e7fbc600667faa4eec1b28c8ef3b1fed8bc247ce85779c7dec0197c901f7874b3ff0b4d02156346511799d22c5182f0f93b531138e0ac2c5645747670a5e9e2c76dbcd1b961bb6d54a99c1838bf872e28735e778051563e139c278f22ca071a7cec0ed95c29d94d51d1d
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 263
 msg = 313233343030
 result = acceptable
 sig = 4bc7a3a501e418fbfb5687425fbb59d02e4197f1de865631ed82e8188ff3d854e25d64e8b770cb40bc8902a80e26349e82b63096705e900d235ac3dc44744d29c0acd1cec3988a04cd341a76dd1aceeaa56b6e02fa53a53a6437d208dda2faeb46f70e4910651b0cf9b31049e1efb20955f223957906df66a48bde48766e6fe4
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 264
 msg = 4d657373616765
 result = acceptable
 sig = 6cb2195bbae362faa881a5e3ea3f8921784f81f64ce2d9e578030920234d0ef020a0a22bda4285d74ba416a06bdf1c4d2a4740ffef857958eeb0a5ea32dc52a9b01cf0bce3b5afcaa356bb0258befe8eebceadf0d6123453b195ecdf078f684047abe49c9691bc0ecb81ab466616811378d80271ca3c598ba75484a7b11c8a08
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 265
 msg = 61
 result = acceptable
 sig = 6f2d903eaaa24f3c5971551682bbe3e76fc041d418309bb2519de7bc3b78ac9ebc07048a901ab213ffefdcd39eb7bb640e298000665e5be765f886c320b5afbed99564f8e3bf60bee38ea747105d375e7e8c10f5b932847978bf6fabbc9ea2b253ca2f46a44a50a06a6980dc7a2f653840c777e5c81da1691e521cfaf588b088
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 266
 msg = e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 result = acceptable
 sig = 57ba5067e97774fb26e7ea9ef0f4dae8afc5ec455d47e6e8a8d4f476d338cf2e697d938282fefa5d1eadba220f3fab2e0ed33d2494663ad0764c05f0acaf28465f5d2fea34bdc46d89a266a5ee36c4c9e9bcf497b5c975ba200f0d8c8549d073bddccd5a1474e409e3c8e4cd211ae1388d9ace40b0384359dc9295cf3e81372c
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 [e = 010001]
 [keyAsn = 3081c90281c100b8be129638e9c805359e6169b263265e2a8ec4b849101f2a321ce523665e399954ac3865ee8c85d14f3d3f24fbd583664bf09394cbc7f7ffc98aadc94eda35ca4b9614fd2d773c782086a1ea9ca23f357cb2cdc465fb85100172845d6b2906dc9315a542d204bcc4dce68d90484198e2350cd682eef9313a13df3607669aa4dd186f563ba0ae3ee054f857a92985f2694a54e1a87ed7327acbfda3e61ecbfecfdd1b7b2d08dd306122fd44268f08463306760f40dfb7634e71d7a72f1224e6110203010001]
@@ -1672,43 +1670,43 @@
 msg = 
 result = acceptable
 sig = 39272b0e30fb83671b02d1986e9ea30ce3c7d9dffbf495192235f408e2f28ea8f42aaa25c94bb808b8c9c4c886146136ba1afa92dec2479e46943d8b7c96b0b6983baaff7421a5ba44f8a26c7b2ff8940c647c7068cf521266b9a2b088b6271f3af48d6f4fa6ae94f1c9267947ce625881bfbe886b86625289ade51dfb677a042250797a6ab4f829341bcc2385ea0e2552bb9427f9391647cb23bef53877c69aa0143c8496e9eaf2475ab49746c290c73d484e06ce483df0e60e47b1bb4c66b4
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 268
 msg = 0000000000000000000000000000000000000000
 result = acceptable
 sig = 8d0ad645dc973828bf3d7dccf94edea7b31440ea5f5ad27686bbd34293d7fd36b524d20f27956bfbc0aaf947e9d822e5b5a9d26c502c4b1cff5e3cbabdc27c77719abe74027a589b38137ebf435ffda08f846feafac434530b25f9e96b718480c49179d13eba9e20f986ac3314e416e2770d01dab69b2c21ceaa0ebf353a28ab60b2cd3708a37b091ee0cb5e7fc5cc654a8096d5aae1803fb648dbadea2a9481847be11c2fd60c6fdede268b24af4ee8f47b33cfee135b7a7f89d9421b220806
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 269
 msg = 54657374
 result = acceptable
 sig = 1b0461cf5fcc7efae2dbd53011bf319389047852324c5637985db3e7d28c0d40a2caf87f4aba79bfc9b9e44719daf1068492f57a27ceaf26bd7a4b16145ec5e7136ba970dc231b5aabbe93244137e5706d8053c94aeee2a022a5eccd25f695dde5d649b6f19456173d39aaf6757fd46527182b0f37964ed49f42e5cb7c02494d38aaa99c8c627a03ad8f054a272cef14be6f6d7b14d37499cf4c928b86a307873d6a71645ef2c49fcb46b01fcd1b7c16536b96f8ef8b0b1dac30aebf352b5ea3
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 270
 msg = 313233343030
 result = acceptable
 sig = 57be7f2aa961911f31cb34e9c6c0c65117fc1ba53b60b77bbc60b1ac7607fc299a79d62020bb420ce55ffff7c7b9c07035beaee2d9d2082ee9060ea6481fd8ede27975b66a7b5c66db873540393f703ba32005925ecab11e6241a5c7e8da39b43e238a2446495df902156df3aa23a8394009f501699aaa3400c294b1227ac6dd5ef70e22a6ccfa61119f0e29346f10b659ae8194e262ccfe390c2ddb4738cc945f7b0bc1203b43df76831fea24b1234f193c3d9a9541e72be5b593df2b0dbc7e
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 271
 msg = 4d657373616765
 result = acceptable
 sig = 79ff385f6073b2574f21d3b28282b5e822bb3f26d51c5654142b6d5c718a4ca0d7129a142676ec4c833d281b8403253271e1f254f71f0e131352f860fcab9800fedd7f1aecb560950d6b15e1c4beb99287205318b308a12e38ea4e112f8ff45a84c12ccfe11ee6741da9a79d539e697ea9b083bf6bc06aa97d8029093c42d0666f601813a014ecbfa988b44adce9ebccad311b170b446156a91776dd8edbe92578b79edcddf11403aeccba696764ac33b75b70ceec71997085e5d858d01d04b7
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 272
 msg = 61
 result = acceptable
 sig = 2ad9a66e8407294555000e5125054c323f93098c33b38fbe7aef4c4350ee76147ff6ccf80ac41d5620ad7b452d5f98d197b277c53db82a1ad757c913a2c4e685fb6e942d1a0c2db092aef8f80e99c76ad02e9d0a2aa82bcba1305d2590db790f8c138143db1545887db744b2c3e2bf5308c1fa1b9948553538801a95a113b282623ef26e19eaab22b8f31126692d650e945b9c195e2e57cc60607fc3136a79816b2d9d5bfa0d8515280d4e1619e81eaa17ab5d9db4625094fb6f6eabb94271d6
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 273
 msg = e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 result = acceptable
 sig = 13a5d04406300725b9c7ef91961257d094d08d8f40e4133fa182f476a209bfa57082f231e87c87f8286d0ee7158182be811ae5a045295d5955f2e73314476566ddea15e35c02de35abaf83fcf405e913e5f27fac0d288b7959a9612d1f75c81763690f869826352b3d1d6f02b4a8e48347a256a46c71396ae6fcf436bf59cbb83164eda84455d357a046576d58b72a5b4e7d4c9a008bd2d6006d17529b9c4b2b3d20de77805d41718e26865264b80cacb16c577782f1d4eecdc303a03f1f7eb7
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 [e = 010001]
 [keyAsn = 3081c90281c100eb477c90d46bd1896cf4930cf2615140e029a743f0649ae586eb04d51f21ac5241744b5872ccebc87b401487a9c859176c9fc8200b2054875e2c811a56b5d9468e6d3a99c058b1c89547f55a3d7b1d08852f673d3288544aab906e57364cac817728dcea18bc1193e62269e04112c19451702cfaa46fcaf716db14f2e1c9b8d312bdb15dde506945395bdb0865f22ac0553f827a27719c2c703a83c6cbfd949d06d4eb560a8fddff052fd6f0a20f6cdeb2909211b75f8182e58590d069a2a2710203010001]
@@ -1726,43 +1724,43 @@
 msg = 
 result = acceptable
 sig = e4f7f0076b4bddb632c470881bbffe95a148573a75c014689eda7acf5e57a546327d4bead01da0b093b2c4eb5b048fd707d27a4baf85d610e4ff8861feca57e1ea88ff0c4b803c4b0d62ae0cb89012b0ff041b438e49a79680f2cb30722a5a2a3aa9b516ff2a02947ebe27186aa9ffdb35e15328c0f49f172af51f764258e909651469ebc6a59cd98c996fa3417008252e3386b9a2d059d3c67983ce62ae2d052733c55732320679eae156d0e4b89da1022bd052340819cfcdd7366c34b65a01
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 275
 msg = 0000000000000000000000000000000000000000
 result = acceptable
 sig = 8d2611d4c79f6b2087ae8bc76610905c361b9fe0a6629388197b4293f9e14ecbeb377206e4c1db35cdc0ab163dc5c51e8a7370a059e9ee8014d18ef0937f7936879d7825c792180a4f10a0d46e0a954f093d703b82bd076dcec0b8a66fc3be9bdf79ce4550c453015dc1c7397ec1bfceed040a4d777915546b9cbcf1eeb13eb71ac49c235e69cb07c315d529442f4863d61b7d5caa5ce07820edf649a9342211a26f8280dab9c5dd11af0752168326f8e8d5e834ddba3bce063f011eccc8f46d
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 276
 msg = 54657374
 result = acceptable
 sig = e12e3540e7f20fb5533772e91b708151c12d8440ba9bc994791f5916d521726b53969063f9e13114ab89de0b0adf119cfaf19dd74a65b5eee32f39e69ab6776dba721adb2a8dea1495c51d5984b6aa2b5d216eb48459103907442f725410f53ddd5d006762dd3167c2da3bdb19f07d27e3fda712f444c093f4c8126d40ca7c381ab1d3875294df84055239ebac5039490b597366b58c2806e52f1f259c9ed16f829f41851b6ce7e390ea73251395bf940997d47bc323657160ede973f2342b91
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 277
 msg = 313233343030
 result = acceptable
 sig = 90ea80b14758fa12319e54c446e70bf5bede38f5d8d8e978531e6c54c567b63a0fb7b870ab963f979c4015c27714dc9292a48123c0a1f13896055f6628687040459488bca149f410cdae4249ef918f10329e902f1344a666fdf96085b7bbfb086ee2f4e5891904f945d867a50289da018c245be31b684bebb8dc367d43d53448865dc005ffd58e2f76f1ae8ac51fa7ad723db9bf3b78b82bc5b0e209ed216575009c27a6d46bfd1d9ba35fd50eaf4a39afd7b3dfdbd2f437d0d97b5b08e1870b
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 278
 msg = 4d657373616765
 result = acceptable
 sig = 3ebfdd69af2a561bdf4315d015d397b8af75f6c17a3e6e1c6b52bd6e812bd9112e1920f6cabd82b996b1b48be3aa40e447d29689be7dc64b8548ce5414318c4288a6ccee97f55c523661e629d3cb124b97a042c1e77a9b039a8631815c535c8216912ea47684a7220a63c198ef2b80568882e153be8fe92ae4c786a5fd56a1e64fdb235663f3a242c121e59df3a19c29282e647a5123583378577925f399560f6ad3b2a4c2b18ca2547aab5e3ed4030c6585fd2abd1d65fc720bb30354c966d9
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 279
 msg = 61
 result = acceptable
 sig = 7fbb42d2bc1c3e5a0f66fedd581e5ce3e555f6f1c736db24b6e963d2ba72118cc989e2969c21bede87ff3f4209f2b009263b7ca3716a9d3e7115dfe65bad1ea2a1013304696248dd2b1d70764dae248bd1e9d49623826f2c6640247cbe8bcda47d882e298f30bcf3db1f496c26b738848e9876e4b70f0ca8259760e919e5c5c0a2ce3d05b5804a94b67f4c719fdeb3ce23657a26635f867af0271736ba20abb7fff18bda006c48d9c3ed774365d00aa0340a04906fc07f00b18a572c96f986f5
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 280
 msg = e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 result = acceptable
 sig = b9b478f6ddabce2b1ffb306e2135132df09585be16eaa5182b8476796c10b0eecaff9b91100882f5872e00e3d1df2df40969ca4d00596b6d6c9c13d3a956dd8d91decbd3a48728aea05b8f7707414a8a5de3bf0becbc20ae0ba852ee7c4f2c177f3d95a4a8375ac50e11fd2be4da1f94608786fc84747117604138d06956387924e5d7baa2c97e25d1b0125122c0a13981559db80ac2d6848f4db163027c4484a51ac5095f5653b12059440dac69970b5680e017a7eb2861c857a607446b9420
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 [e = 010001]
 [keyAsn = 3081c90281c100d1060fe7c6d185f09c3c1865cf6beaf5dc9306f2f3646bbccf19e47fadf98cfda7716c797d15afe506d573f19163ae2ab0ed9964c7b125dad7841125d38dd9f430b30fe5ea0d24083cb9b09f241b0700821cb5e40dc781e72ed95a2a8cfd33da065c58db8b8166aaec385a5db04f473198fa3b27d4de0a3267b11769af1178d284fb9ca6ac2ffd03b940509dbf2383838d39e0d5c93fe29a6802e12716431e25965f5b7b146663f4e5567ac4c3edf8824913d26ff2dd03830c8a0645adb04d7f0203010001]
@@ -1780,43 +1778,43 @@
 msg = 
 result = acceptable
 sig = 6ad0dd65817b10486fe56f76f21a6440359e267eaed42efd149363768eafb8744b23d5041b9b8a38d62ed614217c034dd6021b56bbf6591fef3f3fe94b8459bea1f4de143fe8a8df26ce11e979629ee0b8708253dbb30efb17bf5697874767fa6076147419305e9d2b8fd708fc7d2ca97faeaf7d555dc65337766b1150dd3020391e7901c5b170d3b2311cef2f849f5a6e7a0b513f4f9cadf8be86ca9976772ecec71065660974e923eecdb273408bbb438dd16e92c3a50521d44b146d5a4e9f
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 282
 msg = 0000000000000000000000000000000000000000
 result = acceptable
 sig = 3abc0bb585283d073261513c0fd160724f18cb6754d09cee83fd3e2f7f75b5f30219df05302708aab7ccf88457afcedbc0bf822a9aeb81280cad4c3077e352ec05b2146edf2a5e60d4019552d56ad9db03775b7ce532d7a75a5edeaa45193a91984d129e420b4c660bc735204654ed332951ec701cfa6093772608c448caca2362351cfe02178c2e10c1f4889b42c30b807370589d30dba7d0f1fbf19f9379a37377193e59fe18949be88b7fb7454bfdfd70d4431d02455451ab041643349d38
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 283
 msg = 54657374
 result = acceptable
 sig = bc3fb8fe3e7a878f63a2773776be6d7ea625036ba977abe44e4734d9d69b34c6d988f02db4de9786e12167c6a8879cd17f960b1cd30241c37c28a6517a44c14c9cf720ae5669bcf00ef562e0e8f7187173d804586d715412e3b96fb6e2a4544521e7a8c88c626d7b9e5a2e860df0e73e1e7aea674d6b24b0738c87636fab9a871ee163e911b7ff6fa056b730c9d6d6b3c22616bd14bdd7440e3958b07f462ce1aff8e0e774964e33e2ac34ec9cc018b6e487dd4258113a2797916e50e80a607f
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 284
 msg = 313233343030
 result = acceptable
 sig = 8de0a726953328ca953cf5c947a7c9f8bf1388e8caadf5c3d7dd8aa7ef69ad57fc481f9ae9edcbd2c5d9d5eccea94736cf5be8eaa401588ab14a5e73277525ce3944a4e27172775af0d386b9ea00f7016cae8537b32bfa74d454ad7008db5f82c9986cd9e6312803dc60285fbe38a4cc40a6b9304f75968891a95a9e0b45e589f2a7f20e177f275d5ffa064e629b4df7fbfc9e004dcdc27ae17994a9bfc1db7c6eaa44842fc7916d93182a9b573bb6b70c593c4a77087c2f6ca4ec851f964450
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 285
 msg = 4d657373616765
 result = acceptable
 sig = b1f009cf8cbd1cd2466b157f0dd94bf389fc43202fb8d4028d9a22152e9f20bc24d7b5864a1e0ba93f21f153993fe03ea40f208473200f9abe72fae78cbc23866c47937e6133ba36753f5c86f6e98868a45897c9782779b5118b5d15f83c9029b570406d86ba4cb64f4724de0ec073c63b5b7cbd3b551a31f260d70d1b83150d5481298df0be246d055aced5eb952c4f63c10b1c73aeaad9088cb295c2ccf67b85dee5884255caf9d43edb8da9240d0f81a77422edce7ef3de6275cdefcf3e99
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 286
 msg = 61
 result = acceptable
 sig = a1c38eda275127dfcc0fff930a922fae94ade9dd62c5a06e7c31cd1744d39432419cf980631f49470b6e252a920a9227ec92ca4c49a922eff890095f9898f11b3ef51e50f1c44db53ad3cfa58d2406377e6f7999f18b2d5f8a0b99531580fa8b83e542e196ef779825d3c1213a6c0400270a34c9ef8de104705c093b8dcc256374ca532db77eecaa5c7c6cdbdade86756a1c771c4176e5e1fbcd59de5cfcb506217d66bf5e7ae5f67955261a4032cebb1fd31bf1a48e6fed6ec287bcbd8244e6
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 287
 msg = e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 result = acceptable
 sig = 9bcb95b7ac8607d7b468fa68640c9b03fc66e39970b96789b61e2dda56ea42b0c105e75e8fa3bc57e975381a348d6bed64bd3d0ad7d3c4ed608324751a6e4c3b66fe755763c8ae38f00d8558519512ef089284efb144d8cb9f28f597b1ea6f5a270a615ab6575e857dec62d66a398c03284160cc910f6f1c44a6497a9ed7c0d8d99bf3f35dd09b836f5a3c552068eca9b7eda3721cef01b9b861e3eca2fe20341272090004779e5db2da98d61ef1c306e7b7966abccd01fd611ea6931955d226
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 [e = 010001]
 [keyAsn = 3081c90281c100d1f33c4d0c3b127cfd4c711aef054e291cb9a9b7b769d6dfcea5ba02d99f0807ffb63f097ed7b5c5e2ad09578c749863a96a2bedc3e72738fe887a4a1fae6ca8c8e722c8dedc065a4df9f5c38e950175a7e0de9008f3a9a67e3413f9891e2f8a70b29f55dd21d2cba16f8e2300ef7c35ed1e42ebfbe70645230ddd8c067dae9069ae5f32937a207e0e7896e87fb399e6c93bc5bf6c2504fbdb3ecfc281f8da29115b2ec41eb9acc4176e311fe8dbcac24b57f8d656600e5fb4095eb4bf90b6e90203010001]
@@ -1834,43 +1832,43 @@
 msg = 
 result = acceptable
 sig = 5d8f4485ca79ed8d487eab377326b138b29948f477d3da0ed934d299e2b06b7d9409f5c312b17321fa20b2c66ae8ef9d084fff2e8cc596d6d417887e04e2ef8a2b73dcb1a04400cdec16af177f8017047c3ae546e03e6fe31ad3bc6d89862d94229baa49f6277392b252d4f715c7a41e41a6200a200f7343b50a72e5d7a3ed0f264c03d381963ccd16777e3d9cb4187e7a5a9886680581c9977299df16d06318f5bb94cd157954792a71976a795da8e6fe088802823b6ba69359f08b9e42b891
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 289
 msg = 0000000000000000000000000000000000000000
 result = acceptable
 sig = 4d98f3a8d8bb66578c89245b8a095f043edcc4429b0fea86eb673c5f0da52acf3d16e2af500c18b7b53435a98222d0f9fe299cf4156651f629b24ec525be4c409bb583f371b2803485cf6ae37849a46ebef52895225e9cb671e6c9055f2f3e3f74cbb6fcc222361822552191026d372892a531f05f3f81884213d093b008c988f01941b9a9208c2ffb325f2028e5dd31710610bb7d48f5d0b34f4dd83e26e9a88d7c030c4df0e031ca99ed46975d0d893515eb84d86cf39249dc90bc0e08a7ba
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 290
 msg = 54657374
 result = acceptable
 sig = 03173d361263214f6d72afb3dff674613ae3b9712ba4b3f0fca1193843dae58f38ad514cd5f6a46d0a6ffaec4fdac08897d0cffdf6e20c51a961df24ed1982b426e218fc52ba8919f60fa71c156717a5ed9f3030cd864fd810acc9343ad8b8f441863bd0bf3e80e5bf874200896f0abce8af141ce61f2d5e87db31a0f19baa54e41f75c5df29853e1fe678318657a217649c8fa2337c13b0e514fbb916b5747fccf7b6bacbbf0a4d7771a00d3ad88289bf854d5f9db6fb8954332fea68e8e746
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 291
 msg = 313233343030
 result = acceptable
 sig = 8f404e26dd9a51485d1546e9bb7f56f68f0927f2f19b8bc0c4db218f3df28e1c9674650ffcf9645e02d1f44d98404c8ddf54438bee61524e2d69091f76a99dfdf796a83499f8870adc182e55712a642922b8e98ca33ef0cf05903ba51f1be648220a19194dab35082559d5f1c087c6702f102f526fc0de1dc98756b29e817f4792e3d0ff40a931002c077e0eaaa5f63a5a1be90de3b9e6800803cf909fed91059e83f4bcde83c6e528808e20c000009bad95f8030ccba058a21073247c3bc3cc
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 292
 msg = 4d657373616765
 result = acceptable
 sig = 3b96356882fa7825599f7d5295d9a367158d4729887827522fbad2f7a741fc031a9fd66f70a9ad398eca4054ecafdd7da2d821b5a940d633d2a7540c18ca311e9cbdef6fa5148bca6bd2ddc1a6b4f9e8665b49042baf99de02fa86d68f0c0f4d8bab3f46c7e65b6f9b7447140cebd230a8aaca90d1f6a5725dd3e85874f10a6564b897f83a7b2b3a07cf758ca6cea8383ecbf907a1479fe8510f22b3614b133bd0bcacca8f8daf4016cee0cd2f9f69b628d4d45ebf5d0cb545349f6f94b0e4bc
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 293
 msg = 61
 result = acceptable
 sig = ad5baaebabdc825e48072ef1cb22bf8d697f5a86a2cee89bd0313f7edb02cdab90e31b5d83a33322b8987c0c3dc54b110c9a2f0f56429d39ff96f7cfc7fb2570de2efc918f792fbec177a95bf2362429b936b3c65187b13c04304bb660646638cdd3a9be2e4d47a11b1ececcfaa99fc43359e5e4cf435730ec059203f476a06bf997ea7044a0a8b2f55cfc82d24c9542a0a9df9a584a148386d8a03266b71f8ed8114f3fc0dfb534a3b44778c40d5a3e44d04f76eab464659d53204abf97a8b6
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 # tcId = 294
 msg = e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 result = acceptable
 sig = 91e47e671a2e9d0e68ac78a8716e02d68ccbfe350677ae53ba1b0bbe085e71e47090653a7b7d18a3d80a67e4023ce56ff59d9565838f9c0c74503addb3c9787977de5286cb6b602dcfe0721fc7a3998ef018b56d4a4e3d578e8021d08599ccc8895df7a9324e8abd2162e81576fe19ea678bdffc86660fd7a180e96ed872710e6ec96132530b16afc47427f91df4ab95300633c028f433ba0c308638992e61ae8c2b6b83af10e622fb1cb269cb453ffa4a67d211f23029e093d4dcb434361356
-# The key for this test vector has a modulus of size < 2048.
+flags = SmallModulus
 
 [e = 010001]
 [keyAsn = 3082010a0282010100bd31c7a02691d2d9587ef6a946ff788544ccadd4b2988ad62086792a6bf96c8616b4ad13317d2270b901d0fcd1d880cb8f52fb87304a5258c11b38dfeae8df670aeee7ea1d0d9df8e00e80847e41e5989ed402d44e78b30fef17b5671d3adbf8685e4dc204499ecd1863e1d5aff28a7cf66eadf31fec9236c120add13451522c647c9832a672cd64d328c1c322183f4661d09bda60b8dd5f0328da5420821424afdabb1a80c5d12763a1b0238cd89d0742bfc50b6a2fcb701d824218f9826f4f78a23a2b5aa42ace7f175376fb6cbdb2bad293ba583d4d31c6b8f9029e46b13689249855f505756e00e225a6a45a18769bd8d2b3a4acb9f1c23d3e51882561e50203010001]
@@ -2406,8 +2404,7 @@
 msg = 3831
 result = acceptable
 sig = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020c68149efc8a4a913a26c9170590a1ed9064323c12b6ebde15ae8c05a0e5205c91f57f5753815ff39c918
-# The key for this test vector has a modulus of size < 2048.
-# The key for this test vector uses a small public key.
+flags = SmallModulus,SmallPublicKey
 
 [e = 03]
 [keyAsn = 30820108028201010090a5d7aba2c8dc828e616fc1fc45c7c52130c8589dcbe2913da187572f6c23217b89a5186b6f90cbe053abfb0885a91f141dbe106ce6ad303904a5941df26ced10478cb56a7bd6cf1313c4966d9cf7c4509d9dc63566aa323e110af219f3398c04e79bb486de8703793473136f5c9051af24bd2c0208ea1bf9321a3e8f24af00aaca1216842eab248d58cf46ac786c49fd3ca8557e9b53993a4b9718cdc5c474bf1cfe58c07ad97b2c5acb7d86accc0fc7bed147adb2e77b8697d80150948117714b806ff76f9d88147d84e93987b724bf4870429e85a7a7b51486a78d8a88f1688f60e215d43d06221e2b993b5c12a607b80e9e0122472b29945f76b55737c1020103]
@@ -2426,7 +2423,7 @@
 msg = 33363730
 result = acceptable
 sig = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000989e7ff72e67e680bd21d5f966e4ad8a48c3592dbacc4a2f035b4ef4d17a2f25f8a9fef7e78eb99d76d68629ed02d67c43c4b7ec8c3badc32e3d0a524c326537739b0fde156723b27c23ae2b09895e470c64d700f5c
-# The key for this test vector uses a small public key.
+flags = SmallPublicKey
 
 [e = 03]
 [keyAsn = 308201080282010100f2ed0e93228f37c2ce1c215e00cce4ef00e2c08a004a39c4170dc73e5fbd9b91e7c55e596579ec9c60b9bd341e83029b1934e6493eb60099b6cfbb9804d4179c983099e19102bba49eaa28fa505efacc5a9d5374499c0c5775778317ed370de1919f38aff22d5aee8c8af36a86d036029e761f243dff3c205a11e9bce9ac1d6baf81e79ad4146b119abb13903f8562e8f3e6a918f48223465bc93d5e7d5abe3d08503ec42998fe087a1f935d1b8673c495f005dfa7453daf977e1608a8c276da2a4cd0567e4af4d18cba05fdbedcde74493ccabd9060c27d35a02f35c760b12a4deae1359f649f273fa408626fb789c916434a642d528f41db868ff93b7f889f020103]
@@ -2445,7 +2442,7 @@
 msg = 38343432
 result = acceptable
 sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009e7a1269086f0bbc0778ded8d7108ff4edcc2313425088117b2d5c53e9d9971950a5fe8b2b67d2bcd1be74f6b557a3f90650a96d7e4dbd63c05b94f73337eea682417c058d66ce523e4461065ac8ba990c4ecd04932
-# The key for this test vector uses a small public key.
+flags = SmallPublicKey
 
 [e = 03]
 [keyAsn = 308201880282018100ab54a4f2560b9f65faa2f83bcf77d41803c080e4e5c3eab3534210982bba8a5d7e513ba50ba1ece33555c5457c41ba58f3f605a04369408f586c26dfda464c7b300a01f1616893264c7606daad4ced14df9a894a1f34586181294297e3ceb9580b0c785c056d5c566467f6f227f3084918d1cd17ed156e7f9fcce4757c5794f92770771ea5cf3101ca0425c846775f56938c1d1cad4401f4df2f5e0d3a3b2770f99e3c1cb4d9d4896c7ca89287b45831218b099add4bdf1dab6e2fb55d2775429386c85dff32c07a6dda504a9627529dd82c943554aaf23c5a5f6cea9c301b4b1f066b86bbef2e4bae9dc5b5e82e1fa03c29ff8bf38556729b356d5ba41d37a069fcc8fc23ac715bbea04c1972a2d50c57cc0159a46b5919fb670fb2a502d5ab66f0aa99e51016b83a406943ce9bdf0ab9b9e946574a5b32ce95d97ac8b1fbb48f0bf7e3c0d4b7a00d131966d009997a166a6630dee4a74c141cde0114aa423351b1dfdd3893a856fc632b6d90dbc79c8a61a9f9e31702ba69fb222860e60a83020103]
@@ -2464,7 +2461,7 @@
 msg = 34333630
 result = acceptable
 sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011a21abeac8409398319e65c8656f8f72e179dd1e99358c7531fddc037e47c1e688cd70eafd6eea01c823516bc79f89d7e52ee1eb4ffdeaad1d550dc0a47185bc9c42e47fce5503c3370a60510f834b4691152ef668deca633cf3873ce6613951784aa7dafde118f37f1cdf1a687ac236d5c956bced564b73cf202e3bace59667
-# The key for this test vector uses a small public key.
+flags = SmallPublicKey
 
 [e = 03]
 [keyAsn = 3082018802820181008733b9c2bc754216fac899159abb71c5ca84be37153720040f33f291f5f7861bc122cafde3091b5211bc81ee03e280e3c6c2902ec49afb8432c3273536edce7116048513e9b33e2fcfe56f9597c81bc9be81a1b1d46e863ca11db2c33ac1bdebf7c552332067e2e588497e7d9e0738caa57a73dd28157e88fc202b31bbe3b9993548399a0b0df9b72dfeece75ecd78376227e9cd21c8d24ca4aa64fa50a59ee8e7621158e7bac2420fc0d77064d3959afab664ecda0decb8c979eb402795b9a562f2de310aa7fc6864469ac88867788c57ee96f6dc32dbdbe3aa7d3ff47ae4b78e1106e1bc80350b2383dae54140a4605f4130d7e5d3f7818262a27c76a51e4c6db4ab4590b4766b8c50ec1bfed53f0d716b5c7d9dc971399246c75ce27745147151f2e7629039f0b2efed99c7f17cda8f3c3df764dfb40cc0c2ad7bf2b6c72829df93329a4bad6be8635953dd10840888784eea738c763be9f5dc3ba47a9e9d800e21b4ffcc18193e591e8a5283192426e8867331c72bdda06a0eb49367bb01020103]
@@ -2483,7 +2480,7 @@
 msg = 36313237
 result = acceptable
 sig = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001bdd0c9e451b5b3e5513a94492dbee1ada9ea87e65a8cd95cceb4d304294ce34bf09a212f14908f5b865c7a34a72e68e389794a2d1c5767ba17829e2044108ac7842b6bfe0a5663b433d656f4e38522c5a5a23c460b898833828d257350e5814291b54cf13089080f84998edcacf0fe5fca0c1f8b176b172c5f9989491a039bef
-# The key for this test vector uses a small public key.
+flags = SmallPublicKey
 
 [e = 03]
 [keyAsn = 30820108028201010092bf17cdbffb42fa9957ce37826bb451708e7cdec8752b809c81a8d16fe5fe4dab6a9db6d11dbb12086645db7546642b322e8331dd7f29eff68bf40b24f80884f5152b1fda9b9f7ae2fce2721cdee0fc48f85a6e8e64f767ed9727fd2dc597967e276a5e2e768528afdd9df4b6ddda4c174300e4da3c19a3c32299e1e7857934c14dd6203d8c2671289bc392711597155364a59046b2b9f1905fe717ca7efebb4c1969b804118effa240c11ebf97cd68c2aa19c787b3be21e68c0e397c7f04c6ef98950e27e0e19a40da92a3ea10800fe9252b77026d14c2fa1eb4ac102491e5773279f07d856d446f45169b09bf60b8a2695f5e4864eaaf9590aec8c7c2f86d020103]
@@ -2502,5 +2499,5 @@
 msg = 32353934
 result = acceptable
 sig = 92bf17cdbffb42fa9957ce37826bb451708e7cdec8752b809c81a8d16fe5fe4dab6a9db6d11dbb12086645db7546642b322e8331dd7f29eff68bf40b24f80884f5152b1fda9b9f7ae2fce2721cdee0fc48f85a6e8e64f767ed9727fd2dc597967e276a5e2e768528afdd9df4b6ddda4c174300e4da3c19a3c32299e1e7857934c14dd6203d8c2671289bc392711597155364a59046b2b9f1905fe717ca7efebb4c1969b804118effa240b8bf4bb1a6d0616fd5be2f081dc9ef741a9a4ae7274418b791432de470c4556463108388e8e8ed5dcebf3558e4650c2ac97c86fa682176f09b5dd8cfbf15d19c3fe4f961f4607c12cb3dfad9b6a0e59c92faa1fc8622
-# The key for this test vector uses a small public key.
+flags = SmallPublicKey
 
diff --git a/third_party/wycheproof_testvectors/x25519_test.txt b/third_party/wycheproof_testvectors/x25519_test.txt
index 11eab81..f49bce4 100644
--- a/third_party/wycheproof_testvectors/x25519_test.txt
+++ b/third_party/wycheproof_testvectors/x25519_test.txt
@@ -19,12 +19,7 @@
 public = 63aa40c6e38346c5caf23a6df0a5e6c80889a08647e551b3563449befcfc9733
 result = acceptable
 shared = 279df67a7c4611db4708a0e8282b195e5ac0ed6f4b2f292c6fbd0acac30d1332
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 3
 # public key on twist
@@ -32,12 +27,7 @@
 public = 0f83c36fded9d32fadf4efa3ae93a90bb5cfa66893bc412c43fa7287dbb99779
 result = acceptable
 shared = 4bc7e01e7d83d6cf67632bf90033487a5fc29eba5328890ea7b1026d23b9a45f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 4
 # public key on twist
@@ -45,12 +35,7 @@
 public = 0b8211a2b6049097f6871c6c052d3c5fc1ba17da9e32ae458403b05bb283092a
 result = acceptable
 shared = 119d37ed4b109cbd6418b1f28dea83c836c844715cdf98a3a8c362191debd514
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 5
 # public key on twist
@@ -58,12 +43,7 @@
 public = 343ac20a3b9c6a27b1008176509ad30735856ec1c8d8fcae13912d08d152f46c
 result = acceptable
 shared = cc4873aed3fcee4b3aaea7f0d20716b4276359081f634b7bea4b705bfc8a4d3e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 6
 # public key on twist
@@ -71,12 +51,7 @@
 public = fa695fc7be8d1be5bf704898f388c452bafdd3b8eae805f8681a8d15c2d4e142
 result = acceptable
 shared = b6f8e2fcb1affc79e2ff798319b2701139b95ad6dd07f05cbac78bd83edfd92e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 7
 # public key on twist
@@ -84,12 +59,7 @@
 public = 0200000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = b87a1722cc6c1e2feecb54e97abd5a22acc27616f78f6e315fd2b73d9f221e57
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 8
 # public key on twist
@@ -97,12 +67,7 @@
 public = 0300000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = a29d8dad28d590cd3017aa97a4761f851bf1d3672b042a4256a45881e2ad9035
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 9
 # public key on twist
@@ -110,12 +75,7 @@
 public = ff00000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = e703bc8aa94b7d87ba34e2678353d12cdaaa1a97b5ca3e1b8c060c4636087f07
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 10
 # public key on twist
@@ -123,12 +83,7 @@
 public = ffff000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = ff5cf041e924dbe1a64ac9bdba96bdcdfaf7d59d91c7e33e76ed0e4c8c836446
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 11
 # public key on twist
@@ -136,12 +91,7 @@
 public = 0000010000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = a92a96fa029960f9530e6fe37e2429cd113be4d8f3f4431f8546e6c76351475d
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 12
 # public key on twist
@@ -149,12 +99,7 @@
 public = ffffff0f00000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 9f8954868158ec62b6b586b8cae1d67d1b9f4c03d5b3ca0393cee71accc9ab65
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 13
 # public key on twist
@@ -162,12 +107,7 @@
 public = ffffffff00000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 6cbf1dc9af97bc148513a18be4a257de1a3b065584df94e8b43c1ab89720b110
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 14
 # public key on twist
@@ -175,12 +115,7 @@
 public = 0000000000001000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 38284b7086095a9406028c1f800c071ea106039ad7a1d7f82fe00906fd90594b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 15
 # public key on twist
@@ -188,12 +123,7 @@
 public = 0000000000000001000000000000000000000000000000000000000000000000
 result = acceptable
 shared = c721041df0244071794a8db06b9f7eaeec690c257265343666f4416f4166840f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 16
 # public key on twist
@@ -201,12 +131,7 @@
 public = ffffffffffffffff000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 25ff9a6631b143dbdbdc207b38e38f832ae079a52a618c534322e77345fd9049
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 17
 # public key on twist
@@ -214,12 +139,7 @@
 public = 0000000000000000000000000000000000000000000000000100000000000000
 result = acceptable
 shared = f294e7922c6cea587aefe72911630d50f2456a2ba7f21207d57f1ecce04f6213
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 18
 # public key on twist
@@ -227,12 +147,7 @@
 public = ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000
 result = acceptable
 shared = ff4715bd8cf847b77c244ce2d9b008b19efaa8e845feb85ce4889b5b2c6a4b4d
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 19
 # public key on twist
@@ -240,12 +155,7 @@
 public = ffffff030000f8ffff1f0000c0ffffff000000feffff070000f0ffff3f000000
 result = acceptable
 shared = 61eace52da5f5ecefafa4f199b077ff64f2e3d2a6ece6f8ec0497826b212ef5f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 20
 # public key on twist
@@ -253,12 +163,7 @@
 public = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0000
 result = acceptable
 shared = ff1b509a0a1a54726086f1e1c0acf040ab463a2a542e5d54e92c6df8126cf636
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 21
 # public key on twist
@@ -266,12 +171,7 @@
 public = 0000000000000000000000000000000000000000000000000000000000800000
 result = acceptable
 shared = f134e6267bf93903085117b99932cc0c7ba26f25fca12102a26d7533d9c4272a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 22
 # public key on twist
@@ -279,12 +179,7 @@
 public = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1f
 result = acceptable
 shared = 74bfc15e5597e9f5193f941e10a5c008fc89f051392723886a4a8fe5093a7354
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 23
 # public key on twist
@@ -292,12 +187,7 @@
 public = 0000000000000000000000000000000000000000000000000000000000000020
 result = acceptable
 shared = 0d41a5b3af770bf2fcd34ff7972243a0e2cf4d34f2046a144581ae1ec68df03b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 24
 # public key on twist
@@ -305,12 +195,7 @@
 public = 000000fcffff070000e0ffff3f000000ffffff010000f8ffff0f0000c0ffff7f
 result = acceptable
 shared = 5894e0963583ae14a0b80420894167f4b759c8d2eb9b69cb675543f66510f646
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 25
 # public key on twist
@@ -318,12 +203,7 @@
 public = ffffffffffffff00000000000000ffffffffffffff00000000000000ffffff7f
 result = acceptable
 shared = f8624d6e35e6c548ac47832f2e5d151a8e53b9290363b28d2ab8d84ab7cb6a72
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 26
 # public key on twist
@@ -331,12 +211,7 @@
 public = 00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffff7f
 result = acceptable
 shared = bfe183ba3d4157a7b53ef178613db619e27800f85359c0b39a9fd6e32152c208
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 27
 # public key on twist
@@ -344,12 +219,7 @@
 public = edfffffffffffffffffffffffffffeffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = bca4a0724f5c1feb184078448c898c8620e7caf81f64cca746f557dff2498859
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 28
 # public key on twist
@@ -357,12 +227,7 @@
 public = edfffffffffffffeffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = b3418a52464c15ab0cacbbd43887a1199206d59229ced49202300638d7a40f04
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 29
 # public key on twist
@@ -370,12 +235,7 @@
 public = edffffffffffefffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = fcde6e0a3d5fd5b63f10c2d3aad4efa05196f26bc0cb26fd6d9d3bd015eaa74f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 30
 # public key on twist
@@ -383,12 +243,7 @@
 public = edfeffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 7d62f189444c6231a48afab10a0af2eee4a52e431ea05ff781d616af2114672f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 31
 # public key on twist
@@ -396,12 +251,7 @@
 public = eaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 07ba5fcbda21a9a17845c401492b10e6de0a168d5c94b606694c11bac39bea41
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 32
 # public key = 0
@@ -409,13 +259,7 @@
 public = 0000000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The public key is insecure and does not belong to a valid private key. Some
-# libraries reject such keys.
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = SmallPublicKey,LowOrderPublic,ZeroSharedSecret
 
 # tcId = 33
 # public key = 1
@@ -423,13 +267,7 @@
 public = 0100000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The public key is insecure and does not belong to a valid private key. Some
-# libraries reject such keys.
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = SmallPublicKey,LowOrderPublic,ZeroSharedSecret
 
 # tcId = 34
 # edge case public key
@@ -640,11 +478,7 @@
 public = e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 64
 # public key with low order
@@ -652,11 +486,7 @@
 public = 5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 65
 # public key with low order
@@ -664,17 +494,7 @@
 public = ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,Twist,ZeroSharedSecret
 
 # tcId = 66
 # public key with low order
@@ -682,21 +502,7 @@
 public = e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,NonCanonicalPublic,Twist,ZeroSharedSecret
 
 # tcId = 67
 # public key with low order
@@ -704,21 +510,7 @@
 public = 5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,NonCanonicalPublic,Twist,ZeroSharedSecret
 
 # tcId = 68
 # public key with low order
@@ -726,15 +518,7 @@
 public = ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,NonCanonicalPublic,ZeroSharedSecret
 
 # tcId = 69
 # public key with low order
@@ -742,11 +526,7 @@
 public = 0000000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 70
 # public key with low order
@@ -754,11 +534,7 @@
 public = 0100000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 71
 # public key with low order
@@ -766,11 +542,7 @@
 public = ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 72
 # public key with low order
@@ -778,11 +550,7 @@
 public = 5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 73
 # public key with low order
@@ -790,11 +558,7 @@
 public = e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 74
 # public key with low order
@@ -802,11 +566,7 @@
 public = edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 75
 # public key with low order
@@ -814,11 +574,7 @@
 public = eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 76
 # public key with low order
@@ -826,11 +582,7 @@
 public = 0000000000000000000000000000000000000000000000000000000000000080
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 77
 # public key with low order
@@ -838,11 +590,7 @@
 public = 0100000000000000000000000000000000000000000000000000000000000080
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 78
 # public key with low order
@@ -850,11 +598,7 @@
 public = ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 79
 # public key with low order
@@ -862,11 +606,7 @@
 public = 5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 80
 # public key with low order
@@ -874,11 +614,7 @@
 public = e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 81
 # public key with low order
@@ -886,11 +622,7 @@
 public = edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 82
 # public key with low order
@@ -898,11 +630,7 @@
 public = eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 83
 # public key =
@@ -911,13 +639,7 @@
 public = edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The public key is insecure and does not belong to a valid private key. Some
-# libraries reject such keys.
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = SmallPublicKey,LowOrderPublic,ZeroSharedSecret
 
 # tcId = 84
 # public key =
@@ -926,17 +648,7 @@
 public = eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The public key is insecure and does not belong to a valid private key. Some
-# libraries reject such keys.
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = SmallPublicKey,LowOrderPublic,NonCanonicalPublic,ZeroSharedSecret
 
 # tcId = 85
 # non-canonical public key
@@ -944,16 +656,7 @@
 public = efffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = b4d10e832714972f96bd3382e4d082a21a8333a16315b3ffb536061d2482360d
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = NonCanonicalPublic,Twist
 
 # tcId = 86
 # non-canonical public key
@@ -961,16 +664,7 @@
 public = f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 515eac8f1ed0b00c70762322c3ef86716cd2c51fe77cec3d31b6388bc6eea336
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = NonCanonicalPublic,Twist
 
 # tcId = 87
 # non-canonical public key
@@ -978,10 +672,7 @@
 public = f1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 6919992d6a591e77b3f2bacbd74caf3aea4be4802b18b2bc07eb09ade3ad6662
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
+flags = NonCanonicalPublic
 
 # tcId = 88
 # non-canonical public key
@@ -989,10 +680,7 @@
 public = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 9c034fcd8d3bf69964958c0105161fcb5d1ea5b8f8abb371491e42a7684c2322
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
+flags = NonCanonicalPublic
 
 # tcId = 89
 # non-canonical public key
@@ -1000,16 +688,7 @@
 public = 0200000000000000000000000000000000000000000000000000000000000080
 result = acceptable
 shared = ed18b06da512cab63f22d2d51d77d99facd3c4502e4abf4e97b094c20a9ddf10
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = NonCanonicalPublic,Twist
 
 # tcId = 90
 # non-canonical public key
@@ -1017,16 +696,7 @@
 public = 0300000000000000000000000000000000000000000000000000000000000080
 result = acceptable
 shared = 448ce410fffc7e6149c5abec0ad5f3607dfde8a34e2ac3243c3009176168b432
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = NonCanonicalPublic,Twist
 
 # tcId = 91
 # non-canonical public key
@@ -1034,10 +704,7 @@
 public = 0400000000000000000000000000000000000000000000000000000000000080
 result = acceptable
 shared = 03a633df01480d0d5048d92f51b20dc1d11f73e9515c699429b90a4f6903122a
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
+flags = NonCanonicalPublic
 
 # tcId = 92
 # non-canonical public key
@@ -1045,10 +712,7 @@
 public = daffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = 9b01287717d72f4cfb583ec85f8f936849b17d978dbae7b837db56a62f100a68
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
+flags = NonCanonicalPublic
 
 # tcId = 93
 # non-canonical public key
@@ -1056,10 +720,7 @@
 public = dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = dfe60831c9f4f96c816e51048804dbdc27795d760eced75ef575cbe3b464054b
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
+flags = NonCanonicalPublic
 
 # tcId = 94
 # non-canonical public key
@@ -1067,16 +728,7 @@
 public = dcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = 50bfa826ca77036dd2bbfd092c3f78e2e4a1f980d7c8e78f2f14dca3cce5cc3c
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = NonCanonicalPublic,Twist
 
 # tcId = 95
 # non-canonical public key
@@ -1084,10 +736,7 @@
 public = eaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = 13da5695a4c206115409b5277a934782fe985fa050bc902cba5616f9156fe277
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
+flags = NonCanonicalPublic
 
 # tcId = 96
 # non-canonical public key
@@ -1095,10 +744,7 @@
 public = ebffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = 63483b5d69236c63cddbed33d8e22baecc2b0ccf886598e863c844d2bf256704
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
+flags = NonCanonicalPublic
 
 # tcId = 97
 # non-canonical public key
@@ -1106,10 +752,7 @@
 public = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 result = acceptable
 shared = e9db74bc88d0d9bf046ddd13f943bccbe6dbb47d49323f8dfeedc4a694991a3c
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
+flags = NonCanonicalPublic
 
 # tcId = 98
 # public key =
@@ -1118,17 +761,7 @@
 public = 0000000000000000000000000000000000000000000000000000000000000080
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The public key is insecure and does not belong to a valid private key. Some
-# libraries reject such keys.
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = SmallPublicKey,LowOrderPublic,NonCanonicalPublic,ZeroSharedSecret
 
 # tcId = 99
 # public key =
@@ -1137,23 +770,7 @@
 public = 0100000000000000000000000000000000000000000000000000000000000080
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The public key is insecure and does not belong to a valid private key. Some
-# libraries reject such keys.
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# The public key is in non-canonical form. RFC 7749, section 5 defines the value
-# that this public key represents. Section 7 of the same RFC recommends
-# accepting such keys. If a non-canonical key is accepted then it must follow
-# the RFC.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = SmallPublicKey,LowOrderPublic,NonCanonicalPublic,Twist,ZeroSharedSecret
 
 # tcId = 100
 # RFC 7748
@@ -1182,12 +799,7 @@
 public = b7b6d39c765cb60c0c8542f4f3952ffb51d3002d4aeb9f8ff988b192043e6d0a
 result = acceptable
 shared = 0200000000000000000000000000000000000000000000000000000000000000
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 104
 # edge case for shared secret
@@ -1209,12 +821,7 @@
 public = 4977d0d897e1ba566590f60f2eb0db6f7b24c13d436918ccfd32708dfad7e247
 result = acceptable
 shared = feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 107
 # edge case for shared secret
@@ -1229,12 +836,7 @@
 public = 97b4fff682df7f096cd1756569e252db482d45406a3198a1aff282a5da474c49
 result = acceptable
 shared = f9ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 109
 # edge case for shared secret
@@ -1256,12 +858,7 @@
 public = e96d2780e5469a74620ab5aa2f62151d140c473320dbe1b028f1a48f8e76f95f
 result = acceptable
 shared = e5ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 112
 # edge case for shared secret
@@ -1269,12 +866,7 @@
 public = 8d612c5831aa64b057300e7e310f3aa332af34066fefcab2b089c9592878f832
 result = acceptable
 shared = e3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 113
 # edge case for shared secret
@@ -1289,12 +881,7 @@
 public = 21a35d5db1b6237c739b56345a930aeee373cdcfb4701266782a8ac594913b29
 result = acceptable
 shared = dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 115
 # edge case for shared secret
@@ -1302,12 +889,7 @@
 public = 3e5efb63c352ce942762482bc9337a5d35ba55664743ac5e93d11f957336cb10
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000002
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 116
 # edge case for shared secret
@@ -1315,12 +897,7 @@
 public = 8e41f05ea3c76572be104ad8788e970863c6e2ca3daae64d1c2f46decfffa571
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000008000
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 117
 # special case public key
@@ -1328,13 +905,7 @@
 public = 0000000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The public key is insecure and does not belong to a valid private key. Some
-# libraries reject such keys.
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = SmallPublicKey,LowOrderPublic,ZeroSharedSecret
 
 # tcId = 118
 # special case public key
@@ -1342,13 +913,7 @@
 public = 0100000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The public key is insecure and does not belong to a valid private key. Some
-# libraries reject such keys.
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = SmallPublicKey,LowOrderPublic,ZeroSharedSecret
 
 # tcId = 119
 # special case public key
@@ -1356,12 +921,7 @@
 public = 0200000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = 0c50ac2bfb6815b47d0734c5981379882a24a2de6166853c735329d978baee4d
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 120
 # special case public key
@@ -1376,12 +936,7 @@
 public = 1400000000000000000000000000000000000000000000000000000000000000
 result = acceptable
 shared = c88e719ae5c2248b5f90da346a92ae214f44a5d129fd4e9c26cf6a0da1efe077
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 122
 # special case public key
@@ -1403,12 +958,7 @@
 public = 0100000000000000000000000000010000000000000000000000000000000000
 result = acceptable
 shared = 5dd7d16fff25cc5fdf9e03c3157cb0a235cea17d618f36e6f13461567edeb943
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 125
 # special case public key
@@ -1423,12 +973,7 @@
 public = 0000000000000000000000000000000000000000000000000000008000000000
 result = acceptable
 shared = 7ed8f2d5424e7ebb3edbdf4abe455447e5a48b658e64abd06c218f33bd151f64
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 127
 # special case public key
@@ -1436,12 +981,7 @@
 public = ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000
 result = acceptable
 shared = e8620ed5ca89c72c5ea5503e6dcd01131cd5e875c30e13d5dc619ce28ec7d559
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 128
 # special case public key
@@ -1456,12 +996,7 @@
 public = a8b9c7372118a53a9de9eaf0868e3b1a3d88e81cb2e407ff7125e9f5c5088715
 result = acceptable
 shared = f86cc7bf1be49574fc97a074282e9bb5cd238e002bc8e9a7b8552b2d60eccb52
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 130
 # special case public key
@@ -1469,12 +1004,7 @@
 public = aab9c7372118a53a9de9eaf0868e3b1a3d88e81cb2e407ff7125e9f5c5088715
 result = acceptable
 shared = ccbb8fd9dee165a398b2dbd7c8396f81736c1b3da36b35fbec8f326f38f92767
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 131
 # special case public key
@@ -1496,12 +1026,7 @@
 public = 0000000000000000000000000000000000000000000000000000000000000020
 result = acceptable
 shared = e12cc58fbeb70a5e35c861c33710be6516a6a92e52376060211b2487db542b4f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 134
 # special case public key
@@ -1523,12 +1048,7 @@
 public = fbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff2f
 result = acceptable
 shared = 686eb910a937211b9147c8a051a1197906818fdc626668eb5f5d394afd86d41b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 137
 # special case public key
@@ -1550,12 +1070,7 @@
 public = f7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f
 result = acceptable
 shared = e995ad6a1ec6c5ab32922cff9d204721704673143c4a11deaa203f3c81989b3f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 140
 # special case public key
@@ -1563,12 +1078,7 @@
 public = feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f
 result = acceptable
 shared = 32b6dabe01d13867f3b5b0892fefd80dca666f2edc5afb43cd0baf703c3e6926
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 141
 # special case public key
@@ -1618,12 +1128,7 @@
 public = 95aff85a6cf2889dc30d68a9fc735e682c140261b37f596a7a101fd8bf6d3e6a
 result = acceptable
 shared = dfa988a477003be125b95ccbf2223d97729577d25e1d6e89e3da0afabdd0ae71
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 148
 # special case public key
@@ -1631,12 +1136,7 @@
 public = 434638c8dee75ac56216150f7971c4e5c27717e34d1bf8008eda160a3af7786a
 result = acceptable
 shared = d450af45b8ed5fe140cc5263ffb7b52e66736899a8b872b6e28552129819b25b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 149
 # special case public key
@@ -1679,17 +1179,7 @@
 public = ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,Twist,ZeroSharedSecret
 
 # tcId = 155
 # special case for E in multiplication by 2
@@ -1697,12 +1187,7 @@
 public = 0000000000000000000008000000000000000000000000000000000000000000
 result = acceptable
 shared = 59e7b1e6f47065a48bd34913d910176b6792a1372aad22e73cd7df45fcf91a0e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 156
 # special case for E in multiplication by 2
@@ -1731,12 +1216,7 @@
 public = 770f4218ef234f5e185466e32442c302bbec21bbb6cd28c979e783fe5013333f
 result = acceptable
 shared = d5d650dc621072eca952e4344efc7320b2b1459aba48f5e2480db881c50cc650
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 160
 # special case for E in multiplication by 2
@@ -1744,12 +1224,7 @@
 public = 5c6118c4c74cfb842d9a87449f9d8db8b992d46c5a9093ce2fcb7a49b535c451
 result = acceptable
 shared = 909cc57275d54f20c67b45f9af9484fd67581afb7d887bee1db5461f303ef257
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 161
 # special case for E in multiplication by 2
@@ -1764,12 +1239,7 @@
 public = 078fa523498fb51cba1112d83b20af448b8009d8eea14368564d01b8f9b6086f
 result = acceptable
 shared = c0ee59d3685fc2c3c803608b5ee39a7f8da30b48e4293ae011f0ea1e5aeb7173
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 163
 # special case for E in multiplication by 2
@@ -1791,11 +1261,7 @@
 public = e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 166
 # D = 0 in multiplication by 2
@@ -1803,11 +1269,7 @@
 public = 5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157
 result = acceptable
 shared = 0000000000000000000000000000000000000000000000000000000000000000
-# The curves and its twists contain some points of low order. This test vector
-# contains a public key with such a point. While many libraries reject such
-# public keys, doing so is not a strict requirement according to RFC 7748.
-# Some libraries include a check that the shared secret is not all-zero. This
-# check is described in Section 6.1 of RFC 7748. 
+flags = LowOrderPublic,ZeroSharedSecret
 
 # tcId = 167
 # special case for DA - CB in multiplication by 2
@@ -1815,12 +1277,7 @@
 public = b0224e7134cf92d40a31515f2f0e89c2a2777e8ac2fe741db0dc39399fdf2702
 result = acceptable
 shared = 8dacfe7beaaa62b94bf6e50ee5214d99ad7cda5a431ea0c62f2b20a89d73c62e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 168
 # special case for DA - CB in multiplication by 2
@@ -1835,12 +1292,7 @@
 public = 82a3807bbdec2fa9938fb4141e27dc57456606301f78ff7133cf24f3d13ee117
 result = acceptable
 shared = 2b28cc5140b816add5ad3a77a81b1c073d67bf51bf95bda2064a14eb12d5f766
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 170
 # special case for DA - CB in multiplication by 2
@@ -1890,12 +1342,7 @@
 public = bee386527b772490aeb96fc4d23b9304037cb4430f64b228f3d8b3b498319f22
 result = acceptable
 shared = 3fe710d6344ff0cb342e52349e1c5b57b7a271f2a133bb5249bbe40dc86e1b40
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 177
 # special case for x_2 in multiplication by 2
@@ -1931,12 +1378,7 @@
 public = cb3d4a90f86b3011da3369d9988597c7fff1499273b4a04f84d0e26ed1683c0d
 result = acceptable
 shared = dbf6203516635840cf69a02db87cf0d95dae315da7fc1ec7ce2b29e1f2db6666
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 182
 # special case for AA in multiplication by 2
@@ -1944,12 +1386,7 @@
 public = 101e13f7bc0570fa2638caa20a67c6e0c21dab132f4b456191590264c493d018
 result = acceptable
 shared = 1fe314744390d525278b1f5fbf108101b8ded587081375ed4ac4ac690d92414f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 183
 # special case for AA in multiplication by 2
@@ -1957,12 +1394,7 @@
 public = dce1ec0843fa8f05d9c7355df598391f3de254ecd0b4ba9e6ea6fd9b3b6c2f67
 result = acceptable
 shared = ad454395ee392be677be7b9cb914038d57d2d87ec56cc98678dd84f19920912b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 184
 # special case for AA in multiplication by 2
@@ -1984,12 +1416,7 @@
 public = 111e13f7bc0570fa2638caa20a67c6e0c21dab132f4b456191590264c493d018
 result = acceptable
 shared = 7b9dbf8d6c6d65898b518167bf4011d54ddc265d953c0743d7868e22d9909e67
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 187
 # special case for BB in multiplication by 2
@@ -2032,12 +1459,7 @@
 public = 6dffb0a25888bf23cf1ac701bfbdede8a18e323b9d4d3d31e516a05fce7ce872
 result = acceptable
 shared = e6a2fc8ed93ce3530178fef94bb0056f43118e5be3a6eabee7d2ed384a73800c
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 193
 # special case for D in multiplication by 2
@@ -2045,12 +1467,7 @@
 public = 21f86d123c923a92aaf2563df94b5b5c93874f5b7ab9954aaa53e3d72f0ff67e
 result = acceptable
 shared = 7fc28781631410c5a6f25c9cfd91ec0a848adb7a9eb40bc5b495d0f4753f2260
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 194
 # special case for D in multiplication by 2
@@ -2072,12 +1489,7 @@
 public = 9316c06d27b24abc673ffb5105c5b9a89bdfaa79e81cdbb89556074377c70320
 result = acceptable
 shared = d53c3d6f538c126b9336785d1d4e6935dc8b21f3d7e9c25bc240a03e39023363
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 197
 # special case for DA + CB in multiplication by 2
@@ -2085,12 +1497,7 @@
 public = 8a4179807b07649e04f711bf9473a79993f84293e4a8b9afee44a22ef1000b21
 result = acceptable
 shared = 4531881ad9cf011693ddf02842fbdab86d71e27680e9b4b3f93b4cf15e737e50
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 198
 # special case for DA + CB in multiplication by 2
@@ -2098,12 +1505,7 @@
 public = a773277ae1029f854749137b0f3a02b5b3560b9c4ca4dbdeb3125ec896b81841
 result = acceptable
 shared = 7ba4d3de697aa11addf3911e93c94b7e943beff3e3b1b56b7de4461f9e48be6b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 199
 # special case for DA + CB in multiplication by 2
@@ -2111,12 +1513,7 @@
 public = 1eceb2b3763231bc3c99dc62266a09ab5d3661c756524cddc5aabcedee92da61
 result = acceptable
 shared = bcf0884052f912a63bbab8c5c674b91c4989ae051fa07fcf30cb5317fb1f2e72
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 200
 # special case for DA + CB in multiplication by 2
@@ -2124,12 +1521,7 @@
 public = 9a2acbb3b5a386a6102e3728be3a97de03981d5c71fd2d954604bee3d3d0ce62
 result = acceptable
 shared = e5772a92b103ee696a999705cf07110c460f0545682db3fac5d875d69648bc68
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 201
 # special case for DA + CB in multiplication by 2
@@ -2137,12 +1529,7 @@
 public = 27430e1c2d3089708bca56d7a5ad03792828d47685b6131e023dd0808716b863
 result = acceptable
 shared = 378c29e3be97a21b9f81afca0d0f5c242fd4f896114f77a77155d06ce5fbfa5e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 202
 # special case for z_2 in multiplication by 2
@@ -2171,12 +1558,7 @@
 public = 8a7a939310df7ea768454df51bcd0dfbd7be4fcbb2ffc98429d913ec6911f337
 result = acceptable
 shared = b568ed46d04f6291f8c176dca8aff6d221de4c9cce4b404d5401fbe70a324501
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 206
 # special case for z_2 in multiplication by 2
@@ -2184,12 +1566,7 @@
 public = fe3590fc382da7a82e28d07fafe40d4afc91183a4536e3e6b550fee84a4b7b4b
 result = acceptable
 shared = 11fb44e810bce8536a957eaa56e02d04dd866700298f13b04ebeb48e20d93647
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 207
 # special case for z_2 in multiplication by 2
@@ -2197,12 +1574,7 @@
 public = fad9ab3e803b49fc81b27ee69db6fc9fdb82e35453b59ef8fab2a3beb5e1134c
 result = acceptable
 shared = 85d9db8f182bc68db67de3471f786b45b1619aec0f32b108ace30ee7b2624305
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 208
 # special case for z_2 in multiplication by 2
@@ -2224,12 +1596,7 @@
 public = 8c9885a26cb334054700a270f7a5f4aac06bad8263b651ebf0712eca1ebb6416
 result = acceptable
 shared = a5952588613eb7a5cd49dd526f1f20a4f0ffe9423e82cea302c2dd90ce559955
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 211
 # special case for A in multiplication by 2
@@ -2237,12 +1604,7 @@
 public = f6135fe9741c2c9de7dcf7627ef08832f351cb325dbb3a26f93a2b48620e1727
 result = acceptable
 shared = cb6fb623084b6197443ec9ba1050c0923332e5e829ae0194269cfaf920a43601
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 212
 # special case for A in multiplication by 2
@@ -2271,12 +1633,7 @@
 public = 60677a5d934ccbfab8ff5d8f085a0b553f94527d9c49ae140f8ed135e1449b69
 result = acceptable
 shared = 834bbad5470e1498c4b0148782dfe630e8bfadff1997de802ac8ce302a1bda28
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 216
 # special case for B in multiplication by 2
@@ -2284,12 +1641,7 @@
 public = 8d9885a26cb334054700a270f7a5f4aac06bad8263b651ebf0712eca1ebb6416
 result = acceptable
 shared = ec9070ad3491a5ff50d7d0db6c9c844783dde1c6fbd4fe163e9ade1ce9cd041d
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 217
 # special case for B in multiplication by 2
@@ -2297,12 +1649,7 @@
 public = f7135fe9741c2c9de7dcf7627ef08832f351cb325dbb3a26f93a2b48620e1727
 result = acceptable
 shared = dc6d05b92edcdb5dc334b1fc3dff58fe5b24a5c5f0b2d4311555d0fc945d7759
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 218
 # special case for B in multiplication by 2
@@ -2331,12 +1678,7 @@
 public = 61677a5d934ccbfab8ff5d8f085a0b553f94527d9c49ae140f8ed135e1449b69
 result = acceptable
 shared = cb92a98b6aa99ac9e3c5750cea6f0846b0181faa5992845b798923d419e82756
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 222
 # special case for C in multiplication by 2
@@ -2344,12 +1686,7 @@
 public = c8239b710136fe431fb4d98436157e47c9e78a10f09ff92e98baff159926061c
 result = acceptable
 shared = f1bd12d9d32c6f4c5b2dcb3a5c52d9fd454d52ca704c2c137956ec8ad9aef107
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 223
 # special case for C in multiplication by 2
@@ -2378,12 +1715,7 @@
 public = 737d45477e2beb77a6c38b98e2a19b05c395df7da998cb91f6dfab5819614f27
 result = acceptable
 shared = 8cf4538ae5f445cc6d273df4ad300a45d7bb2f6e373a562440f1b37773904e32
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 227
 # special case for CB in multiplication by 2
@@ -2405,12 +1737,7 @@
 public = f85a06065ea2527238fc5ec1b75ead9262e6b1aed61feff83b91230aeb4b7d01
 result = acceptable
 shared = f12acd36f6299a4d192c03aa4efeea7df51e2d15d763172e68accf7bc6f5c230
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 230
 # special case for x_2 in multiplication by 3
@@ -2425,12 +1752,7 @@
 public = 696757ced3097fa960c8390a09e8bd6d390dbde8d1fa170261f3422edc192929
 result = acceptable
 shared = 45ecfa275f1daa25d3fadf33cdf89a152afea25eae37e68e00b30c367789887a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 232
 # special case for x_2 in multiplication by 3
@@ -2438,12 +1760,7 @@
 public = fd84b3f2fbfa16aebf40c27f46e18d77bafa0c7971bedde4909212e771bd3c35
 result = acceptable
 shared = 595e144e07bbe65b38e0e4163d02ad75a65e422e74067db35c90dfa6e055d456
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 233
 # special case for x_2 in multiplication by 3
@@ -2451,12 +1768,7 @@
 public = 805485703ccfc4a221ef281267f52b61cebc879f0f13b1e5f521c17352a0784f
 result = acceptable
 shared = 226e16a279ac81e268437eb3e09e07406324cb72a9d4ee58e4cf009147497201
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 234
 # special case for x_2 in multiplication by 3
@@ -2464,12 +1776,7 @@
 public = 80642a3279da6bf5fc13db14a569c7089db014225cfcae7dff5a0d25ecc9235b
 result = acceptable
 shared = 790d09b1726d210957ce8f65869ca1ec8fa0b2b06b6bcf9483b3eb55e49e9272
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 235
 # special case for z_2 in multiplication by 3
@@ -2491,12 +1798,7 @@
 public = f26aa6151a4b22390176f6233e742f40f2ecd5137166fb2e1ec9b2f2454ac277
 result = acceptable
 shared = 862df92e25277bd94f9af2e1dda51f905a6e2a3f6068a92fabfc6c53da21ec11
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 238
 # special case for DA - CB in multiplication by 3
@@ -2511,12 +1813,7 @@
 public = d71dd7db122330c9bbaab5da6cf1f6e1c25345ee6a66b17512b1804ace287359
 result = acceptable
 shared = 95f3f1849b0a070184e6077c92ae36ba3324bf1441168b89bb4b9167edd67308
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 240
 # special case for BB in multiplication by 3
@@ -2524,12 +1821,7 @@
 public = 737bc07de0729bbcfbee3a08e696f97f3770577e4b01ec108f59caf46406d205
 result = acceptable
 shared = 6a969af6d236aba08fa83160f699e9ed76fb6355f0662f03dbc5915a3c23063e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 241
 # special case for BB in multiplication by 3
@@ -2544,12 +1836,7 @@
 public = 37cd65d33036205f3449e8655a50d4b0c86fec02100b4f2db7da92dcf5e3aa0a
 result = acceptable
 shared = 13de41659e3e308d6e26c94282fcc3e0364ddf0809ddee6c8e7abb5091b02b00
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 243
 # special case for BB in multiplication by 3
@@ -2557,12 +1844,7 @@
 public = a9b6e8081460383adc587c8f91a02c59a7a35576ca62436ccd1b5fef1b92545d
 result = acceptable
 shared = 69ed8a0a27812ae6741474bd5c6a4e683a126649f7245aa0f91a3a384bcde25a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 244
 # special case for E in multiplication by 3
@@ -2591,12 +1873,7 @@
 public = 2a209e2ace0e3d6973ffbf7403f9857ff97a5fdcd27f2c7098b444fc3c166738
 result = acceptable
 shared = 9f66848681d534e52b659946ea2c92d2fabed43fe6e69032c11153db43dca75b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 248
 # special case for E in multiplication by 3
@@ -2625,12 +1902,7 @@
 public = c3ba28057728d0533965ec34979fe7bd93cf6cb644e8da038baa87997b8dc20e
 result = acceptable
 shared = 74f95b4700f0185f33c5b5528ed5012a3363f8bbd6f6a840aa1f0f3bdb7c9650
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 252
 # special case for AA in multiplication by 3
@@ -2645,12 +1917,7 @@
 public = 83f67d7c92b11c8fb072484642a01f43deb022b54d94a4015e39849a2e2e9555
 result = acceptable
 shared = f148716ebe7269a7076f0cf1f22b6978d3c7e3607b0bcc87a8c7a85b9fd20c2f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 254
 # special case for AA in multiplication by 3
@@ -2672,12 +1939,7 @@
 public = d8c8e2c6f33a98525df3767d1d04430dab0bda41f1f904c95bc61cc122caca74
 result = acceptable
 shared = ef7612c156078dae3a81e50ef33951cab661fb07731d8f419bc0105c4d6d6050
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 257
 # special case for AA in multiplication by 3
@@ -2685,12 +1947,7 @@
 public = 1833619516b80db0c05b225509e6698df028d83b66ed6bac6f0f6308970d2c7d
 result = acceptable
 shared = a3cf3d81ec56896a68fca0da6335171d0c622568738c0db26fe117033726a049
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 258
 # special case for AA in multiplication by 3
@@ -2705,12 +1962,7 @@
 public = b9bd793624d6a7e808486110058853edb25e136bd4d6a795d6d2ef53b25e3804
 result = acceptable
 shared = 7c6148134c9e8b2ba5daeca41e6a1f3a82d8f75d0b292b23c40fe7f5ce0a2b7a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 260
 # special case for D in multiplication by 4
@@ -2718,12 +1970,7 @@
 public = e3f444e208da9043f3f74c20e28d7f404bb687a346709abcd555156f88607820
 result = acceptable
 shared = ea5e772bac4693ce69ea3ac761011fa7674037653a433c7f05456e7291cd3c4e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 261
 # special case for D in multiplication by 4
@@ -2731,12 +1978,7 @@
 public = 87b43f90f76d12fb3a469fa8687c27e369d4a82f95cf95e8dc3970de8f86d92b
 result = acceptable
 shared = 81c395aed5cc5f5e2a206a8a4cacecd501df5b81e49433835ad8a3779edffb30
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 262
 # special case for D in multiplication by 4
@@ -2744,12 +1986,7 @@
 public = 86441ea06c5cd2a34c6b51261e93a2f30ea7db0f74e14c42f0fc443c6735973c
 result = acceptable
 shared = 513eba5870dc5187e2552fe3ba8292b516d2af9ecb9a9bdc51eac2ce2de40112
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 263
 # special case for D in multiplication by 4
@@ -2757,12 +1994,7 @@
 public = 4624aa4ae9d12725bf92b85f93e3e8cea16b7bd83fda0eb18fab2dbe0e8bf742
 result = acceptable
 shared = 983b7e236ffaddb4b759b7353fe87846f59fb6f28a3ed65c256176b6609b7c6e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 264
 # special case for D in multiplication by 4
@@ -2777,12 +2009,7 @@
 public = 8a5f2063f259f3317ae3e0b459f82c4677666e49a2eb9bf0369aee663631265b
 result = acceptable
 shared = a3f7e169db44d0d179c242e66347364ab92744dc6ad80e4775aef7f4ff9d5f34
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 266
 # special case for D in multiplication by 4
@@ -2790,12 +2017,7 @@
 public = 54cfb6ad0d03e3115acafee12606397f2bb46a8c5f326a255c494118aead3b62
 result = acceptable
 shared = 401aabfbb73fe6694c446ecfffb43006427a9d4756e049a1ffc79578d62f1660
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 267
 # special case for E in multiplication by 4
@@ -2831,12 +2053,7 @@
 public = e559c417da7fd5851352f508b90031d49b5d2d0aac88a9c8b5fb6e80165ac10b
 result = acceptable
 shared = c7c6f6d7ce1e4f54c727e5900686c34e6a6953254bd470bbbf0c7c18bbddad73
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 272
 # special case for B in multiplication by 4
@@ -2844,12 +2061,7 @@
 public = 746d97e7774292a3d703f604e79d8764c99a6a2fe280eaa9811115f5e038f21a
 result = acceptable
 shared = cf7d2a66ea4dfed94469b2d343533ff302a576f8402ed2187904437038e54665
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 273
 # special case for B in multiplication by 4
@@ -2864,12 +2076,7 @@
 public = 9c3f0023e1a4832586af2483bbec64ce9f06f3ea806d4019a5e4abb1b5627029
 result = acceptable
 shared = b9f21465615f39dddcc37520ce9b956f7de9883ac93a870d74e388b8e1775463
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 275
 # special case for B in multiplication by 4
@@ -2884,12 +2091,7 @@
 public = c4a19b8686e18c29359aa548427f06a368d55a8737483d4893523adac6795a4c
 result = acceptable
 shared = 652b18ffd41cfb7d1f0b6dc79baa3b2a392ef1617f5cf6259b5b4ff065916a16
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 277
 # special case for B in multiplication by 4
@@ -2911,12 +2113,7 @@
 public = 1df3dfdab74ff38177dac294b2da2f49a348bc3b3bc6ce9312bea5ef3ecdd30b
 result = acceptable
 shared = bcc95fb4890ed311f3fb4f44c2b60866cdddec97db820a7f79f475337e16284a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 280
 # special case for BB in multiplication by 4
@@ -2931,12 +2128,7 @@
 public = b279b6c065f95c7040f148bcb4a3d310e34bdb005931a879be469573deedd041
 result = acceptable
 shared = cce7bb644df94501421db49d15e821c7b0aaabecdf8837ab989b1f23bac08f35
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 282
 # special case for BB in multiplication by 4
@@ -2951,12 +2143,7 @@
 public = 872897f1bd1885da08b9d03e46811044fbb04186ba30c806f38b94ebdc27186a
 result = acceptable
 shared = bf280aeecb74ab34e1310aa6fe8dc972f94dc40c7f88b72137ccfe34ed343c13
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 284
 # special case for x_2 in multiplication by 4
@@ -2964,12 +2151,7 @@
 public = c08f72760d9cb4a542aad6e2af777920c44563bd90356168c3608c6b9af2ef0f
 result = acceptable
 shared = 72566a91ccd2bcf38cf639e4a5fcb296f0b67de192c6091242a62fae467fb635
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 285
 # special case for x_2 in multiplication by 4
@@ -2984,12 +2166,7 @@
 public = 4959771a931e242d5713d5cb76f33310c6a283df16645604289553809cda6518
 result = acceptable
 shared = 5ba2112a41b5bb381f202446fa9f23c54d2de149f9ad233753417263840ea432
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 287
 # special case for x_2 in multiplication by 4
@@ -2997,12 +2174,7 @@
 public = f6fe690cf547049635bb3a7785537b4379c9ee06b46120493b8bdb152e09c81d
 result = acceptable
 shared = a87c9fdf40c409b9edab481b2cc69687ee1ab92e340c3db0107d40b5de6e7a20
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 288
 # special case for x_2 in multiplication by 4
@@ -3010,12 +2182,7 @@
 public = b468681a1275850c11d37ec736af939a75a7098514e04cfc1c6ca78239a88426
 result = acceptable
 shared = 3be98798f01e71639f3cb8fd4a17bf273e10c67f8974dd9802eed59d847d4020
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 289
 # special case for x_2 in multiplication by 4
@@ -3030,12 +2197,7 @@
 public = fa8f24e944de5d003746d4630350c0f4f6175a3269c19184824105398fbdd329
 result = acceptable
 shared = 56e2bfc7f6ab7da8fc734afc515e57d0794d002434f9bc8e18bd0b72c0df3c4a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 291
 # special case for x_2 in multiplication by 4
@@ -3043,12 +2205,7 @@
 public = ae4e37ef53c79e25e8275a60f2fc1dfc277ebc5d3b88428c6432c3f98494212c
 result = acceptable
 shared = 17fa1276d9fd5025172736449a1c0ae33512e5037014a18db5903e47bb3bc950
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 292
 # special case for x_2 in multiplication by 4
@@ -3063,12 +2220,7 @@
 public = 5f16aa7ccabf4da6b686bd28c7460e106bb1b97a823792527765c29a9ad8fc71
 result = acceptable
 shared = 30a4ba793f2dffe1700c61428b4d84b5fcd0aa99a23b903f84a48eca5cc9fb0a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 294
 # special case for DA + CB in multiplication by 4
@@ -3090,12 +2242,7 @@
 public = 4eca5f8731b0fa0c106acf578b83a350fa8173a290f1eba803956de34eeb7671
 result = acceptable
 shared = 833afb867054b8b9ac70d6013c163e8b7676fd45ae49a1325f3acb75975d8c13
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 297
 # special case for A in multiplication by 4
@@ -3110,12 +2257,7 @@
 public = 88ae1631cd08ab54c24a31e1fec860391fe29bc50db23eb66709362ec4264929
 result = acceptable
 shared = c1988b6e1f020151ec913b4fb2695bae2c21cc553d0f91cf0c668623a3e5a43d
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 299
 # special case for A in multiplication by 4
@@ -3130,12 +2272,7 @@
 public = d66a2f9f7577e2df4a56cb51962b3056ff5cc0494c60f39511782e79923edd41
 result = acceptable
 shared = b3b4513f8a3102e1ae782fbc69888177f2c24c569303a5d01ab1c3c5e285524a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 301
 # special case for DA - CB in multiplication by 4
@@ -3150,12 +2287,7 @@
 public = 6418d49fe440a755c9ff1a3582d35dc9b44c818498f15782c95284fe868a914c
 result = acceptable
 shared = cdb3ca02d5fdb536dbc7395bab12bdcfd55b1ae771a4176dedb55eb4d755c752
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 303
 # special case for DA - CB in multiplication by 4
@@ -3184,12 +2316,7 @@
 public = 4d19e156e084fe582a0eb79b2f12b61d0b03f3f229227e798a933eea5a1b6129
 result = acceptable
 shared = c46057fcf63088b3a80e0be5ce24c8026dfadd341b5d8215b8afcb2a5a02bb2b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 307
 # special case for C in multiplication by 4
@@ -3197,12 +2324,7 @@
 public = cc4729c4eae292e431ec3a5cf5020e19f9bea50ef3218d9a790034526c3ee14a
 result = acceptable
 shared = d4361e26127adfbe37c2ed8f42cce4ebab8ab74ed9e74f14c3435d612c1a992a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 308
 # special case for C in multiplication by 4
@@ -3245,12 +2367,7 @@
 public = 340b9f613550d14e3c6256caf029b31cad3fe6db588294e2d3af37605a68d837
 result = acceptable
 shared = 9efe5cd71102d899a333a45ea6d2c089604b926db8c2645ce5ff21492f27a314
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 314
 # special case for CB in multiplication by 4
@@ -3258,12 +2375,7 @@
 public = edfbd6f09aa32435440b0ca8ba436308319613f8f2d501133c526c3ff55c7b3d
 result = acceptable
 shared = 196182095bcd2ef46b18f64c63607e0ab162a0869e6265ac8ae35e358c3d8a63
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 315
 # special case for CB in multiplication by 4
@@ -3271,12 +2383,7 @@
 public = 9b0538cd618b0a4de09e45420f84d54d74514fbb1a31c1a4aa1e93306f20723f
 result = acceptable
 shared = a3c6b75168211e8e0a49ca815bfe3f469f29864dc8166152b456e7074afa9b5b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 316
 # special case for CB in multiplication by 4
@@ -3298,12 +2405,7 @@
 public = 836c8e45dd890e658c33e69b6f578a5a774c48b435bc3b91ac693df94a055857
 result = acceptable
 shared = c5457487e90932f57b94af2e8750403e09c9ac727e2bd213590462b6937b0753
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 319
 # special case for AA in multiplication by 4
@@ -3318,12 +2420,7 @@
 public = 32f34da84ab4bfca369c4b884691becf54be7fbed16449dc86969da7ea9abf62
 result = acceptable
 shared = 521a5b8149a132d155e6b4ed113900506cfc2f76d2a3e14196d69eb85db3c952
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 321
 # special case for AA in multiplication by 4
@@ -3345,12 +2442,7 @@
 public = 18e58df6bfbe184b0e3c7c4bf2a051ed055b793501c0d4fc47bc8a95c4deec7c
 result = acceptable
 shared = ade71d6460287fe808e947560e67a9d6ff2f96eaa1355d2e9fbbe549e883381b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 324
 # special case for DA in multiplication by 4
@@ -3372,12 +2464,7 @@
 public = 33c94be58b0f0e6cf363e1b12a2ebfb93040715be91518f21df2953eeab5fb01
 result = acceptable
 shared = d4c3b3467714f2d105904a84cc7e81d7f291304e908041682d8906a683c12125
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 327
 # special case for z_2 in multiplication by 5
@@ -3385,12 +2472,7 @@
 public = a218ae9624b07ce05178b9d0cc1b71dee21f27852a2ceb18610b4052b244f00f
 result = acceptable
 shared = 1ebe6ca711a649ae487b332747e3dc0306340560cab6bc6029e44f6a7e0ee41c
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 328
 # special case for z_2 in multiplication by 5
@@ -3398,12 +2480,7 @@
 public = d7067faeafd3e966e57525f930b3317c9e8b9c9a9ae946e76c1e4602a59a7e33
 result = acceptable
 shared = 03e7a777e648bdc612189f3cd42d34e35736d3e52e6edc8ac873a58e244a6073
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 329
 # special case for z_2 in multiplication by 5
@@ -3411,12 +2488,7 @@
 public = 8df9682cbe8802478a8531377e752cdde54738d528d639bea9eaf47702f8bf3b
 result = acceptable
 shared = 308ef99dae1064a444fa90775b5dd5b1952d7224a0e5ae031df432640f416208
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 330
 # special case for z_2 in multiplication by 5
@@ -3445,12 +2517,7 @@
 public = 832a46aec02240d716fe22dea94ad566a3fafbeedcce35c83e41e58076c99749
 result = acceptable
 shared = cd0686b32ea4cddb8e13ff20a78d380749a5d4f6a3dc55d72f4813d949a0ea57
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 334
 # special case for E in multiplication by 5
@@ -3465,12 +2532,7 @@
 public = 6df799bba6cdf5f46a57ab227f93fba491dad296a2fdb7e491921d610cce8f5e
 result = acceptable
 shared = 54f5ae57e676d08c8f8a3cf891e36ddaab751093f92f409060c57e745941700e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 336
 # special case for AA in multiplication by 5
@@ -3492,12 +2554,7 @@
 public = 73bdeef8cc044f5ad8d6a241273e1995e0007dc9e6579046df86aa6cd97f5d2a
 result = acceptable
 shared = 5aa750de4207869ec7fddab34c639559b1eb27ef244aaf2a702c84963b6d6e7c
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 339
 # special case for AA in multiplication by 5
@@ -3540,12 +2597,7 @@
 public = 48d952a2924ff167f037707469ec715da72bb65f49aaf4dce7ec5a17039ddb42
 result = acceptable
 shared = de88af905d37417d8331105345dabaab9fd2d3cb1ee902911c1c8eae2991d911
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 345
 # special case for BB in multiplication by 5
@@ -3560,12 +2612,7 @@
 public = 9051e55a4050ef4dce0b0c40811f16371e8b16932541da37f069406d848ea424
 result = acceptable
 shared = 212dbf9bc89b6873a60dfc8731a10be11ab2dca4b172142e6c9f06614cd72852
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 347
 # special case for x_2 in multiplication by 5
@@ -3594,12 +2641,7 @@
 public = 0e67ee5c6b65aa802259810b2605f8d7accf9b49bf14cb4a536928e883172915
 result = acceptable
 shared = 1d730158da880533dbf1e6c64a8e99f9169611660969b0a84fb42dd8dc2efa3d
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 351
 # special case for C in multiplication by 6
@@ -3642,12 +2684,7 @@
 public = 0e9c4431999ef1ce177e900d37ec6ae665e387e2d4fa27cba8e7baebc65c6520
 result = acceptable
 shared = 8ff2ac65c85ee2fe9452fce460f8c87f9570d769cadddc87fe93ef8b7657c726
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 357
 # special case for CB in multiplication by 6
@@ -3655,12 +2692,7 @@
 public = 5761d6c08624104d4117ff17c75e9211a591c9ca9aecca3a665a7ed844195225
 result = acceptable
 shared = 97c91a23c3e4f3ff727d188a352b67ad490b62381566fb3e111cb67aa9e3435c
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 358
 # special case for CB in multiplication by 6
@@ -3696,12 +2728,7 @@
 public = a244413ddc3a205d038d64266833eea1efba51ba62c9c6cdcdbe943be52bb00c
 result = acceptable
 shared = 66484a4120e0eb0c7e0505e1d2c5d15de9b52b72e094c9bac88634200c557267
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 363
 # special case for x_2 in multiplication by 6
@@ -3716,12 +2743,7 @@
 public = 6330d3e28a8b6126ace165a9dfccc6e4bd40dbc9768cfb16330cb7f27f906230
 result = acceptable
 shared = 8daf5f4b84730144ea8a53ce39cc907e39a89ed09f0202e7be0d3bda38da663b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 365
 # special case for x_2 in multiplication by 6
@@ -3729,12 +2751,7 @@
 public = 8678aa29cbc06e78b218d22a3e66c38ec0da8fdb0f2570c585c62517c9704f37
 result = acceptable
 shared = da8b7eba6f72c3f3ef33d8982093492e06be39bb0db29c465d95a8e52ef64341
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 366
 # special case for x_2 in multiplication by 6
@@ -3742,12 +2759,7 @@
 public = 303289c2b1079ea59412faccfeba8c113d2299b9dcfedeabc42697b0829c4658
 result = acceptable
 shared = 0419a71a08d3fdd574cbc932e8f1605933ddcdd9774f5614269b7ed850c8650e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 367
 # special case for x_2 in multiplication by 6
@@ -3776,12 +2788,7 @@
 public = c588dfe6e733d90581cbe112079749d8eb30ab8631134ec29abfb98b32e76522
 result = acceptable
 shared = 6e88bb6bf75596bbe5f1fbe91e365a527a156f4f1b57c13ac1e3e6db93191239
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 371
 # special case for DA - CB in multiplication by 6
@@ -3803,12 +2810,7 @@
 public = 419a076b179f79720096eaabaf03477e8f89d61f885c8d7f58f6eaa4fa77df5f
 result = acceptable
 shared = c1a96ccba08bdd82d0fc12e8cde4cc1f25cfd5276dce7f18e407ed0e4a898466
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 374
 # special case for DA + CB in multiplication by 6
@@ -3823,12 +2825,7 @@
 public = 1f06cfe464ccc0e27a5ec5f9edd9bc7bc822ad2ff5068ca5c963d20edd1a2d22
 result = acceptable
 shared = eb40a3974b1b0310b1597d1f1f4101c08dca727455a9d8224cd061a7aa3cb628
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 376
 # special case for DA + CB in multiplication by 6
@@ -3864,12 +2861,7 @@
 public = c31e37b04332abca8315f317171566aef38111f622d8bffa29c23c0151cdad6e
 result = acceptable
 shared = 91ac72b0ed8d7fc4c8846b8a2530d9fb8f0532064880c00dab100c977697db28
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 381
 # special case for z_2 in multiplication by 6
@@ -3877,12 +2869,7 @@
 public = b775e016b32a97f49971121906763f3a0b41689092b9583b6710cf7dee03a61c
 result = acceptable
 shared = 11393bb548813e04fb54133edbe0626458e80981885e1fe5f3377e8ebe9afa52
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 382
 # special case for z_2 in multiplication by 6
@@ -3890,12 +2877,7 @@
 public = f8bd0e7cf6ec6186f205ab03ab72c8f6b3cde8f6ad9b166916a04d43d1d6d546
 result = acceptable
 shared = 0a83a224fbfcbc5d0f07f6dd8ebb2e9bbee8134f0fab268002ce837f5495d833
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 383
 # special case for z_2 in multiplication by 6
@@ -3931,12 +2913,7 @@
 public = ed1c82082b74cc2aaebf3dc772ba09557c0fc14139a8814fc5f9370bb8e98858
 result = acceptable
 shared = e0a82f313046024b3cea93b98e2f8ecf228cbfab8ae10b10292c32feccff1603
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 388
 # special case for D in multiplication by 6
@@ -3944,12 +2921,7 @@
 public = 12e1589a34094af5f121c9bd3c1119f2b1f05264c573f667a748683c5633a47e
 result = acceptable
 shared = 1fcc50333eb90706935f25b02f437bfd22b6b16cc375afff8a1aa7432fb86251
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 389
 # special case for DA in multiplication by 6
@@ -3964,12 +2936,7 @@
 public = a819c667ed466bd9a69ea0b38642ee8e53f40a50377b051eb590142dd27e3431
 result = acceptable
 shared = 17f6543c4727e7f129ee82477655577635c125a20c3dc8ba206ca3cc4854ca6c
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 391
 # special case for DA in multiplication by 6
@@ -3984,12 +2951,7 @@
 public = e7dd0549a765bbef34be2e8da18a1bc1b989a8b0614d358ebf38c12a9ca64079
 result = acceptable
 shared = 37232fb397af27f5fb5ca493284ff1c5d25786b0d716c73b33aca8d42265f318
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 393
 # special case for z_2 in multiplication by 7
@@ -4004,12 +2966,7 @@
 public = f226c2d6bd7831eda1b51ee5aec29443a507ef9f7a04e2340f349dbf14933844
 result = acceptable
 shared = a5976fda89954a81e442107f9e416a2b4b481bbd4654ebc0c7b57a78b45b4979
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 395
 # special case for z_2 in multiplication by 7
@@ -4017,12 +2974,7 @@
 public = c5197312de3a7a3ee11b29873bae3fc8c85109c66784804f89435db210fcc24b
 result = acceptable
 shared = 55b5b5eb38b127617ffe00056d84d35a5071d18783e3a82b5f4e131b1538b150
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 396
 # special case for z_2 in multiplication by 7
@@ -4030,12 +2982,7 @@
 public = 590ed0b879319c38a19962a5d216ff2bfaf33555518877969c20c054cbe43e56
 result = acceptable
 shared = 0080e5b9985a960a832133812a7ab9951c6b2c75894deb3e35509190a6bdf457
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 397
 # special case for z_2 in multiplication by 7
@@ -4071,12 +3018,7 @@
 public = 0f460100d88a1d316dff02d1b22ffb2e42d99d0b92474fc3ec7d62567d0cf112
 result = acceptable
 shared = ed83e810ce5ff0868f8589623bb13478dec1c22326c92765ae5e48c84bbabb24
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 402
 # special case for E in multiplication by 7
@@ -4105,12 +3047,7 @@
 public = 102e95eadca7c3c28e5d52336c857bad99ea246f299b06334f401276f49ca814
 result = acceptable
 shared = 3952efb93573ae9ce2162d10e4b8c46435859f3f2778db89f72bc579e695cb51
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 406
 # special case for AA in multiplication by 7
@@ -4118,12 +3055,7 @@
 public = 3548c16bf31afdcd445ad9bef0e60d7bd6195aa591ca8c82813cd7d446226720
 result = acceptable
 shared = 96128f929fc03c1269d429f609a1a8acac7a758e3446a125ecf4a359a0e37b73
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 407
 # special case for AA in multiplication by 7
@@ -4166,12 +3098,7 @@
 public = 2743ba408d5f68c65324a485086a004b6bbf784cc9e8b1a7dbeb8c4b9414b018
 result = acceptable
 shared = a6b97da989dccf730f122d455152328051c8ed9abc1815c19eec6501d6cfc77c
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 413
 # special case for x_2 in multiplication by 7
@@ -4193,12 +3120,7 @@
 public = 1324e0368597b3181555bb5b2cc7b7ebba46931aeabb6f05ababd4240f0fb933
 result = acceptable
 shared = 6dcdf8e86903b0caded124d8a7da18e623430ca869aaf267d31029d93de99e66
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 416
 # special case for x_2 in multiplication by 7
@@ -4206,12 +3128,7 @@
 public = c7f3842297d6941cac63d6f1bdaea0709437c82dbc9161fc1bae6c79d668eb44
 result = acceptable
 shared = 385ddbf2505ebf537bf5e976b61a4b69d190ae965b7e4a81ae4e1c16b7148748
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 417
 # special case for x_2 in multiplication by 7
@@ -4226,12 +3143,7 @@
 public = 2488bb6fadb79d46585ff01c160c5b4172799d92bd168edceb65cededc492762
 result = acceptable
 shared = 510c64151e5d0737fc324bd15fb5d3966908751cd1a06954b556196655ee5540
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 419
 # special case for x_2 in multiplication by 7
@@ -4239,12 +3151,7 @@
 public = a0c1087811af1491171bc51691b8ca84716af36c4baa764ec536280cc1983d6d
 result = acceptable
 shared = 23ef825e1c8e6e64428001a7463e32a9701c81cf78203e6ae753740c91570e6b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 420
 # special case for x_2 in multiplication by 7
@@ -4252,12 +3159,7 @@
 public = cc5c97934607d8b981bce1d6a232bb3aecc3001f698ae1ae84938fbf2861077b
 result = acceptable
 shared = 0e55a7ec1a2ddbea1ac5981200812232f7f4c3a60ee3c9ab09f2163bd13da329
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 421
 # special case for DA - CB in multiplication by 7
@@ -4265,12 +3167,7 @@
 public = 238de7fcc8a3f194c3554c328efb1215d0640ac674b61a98ef934ec004cfd73b
 result = acceptable
 shared = 0681036a0d27583ba6f2be7630613171a33fb8a6c8991c53b379999f0f15923b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 422
 # special case for DA - CB in multiplication by 7
@@ -4299,12 +3196,7 @@
 public = dc99ad0031463e4537c01e16629966d1b962c0b4e4872f067ca3c26ccc957001
 result = acceptable
 shared = 6cfa935f24b031ff261a7cd3526660fd6b396c5c30e299575f6a322281191e03
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 426
 # special case for D in multiplication by 8
@@ -4319,12 +3211,7 @@
 public = e7b3205777b375f1b1515a50a16a6067953ff221e12b4f416d74fb28c1c85865
 result = acceptable
 shared = 388ea421650a8d837bad8904018195e99ef494c2d170b93ee721a67d2c108729
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 428
 # special case for DA + CB in multiplication by 8
@@ -4346,12 +3233,7 @@
 public = 8abb8cfd60c6f8a4d84d0750d3b40a4f846b30edf2052fef7df84142cd0d9e47
 result = acceptable
 shared = 5faba645fc21f9421ebd35c69bdb1d85b46f95e3746ff7f4886bc280a9ab2522
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 431
 # special case for DA + CB in multiplication by 8
@@ -4359,12 +3241,7 @@
 public = 9fd7b49a08f206688d72db737df8e517aa7b764f5de7c9a2b1c3fcbaa985f64c
 result = acceptable
 shared = 9cb8a0f4ad86a27b96ca61242eab198db2767d3862dd323e41368fcdcc5fab68
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 432
 # special case for DA + CB in multiplication by 8
@@ -4372,12 +3249,7 @@
 public = c4fefac7acd448e8fd4d6ac4f5dd1bc21f2c67d638444060918fb344aa77e757
 result = acceptable
 shared = 4b42fcf84b51b2b82f1f70b3cf49bd9dc6ab2672920a8de37e81ba7e99acf734
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 433
 # special case for DA + CB in multiplication by 8
@@ -4399,12 +3271,7 @@
 public = 7976d520f1a2512d564af41c68313f5351b0156d5118be4817f192798ae9777d
 result = acceptable
 shared = 3bb3e30105a71901b115065e39bdb3e053d387b39027b12c92cdf4c638adf00d
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 436
 # special case for AA in multiplication by 8
@@ -4426,12 +3293,7 @@
 public = eebd858850b56febb707f27a7aad5ff5ab4b0e0c73b9c86ec4ca0f42e7f38e75
 result = acceptable
 shared = 581e4b12b0f39a7cc42dee4513ecfdd20b595f905f17ad8c1fbf1b5cb2068b31
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 439
 # special case for z_2 in multiplication by 8
@@ -4467,12 +3329,7 @@
 public = 66a09767a0d83bb18d404e1200375a745d1f1f749d5dc6f84a205efa6a11bc65
 result = acceptable
 shared = 1401829aac4e64bcfa297a7effc60477090d3627a64a35b872ae055d2091785f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 444
 # special case for B in multiplication by 8
@@ -4487,12 +3344,7 @@
 public = 84c92d8ecf3d0cb22dde7d721f04140c2d9c179cc813ce6cf8db2dce6168880d
 result = acceptable
 shared = 07538f1b6583041c4949fafae3349d62f9dd302d3d86857af0dedc0d5ad6741f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 446
 # special case for C in multiplication by 8
@@ -4500,12 +3352,7 @@
 public = a9cedb9e942a47221e4296953220d10007db327d2acb68da6ef3a4f877b8ef1e
 result = acceptable
 shared = 1223505fbb534c1bc6108e6b98b4f0af29e11158c02d333d6559beecd6d3e558
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 447
 # special case for C in multiplication by 8
@@ -4513,12 +3360,7 @@
 public = 64e1c0c5f59405bbc6c7db41a3485cc9f91c183b0f2b7e1894a7abd8fbbeeb23
 result = acceptable
 shared = ee031868165f456f75907bf39742b820e0f8e6df9f9768d757d408e1cc92ff7b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 448
 # special case for C in multiplication by 8
@@ -4526,12 +3368,7 @@
 public = a68d2f55e60eac7983926310f4fae13f95b2bbf140be5ea91751884d900ab44d
 result = acceptable
 shared = c954fa7b042c32943e03191e367d54be0085fa8950ef2bec99620df79ecbea4b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 449
 # special case for x_2 in multiplication by 8
@@ -4546,12 +3383,7 @@
 public = 8f195547346b3d53b7ea4f742b22f1ef7b3cc01a7d3dcd19aa7c5b03f31bd214
 result = acceptable
 shared = a31f6b249d64a87c4aed329c6c05c3f2240b3ca938ccdc920ba8016c1aeaeb45
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 451
 # special case for x_2 in multiplication by 8
@@ -4559,12 +3391,7 @@
 public = ffc4fe2c2127a309c739565651e9812f834a86dbadbb78776977f786ecdb0217
 result = acceptable
 shared = 4cff9f53ce82064882329a18ea4e4d0bc6d80a631c87c9e6fdc918f9c1bda34a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 452
 # special case for x_2 in multiplication by 8
@@ -4572,12 +3399,7 @@
 public = 8475babeeab9980d426abd5323dfb335b219e129bddae4d6cebcda50754a6825
 result = acceptable
 shared = 248d3d1a49b7d173eb080ab716ac8fde6bd1c3ed8e7fd5b448af21bcdc2c1616
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 453
 # special case for x_2 in multiplication by 8
@@ -4613,12 +3435,7 @@
 public = 4d96320cdb0ca52655e91118c33f93afe4ae69e9e513ff4506750b8ea784ce46
 result = acceptable
 shared = c8d85bfa74b4b26461297b350c975183fea9d33ba29c3a4934509c2ecda58a79
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 458
 # special case for x_2 in multiplication by 8
@@ -4626,12 +3443,7 @@
 public = c0ef1b7c20237db370501f24274e4eba91998ae4545f937007e1c4a2eab63365
 result = acceptable
 shared = 22557e0d8741ed2a63afd5e313aa1579fc0c88c7772e23a676c94b60c89df577
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 459
 # special case for x_2 in multiplication by 8
@@ -4653,12 +3465,7 @@
 public = 35738dd539d60f69cd1a1cffc8a42b6af68fe7de45392d02831e2a77500ea278
 result = acceptable
 shared = f6d1a664257fa5de3d4d57f04eda2976bf1e35cc3ac513e1ee84d57d2135ed13
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 462
 # special case for x_2 in multiplication by 8
@@ -4666,12 +3473,7 @@
 public = ce932b5af4be4721f96f7b79ba1c43b20687d4af49c37b58dc894279e04bb578
 result = acceptable
 shared = f8f7625ac5bde63f753a9bb4aefbfb9c4647207708af9d774ef08ff1b1e5a354
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 463
 # special case for E in multiplication by 8
@@ -4679,12 +3481,7 @@
 public = e3655448339e4850806eb58abba0c89185511ea72c37c49e9583ee6dd235d213
 result = acceptable
 shared = 5e10dfbff4443efcae2ccc78c289a41460d5a82f79df726b8824ccbef7146d40
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 464
 # special case for E in multiplication by 8
@@ -4692,12 +3489,7 @@
 public = 4d16965b1637e9d7ae8feb499ed0553962a9aa0022d1620c928072f6501bc41b
 result = acceptable
 shared = 19d7b44c1847c44e8f37a22ab69c180fd9d787f204123013e1b16800b9cd0f57
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 465
 # special case for E in multiplication by 8
@@ -4712,12 +3504,7 @@
 public = d566fab505ac4c7a3dc3b9403ef121392cbbe21216e5bcb8eab2dc9408986e34
 result = acceptable
 shared = 6d7fc5d4a8f534b1bc0fa5e078104234675c02664736957abdb27df6faf07c00
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 467
 # special case for E in multiplication by 8
@@ -4739,12 +3526,7 @@
 public = 2d7ab4c6f59865355ee8e9de57db19aadf7708b7c1d1a818487c340623badc6d
 result = acceptable
 shared = 2a0340aaafa05d00529c09057ed0145f34d2de66a3e149cf084ea97168914f39
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 470
 # special case for E in multiplication by 8
@@ -4766,12 +3548,7 @@
 public = 42e5a6b8e9654bb4ad624af3f491877977513cc8775c8fb312ad19dbf3903a28
 result = acceptable
 shared = 223f1eb552308373026d11c954684ce6db870b638b190b9443e50aae219f4e3e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 473
 # special case for DA - CB in multiplication by 8
@@ -4779,12 +3556,7 @@
 public = 0a51dd90ab985f6deaf72f16c45014da26df848697f6582d75688f5223342b51
 result = acceptable
 shared = fb95ce4a3c1f325638b7d47f4216d39a7c6c5da9a01caa297c37b62816555b2a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 474
 # special case for DA - CB in multiplication by 8
@@ -4813,12 +3585,7 @@
 public = d128ea3e13325ed6ebd6533a9fd3045a55f25ad8b67def30912843504c1aab29
 result = acceptable
 shared = 30512142d3e3a4cad6726d9d35f2e043fca9dfb750884ae22b2547c840f3587b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 478
 # special case for CB in multiplication by 8
@@ -4826,12 +3593,7 @@
 public = e079c8f8423165c7e0a2c48b4abe90aece4e6d903d7a5a1625fad0410cd55b32
 result = acceptable
 shared = 5b81b3761a66d199e8ef99d2494bd57a0229d4564a7f6d6055f22aa48681bd3a
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 479
 # special case for BB in multiplication by 8
@@ -4853,12 +3615,7 @@
 public = 4f5b8b9892b8a46df08d76a4745b1c58d4e7a394905435875688ca11f1e9d86a
 result = acceptable
 shared = a25e1306684ad7870a31f0404566e8d28f2d83d4b9497822c57f8781b18fec20
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 482
 # special case for BB in multiplication by 8
@@ -4866,12 +3623,7 @@
 public = aa2f02628269139a7a8a16fde95c9bad7da7ffbd5439c396a7d77b6c3213e67f
 result = acceptable
 shared = bb4431bea7a5871c1be27a2674094627eaaa4425c99cd3fa41bd7e13cbd7bf7e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 483
 # special case for A in multiplication by 8
@@ -4886,12 +3638,7 @@
 public = 479afb1e73dc77c3743e51e9ec0bcc61ce66ed084dc10bfa2794b4c3e4953769
 result = acceptable
 shared = bdef00caa514b2f8ab1fb2241e83787a02601ecdff6cf166c4210f8c1ade4211
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 485
 # special case for DA in multiplication by 8
@@ -4899,12 +3646,7 @@
 public = 378eda41470b0f238a200f80809ad562ca41e62411a61feb7f7e9b752b554642
 result = acceptable
 shared = bfd5b5acd2d89f213a26caf54062f9a24e6f6fd8ddd0cd2e5e47b7fea4a9c537
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 486
 # special case for DA in multiplication by 8
@@ -4926,12 +3668,7 @@
 public = f93a73270ac19194b8e4ffd02be4b1438525f84a76224688ea89a9dd6a1bd623
 result = acceptable
 shared = 7285fbb3f76340a979ab6e288727a2113332cf933809b018b8739a796a09d00b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 489
 # special case for AA in multiplication by 9
@@ -4939,12 +3676,7 @@
 public = cf80c30fcbfd535666ca1da499e2e99cc537063e2de19458fcf92f5ee34acf47
 result = acceptable
 shared = dabc3bd49f19cf7071802e43c863ed0b1d93a841588098b98a0c581bf4fe0a11
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 490
 # special case for AA in multiplication by 9
@@ -4966,12 +3698,7 @@
 public = b8649e13843f80cf5702398e4a9a8c378f29da96dfd6579f1eb4f7ea34df6765
 result = acceptable
 shared = 844a5dd5139554ca7b41cbe6a4796193912e7aa4e201cc68944ce2a55774a10f
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 493
 # special case for AA in multiplication by 9
@@ -4986,12 +3713,7 @@
 public = 557b825012d98f065bb95a2ab9b2d2d8b83fd2037912508c263f86d7e36c4f24
 result = acceptable
 shared = 5ce84842dbae8b795b3d545343558045508f271383bfb3dd3943f4101398c864
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 495
 # special case for z_2 in multiplication by 9
@@ -5020,12 +3742,7 @@
 public = ccc1dc186229dba9a9360a0f7ff00247a3732625acaacd18ea13a9a8b40fac4f
 result = acceptable
 shared = 4f678b64fd1f85cbbd5f7e7f3c8ac95ec7500e102e9006d6d42f48fb2473ab02
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 499
 # special case for z_2 in multiplication by 9
@@ -5047,12 +3764,7 @@
 public = e853062b2d6f38d021d645163ea208d0e193a479f11f99971b98e21188fd0b2c
 result = acceptable
 shared = 64bdfa0207a174ca17eeba8df74d79b25f54510e6174923034a4d6ee0c167e7b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 502
 # special case for E in multiplication by 9
@@ -5067,12 +3779,7 @@
 public = ff543f1e81996e88631f030ceba7e603b13033efd205e68bd36b28468134aa73
 result = acceptable
 shared = c1b5e5f4401c98fa14eba8aafae30a641bfd8fb132be03413f3bf29290d49e0b
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 504
 # special case for x_2 in multiplication by 9
@@ -5087,12 +3794,7 @@
 public = 88c1ae575ad073dda66c6eacb7b7f436e1f8ad72a0db5c04e5660b7b719e4c4b
 result = acceptable
 shared = 335394be9c154901c0b4063300001804b1cd01b27fa562e44f3302168837166e
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 506
 # special case for x_2 in multiplication by 9
@@ -5100,12 +3802,7 @@
 public = dcffc4c1e1fba5fda9d5c98421d99c257afa90921bc212a046d90f6683e8a467
 result = acceptable
 shared = 7ecdd54c5e15f7b4061be2c30b5a4884a0256581f87df60d579a3345653eb641
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 507
 # special case for BB in multiplication by 9
@@ -5148,12 +3845,7 @@
 public = 2eae5ec3dd494e9f2d37d258f873a8e6e9d0dbd1e383ef64d98bb91b3e0be035
 result = acceptable
 shared = 2eae5ec3dd494e9f2d37d258f873a8e6e9d0dbd1e383ef64d98bb91b3e0be035
-# Public keys are either points on a given curve or points on its twist. The
-# functions X25519 and X448 are defined for points on a twist with the goal that
-# the output of computations do not leak private keys. Implementations may
-# accept or reject points on a twist. If a point multiplication is performed
-# then it is important that the result is correct, since otherwise attacks with
-# invalid keys are possible.
+flags = Twist
 
 # tcId = 513
 # special case private key
diff --git a/util/convert_wycheproof.go b/util/convert_wycheproof.go
index c774cc5..ffb5cf9 100644
--- a/util/convert_wycheproof.go
+++ b/util/convert_wycheproof.go
@@ -174,12 +174,15 @@
 					return err
 				}
 			}
-			if flags, ok := test["flags"]; ok {
-				for _, flag := range flags.([]interface{}) {
-					if note, ok := w.Notes[flag.(string)]; ok {
-						if err := printComment(f, note); err != nil {
-							return err
-						}
+			if flagsI, ok := test["flags"]; ok {
+				var flags []string
+				for _, flagI := range flagsI.([]interface{}) {
+					flag := flagI.(string)
+					flags = append(flags, flag)
+				}
+				if len(flags) != 0 {
+					if err := printAttribute(f, "flags", strings.Join(flags, ","), false); err != nil {
+						return err
 					}
 				}
 			}
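Review bot: The added `strings.Join(flags, ",")` writes all flags into one comma-separated `flags` attribute without checking that a flag name contains no comma, so such a name would be read back as two different flags by whatever splits the attribute. Because an "acceptable" case's validity is now decided by matching these names, the converter should fail loudly instead, e.g. `if strings.Contains(flag, ",") { return fmt.Errorf("flag %q contains a comma", flag) }` before the `append` (this assumes `fmt` is already imported in the file, which the hunk does not show). The type assertions `flagsI.([]interface{})` and `flagI.(string)` are also unchecked and panic on unexpected JSON, as the removed code did; the two-value form with an error return would make a malformed input file easier to diagnose. The enclosing function begins and ends outside this hunk.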