Handle "acceptable" Wycheproof inputs unambiguously.

This CL updates the JSON conversion to preserve the flags. A
WycheproofResult now captures both "result" and "flags". An "acceptable"
test case's validity is determined by its flags. By default, we consider
an "acceptable" case as invalid, but a test driver may mark some of them
as valid by listing the flags as a parameter.

Previously, some Wycheproof tests (I think it was x25519_tests.txt?) did
not contain enough information to resolve this unambiguously. This has
since been fixed.

This also makes the converted files smaller because we no longer expand the
flags into comments.

Change-Id: I2ca02d7f1b95f250409e8b23c4ad7bb595d77fdf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/39188
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/cipher_extra/aead_test.cc b/crypto/cipher_extra/aead_test.cc
index 520ad72..bb3db9e 100644
--- a/crypto/cipher_extra/aead_test.cc
+++ b/crypto/cipher_extra/aead_test.cc
@@ -728,8 +728,8 @@
   size_t out_len;
   // Wycheproof tags small AES-GCM IVs as "acceptable" and otherwise does not
   // use it in AEADs. Any AES-GCM IV that isn't 96 bits is absurd, but our API
-  // supports those, so we treat "acceptable" as "valid" here.
-  if (result != WycheproofResult::kInvalid) {
+  // supports those, so we treat SmallIv tests as valid.
+  if (result.IsValid({"SmallIv"})) {
     // Decryption should succeed.
     ASSERT_TRUE(EVP_AEAD_CTX_open(ctx.get(), out.data(), &out_len, out.size(),
                                   iv.data(), iv.size(), ct_and_tag.data(),
diff --git a/crypto/cipher_extra/cipher_test.cc b/crypto/cipher_extra/cipher_test.cc
index 0a96bf3..a28e6e3 100644
--- a/crypto/cipher_extra/cipher_test.cc
+++ b/crypto/cipher_extra/cipher_test.cc
@@ -357,7 +357,7 @@
                                              17, 31, 32, 33, 63, 64, 65, 512};
     for (size_t chunk : chunk_sizes) {
       SCOPED_TRACE(chunk);
-      if (result == WycheproofResult::kValid) {
+      if (result.IsValid()) {
         ASSERT_TRUE(EVP_DecryptInit_ex(ctx.get(), cipher, nullptr, key.data(),
                                        iv.data()));
         ASSERT_TRUE(DoCipher(ctx.get(), &out, ct, chunk));
diff --git a/crypto/cmac/cmac_test.cc b/crypto/cmac/cmac_test.cc
index bd6651d..e8a220a 100644
--- a/crypto/cmac/cmac_test.cc
+++ b/crypto/cmac/cmac_test.cc
@@ -148,7 +148,7 @@
         // Some test vectors intentionally give the wrong key size. Our API
         // requires the caller pick the sized CBC primitive, so these tests
         // aren't useful for us.
-        EXPECT_EQ(WycheproofResult::kInvalid, result);
+        EXPECT_FALSE(result.IsValid());
         return;
     }
 
@@ -164,7 +164,7 @@
     // Truncate the tag, if requested.
     out_len = std::min(out_len, tag_len);
 
-    if (result == WycheproofResult::kValid) {
+    if (result.IsValid()) {
       EXPECT_EQ(Bytes(tag), Bytes(out, out_len));
 
       // Test the streaming API as well.
diff --git a/crypto/curve25519/x25519_test.cc b/crypto/curve25519/x25519_test.cc
index 9578dd0..1bf398f 100644
--- a/crypto/curve25519/x25519_test.cc
+++ b/crypto/curve25519/x25519_test.cc
@@ -23,6 +23,7 @@
 #include "../internal.h"
 #include "../test/file_test.h"
 #include "../test/test_util.h"
+#include "../test/wycheproof_util.h"
 
 
 TEST(X25519Test, TestVector) {
@@ -132,11 +133,8 @@
       t->IgnoreInstruction("curve");
       t->IgnoreAttribute("curve");
 
-      // Our implementation tolerates the Wycheproof "acceptable"
-      // inputs. Wycheproof's valid vs. acceptable criteria does not match our
-      // X25519 return value, so we test only the overall output.
-      t->IgnoreAttribute("result");
-
+      WycheproofResult result;
+      ASSERT_TRUE(GetWycheproofResult(t, &result));
       std::vector<uint8_t> priv, pub, shared;
       ASSERT_TRUE(t->GetBytes(&priv, "private"));
       ASSERT_TRUE(t->GetBytes(&pub, "public"));
@@ -144,7 +142,8 @@
       ASSERT_EQ(32u, priv.size());
       ASSERT_EQ(32u, pub.size());
       uint8_t secret[32];
-      X25519(secret, priv.data(), pub.data());
+      int ret = X25519(secret, priv.data(), pub.data());
+      EXPECT_EQ(ret, result.IsValid({"NonCanonicalPublic", "Twist"}) ? 1 : 0);
       EXPECT_EQ(Bytes(secret), Bytes(shared));
   });
 }
diff --git a/crypto/ecdh_extra/ecdh_test.cc b/crypto/ecdh_extra/ecdh_test.cc
index 52e49f1..4b88754 100644
--- a/crypto/ecdh_extra/ecdh_test.cc
+++ b/crypto/ecdh_extra/ecdh_test.cc
@@ -140,22 +140,16 @@
   ASSERT_TRUE(GetWycheproofResult(t, &result));
   std::vector<uint8_t> shared;
   ASSERT_TRUE(t->GetBytes(&shared, "shared"));
+  // BoringSSL supports compressed coordinates.
+  bool is_valid = result.IsValid({"CompressedPoint"});
 
   // Wycheproof stores the peer key in an SPKI to mimic a Java API mistake.
   // This is non-standard and error-prone.
   CBS cbs;
   CBS_init(&cbs, peer_spki.data(), peer_spki.size());
   bssl::UniquePtr<EVP_PKEY> peer_evp(EVP_parse_public_key(&cbs));
-  if (!peer_evp) {
-    // Note some of Wycheproof's "acceptable" entries are unsupported by
-    // BoringSSL because they test explicit curves (forbidden by RFC 5480),
-    // while others are supported because they used compressed coordinates. If
-    // the peer key fails to parse, we consider it to match "acceptable", but if
-    // the resulting shared secret matches below, it too matches "acceptable".
-    //
-    // TODO(davidben): Use the flags field to disambiguate these. Possibly
-    // first get the Wycheproof folks to use flags more consistently.
-    EXPECT_NE(WycheproofResult::kValid, result);
+  if (!peer_evp || CBS_len(&cbs) != 0) {
+    EXPECT_FALSE(is_valid);
     return;
   }
   EC_KEY *peer_ec = EVP_PKEY_get0_EC_KEY(peer_evp.get());
@@ -170,11 +164,11 @@
   int ret =
       ECDH_compute_key(actual.data(), actual.size(),
                        EC_KEY_get0_public_key(peer_ec), key.get(), nullptr);
-  if (result == WycheproofResult::kInvalid) {
-    EXPECT_EQ(-1, ret);
-  } else {
+  if (is_valid) {
     EXPECT_EQ(static_cast<int>(actual.size()), ret);
     EXPECT_EQ(Bytes(shared), Bytes(actual.data(), static_cast<size_t>(ret)));
+  } else {
+    EXPECT_EQ(-1, ret);
   }
 }
 
diff --git a/crypto/evp/evp_test.cc b/crypto/evp/evp_test.cc
index 4846fbc..9932982 100644
--- a/crypto/evp/evp_test.cc
+++ b/crypto/evp/evp_test.cc
@@ -645,13 +645,7 @@
       bool sig_ok = DSA_check_signature(&valid, digest, digest_len, sig.data(),
                                         sig.size(), dsa) &&
                     valid;
-      if (result == WycheproofResult::kValid) {
-        EXPECT_TRUE(sig_ok);
-      } else if (result == WycheproofResult::kInvalid) {
-        EXPECT_FALSE(sig_ok);
-      } else {
-        // this is a legacy signature, which may or may not be accepted.
-      }
+      EXPECT_EQ(sig_ok, result.IsValid());
     } else {
       bssl::ScopedEVP_MD_CTX ctx;
       EVP_PKEY_CTX *pctx;
@@ -664,14 +658,12 @@
       }
       int ret = EVP_DigestVerify(ctx.get(), sig.data(), sig.size(), msg.data(),
                                  msg.size());
-      if (result == WycheproofResult::kValid) {
-        EXPECT_EQ(1, ret);
-      } else if (result == WycheproofResult::kInvalid) {
-        EXPECT_EQ(0, ret);
-      } else {
-        // this is a legacy signature, which may or may not be accepted.
-        EXPECT_TRUE(ret == 1 || ret == 0);
-      }
+      // BoringSSL does not enforce policies on weak keys and leaves it to the
+      // caller.
+      EXPECT_EQ(ret,
+                result.IsValid({"SmallModulus", "SmallPublicKey", "WeakHash"})
+                    ? 1
+                    : 0);
     }
   });
 }
diff --git a/crypto/fipsmodule/aes/aes_test.cc b/crypto/fipsmodule/aes/aes_test.cc
index 5061e01..4c913d3 100644
--- a/crypto/fipsmodule/aes/aes_test.cc
+++ b/crypto/fipsmodule/aes/aes_test.cc
@@ -176,7 +176,7 @@
     WycheproofResult result;
     ASSERT_TRUE(GetWycheproofResult(t, &result));
 
-    if (result != WycheproofResult::kInvalid) {
+    if (result.IsValid()) {
       ASSERT_GE(ct.size(), 8u);
 
       AES_KEY aes;
@@ -218,7 +218,10 @@
     // should pass. However, both RFC 5649 and SP 800-38F section 5.3.1 say that
     // the minimum length is one. Therefore we consider test cases with an empty
     // message to be invalid.
-    if (result != WycheproofResult::kInvalid && !msg.empty()) {
+    //
+    // Wycheproof marks various weak parameters as acceptable. We do not enforce
+    // policy in the library, so we map those flags to valid.
+    if (result.IsValid({"SmallKey", "WeakWrapping"}) && !msg.empty()) {
       AES_KEY aes;
       ASSERT_EQ(0, AES_set_decrypt_key(key.data(), 8 * key.size(), &aes));
       std::vector<uint8_t> out(ct.size() - 8);
diff --git a/crypto/hkdf/hkdf_test.cc b/crypto/hkdf/hkdf_test.cc
index 504e927..793506f 100644
--- a/crypto/hkdf/hkdf_test.cc
+++ b/crypto/hkdf/hkdf_test.cc
@@ -286,8 +286,8 @@
     std::vector<uint8_t> out(atoi(size_str.c_str()));
     bool ret = HKDF(out.data(), out.size(), md, ikm.data(), ikm.size(),
                     salt.data(), salt.size(), info.data(), info.size());
-    EXPECT_EQ(result == WycheproofResult::kValid, ret);
-    if (result == WycheproofResult::kValid) {
+    EXPECT_EQ(result.IsValid(), ret);
+    if (result.IsValid()) {
       EXPECT_EQ(Bytes(okm), Bytes(out));
     }
   });
diff --git a/crypto/hmac_extra/hmac_test.cc b/crypto/hmac_extra/hmac_test.cc
index b96abbd..c2d6199 100644
--- a/crypto/hmac_extra/hmac_test.cc
+++ b/crypto/hmac_extra/hmac_test.cc
@@ -142,7 +142,7 @@
     WycheproofResult result;
     ASSERT_TRUE(GetWycheproofResult(t, &result));
 
-    if (result != WycheproofResult::kValid) {
+    if (!result.IsValid()) {
       // Wycheproof tests assume the HMAC implementation checks the MAC. Ours
       // simply computes the HMAC, so skip the tests with invalid outputs.
       return;
diff --git a/crypto/test/wycheproof_util.cc b/crypto/test/wycheproof_util.cc
index 8f7dfeb..cd870dd 100644
--- a/crypto/test/wycheproof_util.cc
+++ b/crypto/test/wycheproof_util.cc
@@ -14,6 +14,10 @@
 
 #include "./wycheproof_util.h"
 
+#include <stdlib.h>
+
+#include <algorithm>
+
 #include <openssl/bn.h>
 #include <openssl/digest.h>
 #include <openssl/ec.h>
@@ -22,21 +26,55 @@
 #include "./file_test.h"
 
 
+bool WycheproofResult::IsValid(
+    const std::vector<std::string> &acceptable_flags) const {
+  switch (raw_result) {
+    case WycheproofRawResult::kValid:
+      return true;
+    case WycheproofRawResult::kInvalid:
+      return false;
+    case WycheproofRawResult::kAcceptable:
+      for (const auto &flag : flags) {
+        if (std::find(acceptable_flags.begin(), acceptable_flags.end(), flag) ==
+            acceptable_flags.end()) {
+          return false;
+        }
+      }
+      return true;
+  }
+
+  abort();
+}
+
 bool GetWycheproofResult(FileTest *t, WycheproofResult *out) {
   std::string result;
   if (!t->GetAttribute(&result, "result")) {
     return false;
   }
   if (result == "valid") {
-    *out = WycheproofResult::kValid;
+    out->raw_result = WycheproofRawResult::kValid;
   } else if (result == "invalid") {
-    *out = WycheproofResult::kInvalid;
+    out->raw_result = WycheproofRawResult::kInvalid;
   } else if (result == "acceptable") {
-    *out = WycheproofResult::kAcceptable;
+    out->raw_result = WycheproofRawResult::kAcceptable;
   } else {
     t->PrintLine("Bad result string '%s'", result.c_str());
     return false;
   }
+
+  out->flags.clear();
+  if (t->HasAttribute("flags")) {
+    std::string flags = t->GetAttributeOrDie("flags");
+    size_t idx = 0;
+    while (idx < flags.size()) {
+      size_t comma = flags.find(',', idx);
+      if (comma == std::string::npos) {
+        comma = flags.size();
+      }
+      out->flags.push_back(flags.substr(idx, comma - idx));
+      idx = comma + 1;
+    }
+  }
   return true;
 }
 
diff --git a/crypto/test/wycheproof_util.h b/crypto/test/wycheproof_util.h
index 4d8a14c..67e0ed3 100644
--- a/crypto/test/wycheproof_util.h
+++ b/crypto/test/wycheproof_util.h
@@ -17,18 +17,31 @@
 
 #include <openssl/base.h>
 
+#include <string>
+#include <vector>
+
 
 // This header contains convenience functions for Wycheproof tests.
 
 class FileTest;
 
-enum class WycheproofResult {
+enum class WycheproofRawResult {
   kValid,
   kInvalid,
   kAcceptable,
 };
 
-// GetWycheproofResult sets |*out| to the parsed "result" key of |t|.
+struct WycheproofResult {
+  WycheproofRawResult raw_result;
+  std::vector<std::string> flags;
+
+  // IsValid returns true if the Wycheproof test should be considered valid. A
+  // test result of "acceptable" is treated as valid if all flags are included
+  // in |acceptable_flags| and invalid otherwise.
+  bool IsValid(const std::vector<std::string> &acceptable_flags = {}) const;
+};
+
+// GetWycheproofResult sets |*out| to the parsed "result" and "flags" keys of |t|.
 bool GetWycheproofResult(FileTest *t, WycheproofResult *out);
 
 // GetWycheproofDigest returns a digest function using the Wycheproof name, or
diff --git a/third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt b/third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt
index f15837c..0a259b8 100644
--- a/third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt
+++ b/third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt
@@ -206,9 +206,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 26
 # zero padding
@@ -217,9 +215,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 27
 # zero padding
@@ -228,9 +224,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 28
 # zero padding
@@ -239,9 +233,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 29
 # zero padding
@@ -250,9 +242,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 30
 # padding with 0xff
@@ -261,9 +251,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 31
 # padding with 0xff
@@ -272,9 +260,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 32
 # padding with 0xff
@@ -283,9 +269,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 33
 # padding with 0xff
@@ -294,9 +278,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 34
 # padding with 0xff
@@ -305,9 +287,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 35
 # bit padding
@@ -316,9 +296,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 36
 # bit padding
@@ -327,9 +305,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 37
 # bit padding
@@ -338,9 +314,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 38
 # bit padding
@@ -349,9 +323,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 39
 # bit padding
@@ -360,9 +332,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 40
 # padding longer than 1 block
@@ -371,9 +341,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 41
 # padding longer than 1 block
@@ -382,9 +350,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 42
 # padding longer than 1 block
@@ -393,9 +359,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 43
 # padding longer than 1 block
@@ -404,9 +368,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 44
 # padding longer than 1 block
@@ -415,9 +377,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 45
 # ANSI X.923 padding
@@ -426,9 +386,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 46
 # ANSI X.923 padding
@@ -437,9 +395,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 47
 # ANSI X.923 padding
@@ -448,9 +404,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 48
 # ANSI X.923 padding
@@ -459,9 +413,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 49
 # ISO 10126 padding
@@ -470,9 +422,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 50
 # ISO 10126 padding
@@ -481,9 +431,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 51
 # ISO 10126 padding
@@ -492,9 +440,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 52
 # ISO 10126 padding
@@ -503,9 +449,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 53
 # padding longer than message
@@ -514,9 +458,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 54
 # padding longer than message
@@ -525,9 +467,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 55
 # padding longer than message
@@ -536,9 +476,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 56
 # padding longer than message
@@ -547,9 +485,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 57
 # padding longer than message
@@ -558,9 +494,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 58
 #  invalid padding
@@ -569,9 +503,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 59
 #  invalid padding
@@ -580,9 +512,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 60
 #  invalid padding
@@ -591,9 +521,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 61
 #  invalid padding
@@ -602,9 +530,7 @@
 key = db4f3e5e3795cc09a073fa6a81e5a6bc
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 [ivSize = 128]
 [keySize = 192]
@@ -808,9 +734,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 87
 # zero padding
@@ -819,9 +743,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 88
 # zero padding
@@ -830,9 +752,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 89
 # zero padding
@@ -841,9 +761,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 90
 # zero padding
@@ -852,9 +770,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 91
 # padding with 0xff
@@ -863,9 +779,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 92
 # padding with 0xff
@@ -874,9 +788,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 93
 # padding with 0xff
@@ -885,9 +797,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 94
 # padding with 0xff
@@ -896,9 +806,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 95
 # padding with 0xff
@@ -907,9 +815,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 96
 # bit padding
@@ -918,9 +824,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 97
 # bit padding
@@ -929,9 +833,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 98
 # bit padding
@@ -940,9 +842,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 99
 # bit padding
@@ -951,9 +851,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 100
 # bit padding
@@ -962,9 +860,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 101
 # padding longer than 1 block
@@ -973,9 +869,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 102
 # padding longer than 1 block
@@ -984,9 +878,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 103
 # padding longer than 1 block
@@ -995,9 +887,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 104
 # padding longer than 1 block
@@ -1006,9 +896,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 105
 # padding longer than 1 block
@@ -1017,9 +905,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 106
 # ANSI X.923 padding
@@ -1028,9 +914,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 107
 # ANSI X.923 padding
@@ -1039,9 +923,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 108
 # ANSI X.923 padding
@@ -1050,9 +932,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 109
 # ANSI X.923 padding
@@ -1061,9 +941,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 110
 # ISO 10126 padding
@@ -1072,9 +950,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 111
 # ISO 10126 padding
@@ -1083,9 +959,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 112
 # ISO 10126 padding
@@ -1094,9 +968,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 113
 # ISO 10126 padding
@@ -1105,9 +977,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 114
 # padding longer than message
@@ -1116,9 +986,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 115
 # padding longer than message
@@ -1127,9 +995,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 116
 # padding longer than message
@@ -1138,9 +1004,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 117
 # padding longer than message
@@ -1149,9 +1013,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 118
 # padding longer than message
@@ -1160,9 +1022,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 119
 #  invalid padding
@@ -1171,9 +1031,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 120
 #  invalid padding
@@ -1182,9 +1040,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 121
 #  invalid padding
@@ -1193,9 +1049,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 122
 #  invalid padding
@@ -1204,9 +1058,7 @@
 key = 9e20311eaf2eaf3e3a04bc52564e67313c84940a2996e3f2
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 [ivSize = 128]
 [keySize = 256]
@@ -1410,9 +1262,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 148
 # zero padding
@@ -1421,9 +1271,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 149
 # zero padding
@@ -1432,9 +1280,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 150
 # zero padding
@@ -1443,9 +1289,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 151
 # zero padding
@@ -1454,9 +1298,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 152
 # padding with 0xff
@@ -1465,9 +1307,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 153
 # padding with 0xff
@@ -1476,9 +1316,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 154
 # padding with 0xff
@@ -1487,9 +1325,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 155
 # padding with 0xff
@@ -1498,9 +1334,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 156
 # padding with 0xff
@@ -1509,9 +1343,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 157
 # bit padding
@@ -1520,9 +1352,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 158
 # bit padding
@@ -1531,9 +1361,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 159
 # bit padding
@@ -1542,9 +1370,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 160
 # bit padding
@@ -1553,9 +1379,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 161
 # bit padding
@@ -1564,9 +1388,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 162
 # padding longer than 1 block
@@ -1575,9 +1397,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 163
 # padding longer than 1 block
@@ -1586,9 +1406,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 164
 # padding longer than 1 block
@@ -1597,9 +1415,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 165
 # padding longer than 1 block
@@ -1608,9 +1424,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 166
 # padding longer than 1 block
@@ -1619,9 +1433,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 167
 # ANSI X.923 padding
@@ -1630,9 +1442,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 168
 # ANSI X.923 padding
@@ -1641,9 +1451,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 169
 # ANSI X.923 padding
@@ -1652,9 +1460,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 170
 # ANSI X.923 padding
@@ -1663,9 +1469,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 171
 # ISO 10126 padding
@@ -1674,9 +1478,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 172
 # ISO 10126 padding
@@ -1685,9 +1487,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 173
 # ISO 10126 padding
@@ -1696,9 +1496,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 174
 # ISO 10126 padding
@@ -1707,9 +1505,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 175
 # padding longer than message
@@ -1718,9 +1514,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 176
 # padding longer than message
@@ -1729,9 +1523,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 177
 # padding longer than message
@@ -1740,9 +1532,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 303132333435363738396162636465
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 178
 # padding longer than message
@@ -1751,9 +1541,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 179
 # padding longer than message
@@ -1762,9 +1550,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 180
 #  invalid padding
@@ -1773,9 +1559,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 181
 #  invalid padding
@@ -1784,9 +1568,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 6162636465666768
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 182
 #  invalid padding
@@ -1795,9 +1577,7 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 30313233343536373839414243444546
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
 # tcId = 183
 #  invalid padding
@@ -1806,7 +1586,5 @@
 key = 7c78f34dbce8f0557d43630266f59babd1cb92ba624bd1a8f45a2a91c84a804a
 msg = 3031323334353637383941424344454647
 result = invalid
-# The ciphertext in this test vector is the message encrypted with an invalid or
-# unexpected padding. This allows to find implementations that are not properly
-# checking the padding during decryption.
+flags = BadPadding
 
diff --git a/third_party/wycheproof_testvectors/aes_gcm_siv_test.txt b/third_party/wycheproof_testvectors/aes_gcm_siv_test.txt
index 3a4b556..9f0ba23 100644
--- a/third_party/wycheproof_testvectors/aes_gcm_siv_test.txt
+++ b/third_party/wycheproof_testvectors/aes_gcm_siv_test.txt
@@ -383,8 +383,7 @@
 msg = 43488548d88e6f774bcd2d52c18fbcc933a4e9a9613ff3edbe959ec59522adc098b3133b8d17b9e9dad631ad33752c95
 result = valid
 tag = 00000000000000000000000000000000
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 40
 # Testing for ctr overflow
@@ -395,8 +394,7 @@
 msg = f012c6a7eb0e8af5bc45e015e7680a693dc709b95383f6a94babec1bc36e4be3cf4f55a31a94f11c6c3f90eed99682bc
 result = valid
 tag = ffffffffffffffffffffffffffffffff
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 41
 # Testing for ctr overflow
@@ -407,8 +405,7 @@
 msg = 71ceee58179d6fb968521e9594dbf98cc0040f6aa38fe873c32a9b122d6cbfd51aa4778b3f4f37be7348690d97e2468b
 result = valid
 tag = fefffffffefffffffefffffffeffffff
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 42
 # Testing for ctr overflow
@@ -419,8 +416,7 @@
 msg = 2e14f9e9a09ea204557367898a80dcad117af3666bea25762b70633a9f3614fbe631ba617c371fd5566d5e613496e69f
 result = valid
 tag = ffffff7f00112233445566778899aabb
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 43
 # Testing for ctr overflow
@@ -431,8 +427,7 @@
 msg = 27fac75879c9d87cd52a0793137ba792f6f145148158eb538f2081e09cd0315986a7025045ecbb2ca1bb18a17bfcd567
 result = valid
 tag = ffffffffffffff7f0011223344556677
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 44
 # Flipped bit 0 in tag
@@ -1153,8 +1148,7 @@
 msg = bdd411814564c4218d224d50591c818855a862a0a519ac0b3d71a2edb12aa71eb81959bcc6b84c45aa424c9aca0b7bdd
 result = valid
 tag = 00000000000000000000000000000000
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 117
 # Testing for ctr overflow
@@ -1165,8 +1159,7 @@
 msg = d04846a01f472262e60a1cb4cfcbdcb05c3f819628a3a49395c5dae96c434b2417ce071699afa74a60c32c0bafd9c01a
 result = valid
 tag = ffffffffffffffffffffffffffffffff
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 118
 # Testing for ctr overflow
@@ -1177,8 +1170,7 @@
 msg = 79637cee9decf33e3080de3d2c55bd21cd529ba8080b583edb6cfe13cda04bd00debe58b8cd48d6e02a1ecfc4d87923a
 result = valid
 tag = fefffffffefffffffefffffffeffffff
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 119
 # Testing for ctr overflow
@@ -1189,8 +1181,7 @@
 msg = 6492a73880dac7f36743715b0fc7063d3e46a25044310bba5849ed88bfcb54b0adbe3978040bda849906e1aa09d1a8e3
 result = valid
 tag = ffffff7f00112233445566778899aabb
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 120
 # Testing for ctr overflow
@@ -1201,8 +1192,7 @@
 msg = 7848d9e872f40bca1b82a4e7185fb75193b3496cc1dc2a72b86ed156ab8389e71687ed25eb6485e66561fa8c39853368
 result = valid
 tag = ffffffffffffff7f0011223344556677
-# The counter for AES-GCM-SIV is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 121
 # Flipped bit 0 in tag
diff --git a/third_party/wycheproof_testvectors/aes_gcm_test.txt b/third_party/wycheproof_testvectors/aes_gcm_test.txt
index e879921..4600340 100644
--- a/third_party/wycheproof_testvectors/aes_gcm_test.txt
+++ b/third_party/wycheproof_testvectors/aes_gcm_test.txt
@@ -500,9 +500,7 @@
 msg = 
 result = acceptable
 tag = 44aca00f42e4199b829a55e69b073d9e
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 52
 # small IV sizes
@@ -513,9 +511,7 @@
 msg = d8986df0241ed3297582c0c239c724cb
 result = acceptable
 tag = 3290aa95af505a742f517fabcc9b2094
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 128]
 [keySize = 128]
@@ -584,8 +580,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 152a65045fe674f97627427af5be22da
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 60
 # J0:00000000000000000000000000000000
@@ -596,8 +591,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 213a3cb93855d18e69337eee66aeec07
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 61
 # J0:ffffffffffffffffffffffffffffffff
@@ -608,8 +602,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 99b381bfa2af9751c39d1b6e86d1be6a
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 62
 # J0:fffffffffffffffffffffffffffffffe
@@ -620,8 +613,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 5281efc7f13ac8e14ccf5dca7bfbfdd1
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 63
 # J0:fffffffffffffffffffffffffffffffd
@@ -632,8 +624,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = a3ea2c09ee4f8c8a12f45cddf9aeff81
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 64
 # J0:000102030405060708090a0bffffffff
@@ -644,8 +635,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 07eb2fe4a958f8434d40684899507c7c
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 65
 # J0:000102030405060708090a0bfffffffe
@@ -656,8 +646,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = f145c2dcaf339eede427be934357eac0
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 66
 # J0:000102030405060708090a0bfffffffd
@@ -668,8 +657,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = facd0bfe8701b7b4a2ba96d98af52bd9
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 67
 # J0:000102030405060708090a0b7fffffff
@@ -680,8 +668,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = a03e729dcfd7a03155655fece8affd7e
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 68
 # J0:000102030405060708090a0b7ffffffe
@@ -692,8 +679,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 1e43926828bc9a1614c7b1639096c195
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 69
 # J0:000102030405060708090a0bffff7fff
@@ -704,8 +690,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = f08baddf0b5285c91fc06a67fe4708ca
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 70
 # J0:000102030405060708090a0bffff7ffe
@@ -716,8 +701,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 62a4b6875c288345d6a454399eac1afa
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 71
 # special case
@@ -1217,8 +1201,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 09338a42f0acc14f97c064f52f5f1688
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 122
 # J0:00000000000000000000000000000000
@@ -1229,8 +1212,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 90be3606de58bd778fa5beff4a4102bd
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 123
 # J0:ffffffffffffffffffffffffffffffff
@@ -1241,8 +1223,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 6e4d6396125a10df5443bd0cbc8566d1
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 124
 # J0:fffffffffffffffffffffffffffffffe
@@ -1253,8 +1234,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = dc481f172545268eff63ab0490403dc3
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 125
 # J0:fffffffffffffffffffffffffffffffd
@@ -1265,8 +1245,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 8a3a22bf2592958b930292aa47f590e8
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 126
 # J0:000102030405060708090a0bffffffff
@@ -1277,8 +1256,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 2db9dc1b7fd315df1c95432432fcf474
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 127
 # J0:000102030405060708090a0bfffffffe
@@ -1289,8 +1267,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 82ad967f7ac19084354f69a751443fb2
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 128
 # J0:000102030405060708090a0bfffffffd
@@ -1301,8 +1278,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 472d5dd582dc05ef5fc496b612023cb2
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 129
 # J0:000102030405060708090a0b7fffffff
@@ -1313,8 +1289,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = caff723826df150934aee3201ba175e7
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 130
 # J0:000102030405060708090a0b7ffffffe
@@ -1325,8 +1300,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 3b08958be1286c2b4acba02b3674adb2
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 131
 # J0:000102030405060708090a0bffff7fff
@@ -1337,8 +1311,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = c14d52208f0f51b816a48971eaf8ff7e
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 132
 # J0:000102030405060708090a0bffff7ffe
@@ -1349,8 +1322,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = ea2d018099cd7925c507cef0ceddb0ae
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 133
 # special case
@@ -1877,8 +1849,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = d5808a1bd11a01129bf3c6919aff2339
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 187
 # J0:00000000000000000000000000000000
@@ -1889,8 +1860,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 8132e865b69d64ef37db261f80cbbe24
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 188
 # J0:ffffffffffffffffffffffffffffffff
@@ -1901,8 +1871,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 155da6441ec071ef2d8e6cffbacc1c7c
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 189
 # J0:fffffffffffffffffffffffffffffffe
@@ -1913,8 +1882,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 6c574aa6a2490cc3b2f2f8f0ffbc56c4
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 190
 # J0:fffffffffffffffffffffffffffffffd
@@ -1925,8 +1893,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 8082a761e1d755344bf29622144e7d39
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 191
 # J0:000102030405060708090a0bffffffff
@@ -1937,8 +1904,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 033e0ef2953ebfd8425737c7d393f89a
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 192
 # J0:000102030405060708090a0bfffffffe
@@ -1949,8 +1915,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = ca448bb7e52e897eca234ef343d057d0
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 193
 # J0:000102030405060708090a0bfffffffd
@@ -1961,8 +1926,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 84f49740e6757f63dd0df7cb7656d0ef
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 194
 # J0:000102030405060708090a0b7fffffff
@@ -1973,8 +1937,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = 877e15d9889e69a99fcc6d727465c391
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 195
 # J0:000102030405060708090a0b7ffffffe
@@ -1985,8 +1948,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = cd5757626945976ba9f0264bd6bee894
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 196
 # J0:000102030405060708090a0bffff7fff
@@ -1997,8 +1959,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = b015d72da62c81cb4d267253b20db9e5
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 197
 # J0:000102030405060708090a0bffff7ffe
@@ -2009,8 +1970,7 @@
 msg = 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = valid
 tag = ee74ccb30d649ebf6916d05a7dbe5696
-# The counter for AES-GCM is reduced modulo 2**32. This test vector was
-# constructed to test for correct wrapping of the counter.
+flags = ConstructedIv
 
 # tcId = 198
 # special case
@@ -2342,9 +2302,7 @@
 msg = 
 result = invalid
 tag = cf71978ffcc778f3c85ac9c31b6fe191
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 # tcId = 224
 # 0 size IV is not valid
@@ -2355,9 +2313,7 @@
 msg = 324ced6cd15ecc5b3741541e22c18ad9
 result = invalid
 tag = a2c7e8d7a19b884f742dfec3e76c75ee
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 [ivSize = 0]
 [keySize = 192]
@@ -2372,9 +2328,7 @@
 msg = 
 result = invalid
 tag = ca69a2eb3a096ea36b1015d5dffff532
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 # tcId = 226
 # 0 size IV is not valid
@@ -2385,9 +2339,7 @@
 msg = d62f302742d61d823ea991b93430d589
 result = invalid
 tag = 2c9488d53a0b2b5308c2757dfac7219f
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 [ivSize = 0]
 [keySize = 256]
@@ -2402,9 +2354,7 @@
 msg = 
 result = invalid
 tag = 1726aa695fbaa21a1db88455c670a4b0
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 # tcId = 228
 # 0 size IV is not valid
@@ -2415,9 +2365,7 @@
 msg = c314235341debfafa1526bb61044a7f1
 result = invalid
 tag = 8fe0520ad744a11f0ccfd228454363fa
-# AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the
-# authentication key. Hence using an IV of length 0 is insecure even if the key
-# itself is only used for a single encryption.
+flags = ZeroLengthIv
 
 [ivSize = 8]
 [keySize = 128]
@@ -2432,9 +2380,7 @@
 msg = 
 result = acceptable
 tag = af498f701d2470695f6e7c8327a2398b
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 230
 # small IV sizes
@@ -2445,9 +2391,7 @@
 msg = f2d99a9f893378e0757d27c2e3a3101b
 result = acceptable
 tag = 96e6fd2cdc707e3ee0a1c90d34c9c36c
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 16]
 [keySize = 128]
@@ -2462,9 +2406,7 @@
 msg = 
 result = acceptable
 tag = 4ccf1efb4da05b4ae4452aea42f5424b
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 232
 # small IV sizes
@@ -2475,9 +2417,7 @@
 msg = 5a6ad6db70591d1e520b0122f05021a0
 result = acceptable
 tag = 98f47a5279cebbcac214515710f6cd8a
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 32]
 [keySize = 128]
@@ -2492,9 +2432,7 @@
 msg = 
 result = acceptable
 tag = e574b355bda2980e047e584feb1676ca
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 234
 # small IV sizes
@@ -2505,9 +2443,7 @@
 msg = c8f07ba1d65554a9bd40390c30c5529c
 result = acceptable
 tag = 5c0bb79d8240041edce0f94bd4bb384f
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 48]
 [keySize = 128]
@@ -2522,9 +2458,7 @@
 msg = 
 result = acceptable
 tag = 1e2ed72af590cafb8647d185865f5463
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 236
 # small IV sizes
@@ -2535,9 +2469,7 @@
 msg = d021e53d9098a2df3d6b903cdad0cd9c
 result = acceptable
 tag = 9c0e22e5c41b1039ff5661ffaefa8e0f
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 8]
 [keySize = 192]
@@ -2552,9 +2484,7 @@
 msg = 
 result = acceptable
 tag = 08d96edb5e22874cd10cb2256ca04bc6
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 238
 # small IV sizes
@@ -2565,9 +2495,7 @@
 msg = f2b7b2c9b312cf2af78f003df15c8e19
 result = acceptable
 tag = 96a132ed43924e98feb888ff682bdaef
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 16]
 [keySize = 192]
@@ -2582,9 +2510,7 @@
 msg = 
 result = acceptable
 tag = 1f0d23070fcd748e25bf6454f5c9136e
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 240
 # small IV sizes
@@ -2595,9 +2521,7 @@
 msg = 3a2f5ad0eb216e546e0bcaa377b6cbc7
 result = acceptable
 tag = f6e0a979481f9957ddad0f21a777a73a
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 32]
 [keySize = 192]
@@ -2612,9 +2536,7 @@
 msg = 
 result = acceptable
 tag = 1475563e3212f3b5e40062569afd71e3
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 242
 # small IV sizes
@@ -2625,9 +2547,7 @@
 msg = 6f79e18b4acd5a03d3a5f7e1a8d0f183
 result = acceptable
 tag = 03ab26993b701910a2e8ecccd2ba9e52
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 48]
 [keySize = 192]
@@ -2642,9 +2562,7 @@
 msg = 
 result = acceptable
 tag = d7b9a6b58a97982916e83219fbf71b1e
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 244
 # small IV sizes
@@ -2655,9 +2573,7 @@
 msg = 4ba541a9914729216153801340ab1779
 result = acceptable
 tag = c052a55df3926a50990a532efe3d80ec
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 64]
 [keySize = 192]
@@ -2672,9 +2588,7 @@
 msg = 
 result = acceptable
 tag = f94f2049a6560c470b3a7ca7bbc31a3d
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 246
 # small IV sizes
@@ -2685,9 +2599,7 @@
 msg = c4b1e05ca3d591f9543e64de3fc682ac
 result = acceptable
 tag = 7db7402224fd583e312bc0e61cf11366
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 8]
 [keySize = 256]
@@ -2702,9 +2614,7 @@
 msg = 
 result = acceptable
 tag = 2a268bf3a75fd7b00ba230b904bbb014
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 248
 # small IV sizes
@@ -2715,9 +2625,7 @@
 msg = 976229f5538f9636476d69f0c328e29d
 result = acceptable
 tag = 8bbad4adc54b37a2b2f0f6e8617548c9
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 16]
 [keySize = 256]
@@ -2732,9 +2640,7 @@
 msg = 
 result = acceptable
 tag = 1d978a693120c11f6d51a3ed88cd4ace
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 250
 # small IV sizes
@@ -2745,9 +2651,7 @@
 msg = 5341c78e4ce5bf8fbc3e077d1990dd5d
 result = acceptable
 tag = b63ff43c12073ec5572b1be70f17e231
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 32]
 [keySize = 256]
@@ -2762,9 +2666,7 @@
 msg = 
 result = acceptable
 tag = ae6f7c9a29f0d8204ca50b14a1e0dcf2
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 252
 # small IV sizes
@@ -2775,9 +2677,7 @@
 msg = 33efb58c91e8c70271870ec00fe2e202
 result = acceptable
 tag = b824c33c13f289429659aa017c632f71
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 48]
 [keySize = 256]
@@ -2792,9 +2692,7 @@
 msg = 
 result = acceptable
 tag = 3db16725fafc828d414ab61c16a6c38f
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 254
 # small IV sizes
@@ -2805,9 +2703,7 @@
 msg = 91222263b12cf5616a049cbe29ab9b5b
 result = acceptable
 tag = c8fc39906aca0c64e14a43ff750abd8a
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 [ivSize = 64]
 [keySize = 256]
@@ -2822,9 +2718,7 @@
 msg = 
 result = acceptable
 tag = 1311f9f830d729c189b74ec4f9080fa1
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
 # tcId = 256
 # small IV sizes
@@ -2835,7 +2729,5 @@
 msg = 82e3e604d2be8fcab74f638d1e70f24c
 result = acceptable
 tag = af68a37cfefecc4ab99ba50a5353edca
-# AES-GCM leaks the authentication key if the same IV is used twice. Hence short
-# IV sizes are typically discouraged. This test vector uses an IV smaller than
-# 12 bytes
+flags = SmallIv
 
diff --git a/third_party/wycheproof_testvectors/dsa_test.txt b/third_party/wycheproof_testvectors/dsa_test.txt
index 3805f12..14ad490 100644
--- a/third_party/wycheproof_testvectors/dsa_test.txt
+++ b/third_party/wycheproof_testvectors/dsa_test.txt
@@ -18,11 +18,7 @@
 msg = 313233343030
 result = acceptable
 sig = 302c0214aa6a258fbf7d90e15614676d377df8b10e38db4a0214496d5220b5f67d3532d1f991203bc3523b964c3b
-# ASN encoded integers with a leading hex-digit in the range 8 .. F are
-# negative. If the first hex-digit of a positive integer is 8 .. F then a
-# leading 0 must be added. Some libraries forgot to do this and therefore
-# generated invalid DSA signatures. Some providers accept such legacy signatures
-# for compatibility.
+flags = NoLeadingZero
 
 # tcId = 2
 # valid
@@ -881,1287 +877,1001 @@
 msg = 313233343030
 result = invalid
 sig = 301a0201000215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 145
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020100020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 146
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020100020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 147
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 148
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902010002145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 149
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902010002145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 150
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020100021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 151
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020100021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 152
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020100021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 153
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201000215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 154
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702010002818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 155
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008020100090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 156
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020100090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 157
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201010215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 158
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020101020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 159
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020101020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 160
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 161
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902010102145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 162
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902010102145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 163
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020101021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 164
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020101021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 165
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a020101021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 166
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201010215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 167
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702010102818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 168
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008020101090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 169
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3006020101090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 170
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff0215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 171
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201ff020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 172
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201ff020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 173
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201ff0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 174
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30190201ff02145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 175
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30190201ff02145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 176
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 177
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 178
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 179
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0201ff0215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 180
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3081870201ff02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 181
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30080201ff090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 182
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30060201ff090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 183
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d80215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 184
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d8020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 185
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d8020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 186
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d80201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 187
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302c02145c859c5d0528521f6344c69fcdb4024bbbfa44d802145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 188
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302c02145c859c5d0528521f6344c69fcdb4024bbbfa44d802145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 189
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d8021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 190
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d8021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 191
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d8021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 192
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d80215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 193
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819a02145c859c5d0528521f6344c69fcdb4024bbbfa44d802818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 194
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301b02145c859c5d0528521f6344c69fcdb4024bbbfa44d8090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 195
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d8090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 196
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d90215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 197
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d9020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 198
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d9020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 199
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d90201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 200
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302c02145c859c5d0528521f6344c69fcdb4024bbbfa44d902145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 201
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302c02145c859c5d0528521f6344c69fcdb4024bbbfa44d902145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 202
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d9021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 203
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d9021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 204
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d9021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 205
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d02145c859c5d0528521f6344c69fcdb4024bbbfa44d90215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 206
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819a02145c859c5d0528521f6344c69fcdb4024bbbfa44d902818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 207
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301b02145c859c5d0528521f6344c69fcdb4024bbbfa44d9090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 208
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301902145c859c5d0528521f6344c69fcdb4024bbbfa44d9090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 209
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b00215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 210
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b0020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 211
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b0020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 212
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b00201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 213
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b002145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 214
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b002145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 215
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b0021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 216
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b0021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 217
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b0021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 218
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b00215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 219
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b021500b90b38ba0a50a43ec6898d3f9b68049777f489b002818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 220
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c021500b90b38ba0a50a43ec6898d3f9b68049777f489b0090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 221
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b0090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 222
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b10215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 223
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b1020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 224
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b1020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 225
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b10201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 226
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b102145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 227
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b102145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 228
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b1021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 229
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b1021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 230
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b1021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 231
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b10215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 232
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b021500b90b38ba0a50a43ec6898d3f9b68049777f489b102818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 233
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c021500b90b38ba0a50a43ec6898d3f9b68049777f489b1090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 234
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b1090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 235
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b20215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 236
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b2020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 237
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b2020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 238
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b20201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 239
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b202145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 240
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021500b90b38ba0a50a43ec6898d3f9b68049777f489b202145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 241
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b2021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 242
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b2021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 243
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b2021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 244
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e021500b90b38ba0a50a43ec6898d3f9b68049777f489b20215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 245
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b021500b90b38ba0a50a43ec6898d3f9b68049777f489b202818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 246
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c021500b90b38ba0a50a43ec6898d3f9b68049777f489b2090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 247
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a021500b90b38ba0a50a43ec6898d3f9b68049777f489b2090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 248
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e02150100000000000000000000000000000000000000000215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 249
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0215010000000000000000000000000000000000000000020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 250
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0215010000000000000000000000000000000000000000020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 251
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a02150100000000000000000000000000000000000000000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 252
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021501000000000000000000000000000000000000000002145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 253
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302d021501000000000000000000000000000000000000000002145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 254
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e0215010000000000000000000000000000000000000000021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 255
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e0215010000000000000000000000000000000000000000021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 256
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e0215010000000000000000000000000000000000000000021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 257
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 302e02150100000000000000000000000000000000000000000215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 258
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b021501000000000000000000000000000000000000000002818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 259
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c0215010000000000000000000000000000000000000000090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 260
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301a0215010000000000000000000000000000000000000000090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 261
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f0215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 262
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 263
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 264
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 265
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819a02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f02145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 266
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819a02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f02145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 267
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 268
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 269
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 270
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30819b02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f0215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 271
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3082010802818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f02818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 272
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818902818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 273
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 30818702818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 274
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe010215ff46f4c745f5af5bc1397672c06497fb68880b764f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 275
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008090380fe01020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 276
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008090380fe01020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 277
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008090380fe010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 278
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301b090380fe0102145c859c5d0528521f6344c69fcdb4024bbbfa44d8
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 279
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301b090380fe0102145c859c5d0528521f6344c69fcdb4024bbbfa44d9
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 280
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe01021500b90b38ba0a50a43ec6898d3f9b68049777f489b0
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 281
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe01021500b90b38ba0a50a43ec6898d3f9b68049777f489b1
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 282
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe01021500b90b38ba0a50a43ec6898d3f9b68049777f489b2
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 283
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 301c090380fe010215010000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 284
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 308189090380fe0102818100b34ce9c1e78294d3258473842005d2a48c8c566cfca8f84c0606f2529b59a6d38aae071b53bb2167eaa4fc3b01fe176e787e481b6037aac62cbc3d089799536a869fa8cdfea1e8b1fd2d1cd3a30350859a2cd6b3ec2f9bfbb68bb11b4bbe2adaa18d64a93639543ae5e16293e311c0cf8c8d6e180df05d08c2fd2d93d570751f
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 285
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 300a090380fe01090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 286
 # Signatures with special case values for r and s.
 msg = 313233343030
 result = invalid
 sig = 3008090380fe01090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 287
 # Signature encoding contains wrong type.
@@ -2291,11 +2001,7 @@
 msg = 48656c6c6f
 result = acceptable
 sig = 303c021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021cade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236
-# ASN encoded integers with a leading hex-digit in the range 8 .. F are
-# negative. If the first hex-digit of a positive integer is 8 .. F then a
-# leading 0 must be added. Some libraries forgot to do this and therefore
-# generated invalid DSA signatures. Some providers accept such legacy signatures
-# for compatibility.
+flags = NoLeadingZero
 
 # tcId = 304
 # valid
@@ -3154,1287 +2860,1001 @@
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 447
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020100020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 448
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020100020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 449
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 450
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021020100021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 451
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021020100021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 452
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 453
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 454
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 455
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020100021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 456
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802010002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 457
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008020100090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 458
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020100090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 459
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 460
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020101020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 461
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020101020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 462
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 463
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021020101021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 464
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021020101021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 465
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 466
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 467
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 468
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022020101021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 469
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802010102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 470
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008020101090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 471
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3006020101090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 472
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 473
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201ff020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 474
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201ff020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 475
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201ff0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 476
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30210201ff021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 477
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30210201ff021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 478
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 479
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 480
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 481
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30220201ff021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 482
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 308201080201ff02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 483
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30080201ff090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 484
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30060201ff090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 485
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 486
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 487
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 488
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 489
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 490
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 491
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 492
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 493
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 494
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 495
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820123021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 496
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3023021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 497
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 498
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 499
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 500
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 501
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 502
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 503
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 504
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 505
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 506
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 507
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 508
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820123021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 509
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3023021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 510
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 511
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 512
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 513
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 514
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 515
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 516
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 517
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 518
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 519
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 520
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 521
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 522
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 523
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 524
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 525
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 526
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 527
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 528
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 529
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 530
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 531
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 532
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 533
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 534
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 535
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 536
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 537
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 538
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 539
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 540
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 541
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 542
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 543
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 544
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 545
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 546
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 547
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 548
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 549
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 550
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 551
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 552
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 553
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d01000000000000000000000000000000000000000000000000000000000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 554
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d0100000000000000000000000000000000000000000000000000000000021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 555
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303d021d0100000000000000000000000000000000000000000000000000000000021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 556
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 557
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 558
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 559
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 560
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 30820124021d010000000000000000000000000000000000000000000000000000000002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 561
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024021d0100000000000000000000000000000000000000000000000000000000090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 562
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 563
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 564
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 565
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 566
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd6670201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 567
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012302820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 568
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012302820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 569
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 570
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 571
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 572
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 573
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082020a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd66702820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 574
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 575
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 576
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 577
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008090380fe01020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 578
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008090380fe01020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 579
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008090380fe010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 580
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3023090380fe01021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 581
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3023090380fe01021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 582
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 583
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 584
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 585
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3024090380fe01021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 586
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3082010a090380fe0102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 587
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 300a090380fe01090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 588
 # Signatures with special case values for r and s.
 msg = 48656c6c6f
 result = invalid
 sig = 3008090380fe01090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 589
 # Signature encoding contains wrong type.
@@ -4564,11 +3984,7 @@
 msg = 54657374
 result = acceptable
 sig = 303c021c9b6fe4a1cbd4467d7584ae382ae3130a580e61b969a6067373d5ee93021c5fe8234711d68fade4142c8cf60f385470480c386c062b38fb42b116
-# ASN encoded integers with a leading hex-digit in the range 8 .. F are
-# negative. If the first hex-digit of a positive integer is 8 .. F then a
-# leading 0 must be added. Some libraries forgot to do this and therefore
-# generated invalid DSA signatures. Some providers accept such legacy signatures
-# for compatibility.
+flags = NoLeadingZero
 
 # tcId = 606
 # valid
@@ -5427,1287 +4843,1001 @@
 msg = 54657374
 result = invalid
 sig = 3022020100021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 749
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020100020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 750
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020100020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 751
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 752
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021020100021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 753
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021020100021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 754
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 755
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 756
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 757
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020100021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 758
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802010002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 759
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008020100090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 760
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020100090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 761
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 762
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020101020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 763
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020101020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 764
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 765
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021020101021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 766
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021020101021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 767
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 768
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 769
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 770
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022020101021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 771
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802010102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 772
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008020101090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 773
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3006020101090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 774
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 775
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201ff020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 776
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201ff020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 777
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201ff0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 778
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30210201ff021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 779
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30210201ff021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 780
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 781
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 782
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 783
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30220201ff021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 784
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 308201080201ff02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 785
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30080201ff090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 786
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30060201ff090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 787
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 788
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 789
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 790
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 791
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 792
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 793
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 794
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 795
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 796
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 797
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820123021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 798
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3023021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 799
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 800
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 801
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 802
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 803
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 804
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 805
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 806
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 807
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 808
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 809
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 810
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820123021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 811
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3023021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 812
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3021021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 813
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 814
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 815
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 816
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 817
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 818
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 819
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 820
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 821
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 822
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 823
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 824
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 825
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 826
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 827
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 828
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 829
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 830
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 831
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 832
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 833
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 834
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 835
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 836
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 837
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 838
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 839
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 840
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 841
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 842
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e0201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 843
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 844
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 845
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 846
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 847
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 848
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 849
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820124021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 850
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 851
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 852
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 853
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 854
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 855
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d01000000000000000000000000000000000000000000000000000000000201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 856
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d0100000000000000000000000000000000000000000000000000000000021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 857
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303d021d0100000000000000000000000000000000000000000000000000000000021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 858
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 859
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 860
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 861
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 303e021d0100000000000000000000000000000000000000000000000000000000021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 862
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 30820124021d010000000000000000000000000000000000000000000000000000000002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 863
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024021d0100000000000000000000000000000000000000000000000000000000090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 864
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3022021d0100000000000000000000000000000000000000000000000000000000090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 865
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 866
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 867
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 868
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd6670201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 869
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012302820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 870
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012302820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 871
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 872
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 873
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 874
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 875
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082020a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd66702820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 876
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010a02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 877
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 878
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 879
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008090380fe01020100
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 880
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008090380fe01020101
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 881
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008090380fe010201ff
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 882
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3023090380fe01021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4ae
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 883
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3023090380fe01021c5d7b4b5342bc7befef73fd33e4bbe3c2f7995919dd72c0605e6ab4af
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 884
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695c
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 885
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 886
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 887
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3024090380fe01021d0100000000000000000000000000000000000000000000000000000000
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 888
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3082010a090380fe0102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c05763939601cd667
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 889
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 300a090380fe01090380fe01
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 890
 # Signatures with special case values for r and s.
 msg = 54657374
 result = invalid
 sig = 3008090380fe01090142
-# Some implementations of DSA do not properly check for boundaries. In some
-# cases the modular inverse of 0 is simply 0. As a result there are
-# implementations where values such as r=1, s=0 lead to forgeries.
+flags = EdgeCase
 
 # tcId = 891
 # Signature encoding contains wrong type.
diff --git a/third_party/wycheproof_testvectors/ecdh_secp224r1_test.txt b/third_party/wycheproof_testvectors/ecdh_secp224r1_test.txt
index 9354e30..9e339ae 100644
--- a/third_party/wycheproof_testvectors/ecdh_secp224r1_test.txt
+++ b/third_party/wycheproof_testvectors/ecdh_secp224r1_test.txt
@@ -20,8 +20,7 @@
 public = 3032301006072a8648ce3d020106052b81040021031e00027d8ac211e1228eb094e285a957d9912e93deee433ed777440ae9fc71
 result = acceptable
 shared = b8ecdb552d39228ee332bafe4886dbff272f7109edf933bc7542bd4f
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 3
 # edge case for shared secret
@@ -533,9 +532,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504
 result = valid
 shared = 475fd96e0eb8cb8f100a5d7fe043a7a6851d1d611da2643a3c6ae708
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 76
 # edge case private key
@@ -543,9 +540,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504
 result = valid
 shared = 41ef931d669d1f57d8bb95a01a92321da74be8c6cbc3bbe0b2e73ebd
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 77
 # edge case private key
@@ -560,9 +555,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504
 result = valid
 shared = 11ff15126411299cbd49e2b7542e69e91ef132e2551a16ecfebb23a3
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 79
 # point is not on curve
@@ -688,12 +681,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5d
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 97
 # public point = (0,0)
@@ -701,12 +689,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a00040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 98
 # order = -26959946667150639794667015087019625940457807714424391721682722368061
@@ -714,20 +697,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021dff0000000000000000000000000000e95d1f470fc1ec22d6baa3a3d5c3020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 99
 # order = 0
@@ -735,20 +705,7 @@
 public = 3081f73081b806072a8648ce3d02013081ac020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34020100020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 100
 # order = 1
@@ -756,20 +713,7 @@
 public = 3081f73081b806072a8648ce3d02013081ac020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34020101020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 101
 # order = 6277101735386680763835789423207665314073163949517624387909
@@ -777,20 +721,7 @@
 public = 3082010f3081d006072a8648ce3d02013081c4020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021900ffffffffffffffffffffffffffff16a2e0b8f03e13dd2945020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 102
 # generator = (0,0)
@@ -798,17 +729,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb40439040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 103
 # generator not on curve
@@ -816,17 +737,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e36021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 104
 # cofactor = -1
@@ -834,17 +745,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d0201ff033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 105
 # cofactor = 0
@@ -852,17 +753,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020100033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 106
 # cofactor = 2
@@ -870,17 +761,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020102033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 107
 # cofactor =
@@ -889,17 +770,7 @@
 public = 3082012f3081f006072a8648ce3d02013081e4020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = invalid
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 108
 # cofactor = None
@@ -907,17 +778,7 @@
 public = 308201103081d106072a8648ce3d02013081c5020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cfffffffffffffffffffffffffffffffefffffffffffffffffffffffe041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 109
 # modified prime
@@ -925,20 +786,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00c123da0a46a971da9468161e61a5c71a02e6c9bdb3392f4016fb457b303c041c3edc25f5b9568e256b97e9e19e5a38e4fd1936424cc6d0bfe904ba83041cb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4043904000000000000000000285145f31ae4d40000000000000000000003387edad63d1a600740ce66b6f04d67ed06ea1a75c16294336ed05b3fa3021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004000000000000000000285145f31ae4d40000000000000000000003387edad63d1a600740ce66b6f04d67ed06ea1a75c16294336ed05b3fa3
 result = invalid
 shared = 3de0a5036fcde544c72cbe33cedb8709549bc3b6a4d750ee0de4c80d
-# The modulus of the public key has been modified. The public point of the
-# public key has been chosen so that it is both a point on both the curve of the
-# modified public key and the private key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = ModifiedPrime,InvalidPublic,UnnamedCurve
 
 # tcId = 110
 # using secp256r1
@@ -946,12 +794,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d03010703420004cbf6606595a3ee50f9fceaa2798c2740c82540516b4e5a7d361ff24e9dd15364e5408b2e679f9d5310d1f6893b36ce16b4a507509175fcb52aea53b781556b39
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 111
 # using secp256k1
@@ -959,12 +802,7 @@
 public = 3056301006072a8648ce3d020106052b8104000a03420004a1263e75b87ae0937060ff1472f330ee55cdf8f4329d6284a9ebfbcc856c11684225e72cbebff41e54fb6f00e11afe53a17937bedbf2df787f8ef9584f775838
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 112
 # a = 0
@@ -972,17 +810,7 @@
 public = 3081f83081b906072a8648ce3d02013081ad020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff0000000000000000000000013021040100041cd0d5e347a38ce5b6e1f47edddd8a223bca45d2015de76ec835a4df57043904a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004a10fb7bf22d299fc5bc43bd2d0e8da28af28ace8430bee28f9e5b57554275c0615d8d9a3011d7bc4c1c4cf4a834c8dc46f25b98854401a5b
 result = acceptable
 shared = 9b992dad1c2b5dadd3b5aeb84b7a91fb6fe5f46e02ab2c7fa32696a7
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 113
 # public key of order 3
@@ -990,21 +818,7 @@
 public = 308201133081d406072a8648ce3d02013081c8020101302806072a8648ce3d0101021d00ffffffffffffffffffffffffffffffff000000000000000000000001303c041cacb441c744c5af60905e78cd53b10f4aec9f30a302bb4ab0aeb53182041c2356bdcb3ae3e1c1e31741c951add1b2b0f87305d01021232aa22e0c043904bafbb7559c7335192c6f0cc5970e9c92a12e9af1a0cb5403d9bcc4eb7a545a1d9302be01456f17846a445ef45ff7c31710b08a6881dc11d1021d00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d020101033a0004bafbb7559c7335192c6f0cc5970e9c92a12e9af1a0cb5403d9bcc4eb85aba5e26cfd41feba90e87b95bba10aa0083ce8ef4f75977e23ee30
 result = invalid
 shared = 
-# The vector contains a weak public key. The curve is not a named curve, the
-# public key point has order 3 and has been chosen to be on the same curve as
-# the private key. This test vector is used to check ECC implementations for
-# missing steps in the verification of the public key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WeakPublicKey,InvalidPublic,UnnamedCurve
 
 # tcId = 114
 # Public key uses wrong curve: secp256r1
@@ -1117,8 +931,7 @@
 public = 3032301006072a8648ce3d020106052b81040021031e00020ca753db5ddeca474241f8d2dafc0844343fd0e37eded2f0192d51b2
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 130
 # long form encoding of length of sequence
@@ -1126,9 +939,7 @@
 public = 30814e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 131
 # long form encoding of length of sequence
@@ -1136,9 +947,7 @@
 public = 304f30811006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 132
 # length of sequence contains leading 0
@@ -1146,9 +955,7 @@
 public = 3082004e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 133
 # length of sequence contains leading 0
@@ -1156,9 +963,7 @@
 public = 30503082001006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 134
 # wrong length of sequence
@@ -1166,9 +971,7 @@
 public = 304f301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 135
 # wrong length of sequence
@@ -1176,9 +979,7 @@
 public = 304d301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 136
 # wrong length of sequence
@@ -1186,9 +987,7 @@
 public = 304e301106072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 137
 # wrong length of sequence
@@ -1196,9 +995,7 @@
 public = 304e300f06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 138
 # uint32 overflow in length of sequence
@@ -1206,9 +1003,7 @@
 public = 3085010000004e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 139
 # uint32 overflow in length of sequence
@@ -1216,9 +1011,7 @@
 public = 30533085010000001006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 140
 # uint64 overflow in length of sequence
@@ -1226,9 +1019,7 @@
 public = 308901000000000000004e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 141
 # uint64 overflow in length of sequence
@@ -1236,9 +1027,7 @@
 public = 3057308901000000000000001006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 142
 # length of sequence = 2**31 - 1
@@ -1246,9 +1035,7 @@
 public = 30847fffffff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 143
 # length of sequence = 2**31 - 1
@@ -1256,9 +1043,7 @@
 public = 305230847fffffff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 144
 # length of sequence = 2**32 - 1
@@ -1266,9 +1051,7 @@
 public = 3084ffffffff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 145
 # length of sequence = 2**32 - 1
@@ -1276,9 +1059,7 @@
 public = 30523084ffffffff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 146
 # length of sequence = 2**40 - 1
@@ -1286,9 +1067,7 @@
 public = 3085ffffffffff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 147
 # length of sequence = 2**40 - 1
@@ -1296,9 +1075,7 @@
 public = 30533085ffffffffff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 148
 # length of sequence = 2**64 - 1
@@ -1306,9 +1083,7 @@
 public = 3088ffffffffffffffff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 149
 # length of sequence = 2**64 - 1
@@ -1316,9 +1091,7 @@
 public = 30563088ffffffffffffffff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 150
 # incorrect length of sequence
@@ -1326,9 +1099,7 @@
 public = 30ff301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 151
 # incorrect length of sequence
@@ -1336,9 +1107,7 @@
 public = 304e30ff06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 152
 # indefinite length without termination
@@ -1346,9 +1115,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 153
 # indefinite length without termination
@@ -1356,9 +1123,7 @@
 public = 304e308006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 154
 # indefinite length without termination
@@ -1366,9 +1131,7 @@
 public = 304e301006802a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 155
 # indefinite length without termination
@@ -1376,9 +1139,7 @@
 public = 304e301006072a8648ce3d020106802b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 156
 # indefinite length without termination
@@ -1386,9 +1147,7 @@
 public = 304e301006072a8648ce3d020106052b810400210380000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 157
 # removing sequence
@@ -1396,9 +1155,7 @@
 public = 
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 158
 # removing sequence
@@ -1406,9 +1163,7 @@
 public = 303c033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 159
 # lonely sequence tag
@@ -1416,9 +1171,7 @@
 public = 30
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 160
 # lonely sequence tag
@@ -1426,9 +1179,7 @@
 public = 303d30033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 161
 # appending 0's to sequence
@@ -1436,9 +1187,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 162
 # appending 0's to sequence
@@ -1446,9 +1195,7 @@
 public = 3050301206072a8648ce3d020106052b810400210000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 163
 # prepending 0's to sequence
@@ -1456,9 +1203,7 @@
 public = 30500000301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 164
 # prepending 0's to sequence
@@ -1466,9 +1211,7 @@
 public = 30503012000006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 165
 # appending unused 0's to sequence
@@ -1476,9 +1219,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 166
 # appending unused 0's to sequence
@@ -1486,9 +1227,7 @@
 public = 3050301006072a8648ce3d020106052b810400210000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 167
 # appending null value to sequence
@@ -1496,9 +1235,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620500
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 168
 # appending null value to sequence
@@ -1506,9 +1243,7 @@
 public = 3050301206072a8648ce3d020106052b810400210500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 169
 # including garbage
@@ -1516,9 +1251,7 @@
 public = 3053498177304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 170
 # including garbage
@@ -1526,9 +1259,7 @@
 public = 30522500304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 171
 # including garbage
@@ -1536,9 +1267,7 @@
 public = 3050304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620004deadbeef
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 172
 # including garbage
@@ -1546,9 +1275,7 @@
 public = 30533015498177301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 173
 # including garbage
@@ -1556,9 +1283,7 @@
 public = 305230142500301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 174
 # including garbage
@@ -1566,9 +1291,7 @@
 public = 30563012301006072a8648ce3d020106052b810400210004deadbeef033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 175
 # including garbage
@@ -1576,9 +1299,7 @@
 public = 30533015260c49817706072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 176
 # including garbage
@@ -1586,9 +1307,7 @@
 public = 30523014260b250006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 177
 # including garbage
@@ -1596,9 +1315,7 @@
 public = 30563018260906072a8648ce3d02010004deadbeef06052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 178
 # including garbage
@@ -1606,9 +1323,7 @@
 public = 3053301506072a8648ce3d0201260a49817706052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 179
 # including garbage
@@ -1616,9 +1331,7 @@
 public = 3052301406072a8648ce3d02012609250006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 180
 # including garbage
@@ -1626,9 +1339,7 @@
 public = 3056301806072a8648ce3d0201260706052b810400210004deadbeef033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 181
 # including garbage
@@ -1636,9 +1347,7 @@
 public = 3053301006072a8648ce3d020106052b81040021233f498177033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 182
 # including garbage
@@ -1646,9 +1355,7 @@
 public = 3052301006072a8648ce3d020106052b81040021233e2500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 183
 # including garbage
@@ -1656,9 +1363,7 @@
 public = 3056301006072a8648ce3d020106052b81040021233c033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620004deadbeef
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 184
 # including undefined tags
@@ -1666,9 +1371,7 @@
 public = 3056aa00bb00cd00304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 185
 # including undefined tags
@@ -1676,9 +1379,7 @@
 public = 3054aa02aabb304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 186
 # including undefined tags
@@ -1686,9 +1387,7 @@
 public = 30563018aa00bb00cd00301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 187
 # including undefined tags
@@ -1696,9 +1395,7 @@
 public = 30543016aa02aabb301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 188
 # including undefined tags
@@ -1706,9 +1403,7 @@
 public = 30563018260faa00bb00cd0006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 189
 # including undefined tags
@@ -1716,9 +1411,7 @@
 public = 30543016260daa02aabb06072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 190
 # including undefined tags
@@ -1726,9 +1419,7 @@
 public = 3056301806072a8648ce3d0201260daa00bb00cd0006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 191
 # including undefined tags
@@ -1736,9 +1427,7 @@
 public = 3054301606072a8648ce3d0201260baa02aabb06052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 192
 # including undefined tags
@@ -1746,9 +1435,7 @@
 public = 3056301006072a8648ce3d020106052b810400212342aa00bb00cd00033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 193
 # including undefined tags
@@ -1756,9 +1443,7 @@
 public = 3054301006072a8648ce3d020106052b810400212340aa02aabb033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 194
 # truncated length of sequence
@@ -1766,9 +1451,7 @@
 public = 3081
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 195
 # truncated length of sequence
@@ -1776,9 +1459,7 @@
 public = 303e3081033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 196
 # Replacing sequence with NULL
@@ -1786,9 +1467,7 @@
 public = 0500
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 197
 # Replacing sequence with NULL
@@ -1796,9 +1475,7 @@
 public = 303e0500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 198
 # changing tag value of sequence
@@ -1806,9 +1483,7 @@
 public = 2e4e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 199
 # changing tag value of sequence
@@ -1816,9 +1491,7 @@
 public = 2f4e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 200
 # changing tag value of sequence
@@ -1826,9 +1499,7 @@
 public = 314e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 201
 # changing tag value of sequence
@@ -1836,9 +1507,7 @@
 public = 324e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 202
 # changing tag value of sequence
@@ -1846,9 +1515,7 @@
 public = ff4e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 203
 # changing tag value of sequence
@@ -1856,9 +1523,7 @@
 public = 304e2e1006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 204
 # changing tag value of sequence
@@ -1866,9 +1531,7 @@
 public = 304e2f1006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 205
 # changing tag value of sequence
@@ -1876,9 +1539,7 @@
 public = 304e311006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 206
 # changing tag value of sequence
@@ -1886,9 +1547,7 @@
 public = 304e321006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 207
 # changing tag value of sequence
@@ -1896,9 +1555,7 @@
 public = 304eff1006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 208
 # dropping value of sequence
@@ -1906,9 +1563,7 @@
 public = 3000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 209
 # dropping value of sequence
@@ -1916,9 +1571,7 @@
 public = 303e3000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 210
 # truncated sequence
@@ -1926,9 +1579,7 @@
 public = 304d301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 211
 # truncated sequence
@@ -1936,9 +1587,7 @@
 public = 304d1006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 212
 # truncated sequence
@@ -1946,9 +1595,7 @@
 public = 304d300f06072a8648ce3d020106052b810400033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 213
 # truncated sequence
@@ -1956,9 +1603,7 @@
 public = 304d300f072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 214
 # indefinite length
@@ -1966,9 +1611,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 215
 # indefinite length
@@ -1976,9 +1619,7 @@
 public = 3050308006072a8648ce3d020106052b810400210000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 216
 # indefinite length with truncated delimiter
@@ -1986,9 +1627,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da6200
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 217
 # indefinite length with truncated delimiter
@@ -1996,9 +1635,7 @@
 public = 304f308006072a8648ce3d020106052b8104002100033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 218
 # indefinite length with additional element
@@ -2006,9 +1643,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da6205000000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 219
 # indefinite length with additional element
@@ -2016,9 +1651,7 @@
 public = 3052308006072a8648ce3d020106052b8104002105000000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 220
 # indefinite length with truncated element
@@ -2026,9 +1659,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62060811220000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 221
 # indefinite length with truncated element
@@ -2036,9 +1667,7 @@
 public = 3054308006072a8648ce3d020106052b81040021060811220000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 222
 # indefinite length with garbage
@@ -2046,9 +1675,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000fe02beef
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 223
 # indefinite length with garbage
@@ -2056,9 +1683,7 @@
 public = 3054308006072a8648ce3d020106052b810400210000fe02beef033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 224
 # indefinite length with nonempty EOC
@@ -2066,9 +1691,7 @@
 public = 3080301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620002beef
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 225
 # indefinite length with nonempty EOC
@@ -2076,9 +1699,7 @@
 public = 3052308006072a8648ce3d020106052b810400210002beef033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 226
 # prepend empty sequence
@@ -2086,9 +1707,7 @@
 public = 30503000301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 227
 # prepend empty sequence
@@ -2096,9 +1715,7 @@
 public = 30503012300006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 228
 # append empty sequence
@@ -2106,9 +1723,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da623000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 229
 # append empty sequence
@@ -2116,9 +1731,7 @@
 public = 3050301206072a8648ce3d020106052b810400213000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 230
 # append garbage with high tag number
@@ -2126,9 +1739,7 @@
 public = 3051301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62bf7f00
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 231
 # append garbage with high tag number
@@ -2136,9 +1747,7 @@
 public = 3051301306072a8648ce3d020106052b81040021bf7f00033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 232
 # sequence of sequence
@@ -2146,9 +1755,7 @@
 public = 3050304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 233
 # sequence of sequence
@@ -2156,9 +1763,7 @@
 public = 30503012301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 234
 # truncated sequence: removed last 1 elements
@@ -2166,9 +1771,7 @@
 public = 3012301006072a8648ce3d020106052b81040021
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 235
 # truncated sequence: removed last 1 elements
@@ -2176,9 +1779,7 @@
 public = 3047300906072a8648ce3d0201033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 236
 # repeating element in sequence
@@ -2186,9 +1787,7 @@
 public = 30818a301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 237
 # repeating element in sequence
@@ -2196,9 +1795,7 @@
 public = 3055301706072a8648ce3d020106052b8104002106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 238
 # long form encoding of length of oid
@@ -2206,9 +1803,7 @@
 public = 304f30110681072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 239
 # long form encoding of length of oid
@@ -2216,9 +1811,7 @@
 public = 304f301106072a8648ce3d02010681052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 240
 # length of oid contains leading 0
@@ -2226,9 +1819,7 @@
 public = 30503012068200072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 241
 # length of oid contains leading 0
@@ -2236,9 +1827,7 @@
 public = 3050301206072a8648ce3d0201068200052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 242
 # wrong length of oid
@@ -2246,9 +1835,7 @@
 public = 304e301006082a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 243
 # wrong length of oid
@@ -2256,9 +1843,7 @@
 public = 304e301006062a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 244
 # wrong length of oid
@@ -2266,9 +1851,7 @@
 public = 304e301006072a8648ce3d020106062b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 245
 # wrong length of oid
@@ -2276,9 +1859,7 @@
 public = 304e301006072a8648ce3d020106042b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 246
 # uint32 overflow in length of oid
@@ -2286,9 +1867,7 @@
 public = 30533015068501000000072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 247
 # uint32 overflow in length of oid
@@ -2296,9 +1875,7 @@
 public = 3053301506072a8648ce3d0201068501000000052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 248
 # uint64 overflow in length of oid
@@ -2306,9 +1883,7 @@
 public = 3057301906890100000000000000072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 249
 # uint64 overflow in length of oid
@@ -2316,9 +1891,7 @@
 public = 3057301906072a8648ce3d020106890100000000000000052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 250
 # length of oid = 2**31 - 1
@@ -2326,9 +1899,7 @@
 public = 3052301406847fffffff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 251
 # length of oid = 2**31 - 1
@@ -2336,9 +1907,7 @@
 public = 3052301406072a8648ce3d020106847fffffff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 252
 # length of oid = 2**32 - 1
@@ -2346,9 +1915,7 @@
 public = 305230140684ffffffff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 253
 # length of oid = 2**32 - 1
@@ -2356,9 +1923,7 @@
 public = 3052301406072a8648ce3d02010684ffffffff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 254
 # length of oid = 2**40 - 1
@@ -2366,9 +1931,7 @@
 public = 305330150685ffffffffff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 255
 # length of oid = 2**40 - 1
@@ -2376,9 +1939,7 @@
 public = 3053301506072a8648ce3d02010685ffffffffff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 256
 # length of oid = 2**64 - 1
@@ -2386,9 +1947,7 @@
 public = 305630180688ffffffffffffffff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 257
 # length of oid = 2**64 - 1
@@ -2396,9 +1955,7 @@
 public = 3056301806072a8648ce3d02010688ffffffffffffffff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 258
 # incorrect length of oid
@@ -2406,9 +1963,7 @@
 public = 304e301006ff2a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 259
 # incorrect length of oid
@@ -2416,9 +1971,7 @@
 public = 304e301006072a8648ce3d020106ff2b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 260
 # removing oid
@@ -2426,9 +1979,7 @@
 public = 3045300706052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 261
 # lonely oid tag
@@ -2436,9 +1987,7 @@
 public = 304630080606052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 262
 # lonely oid tag
@@ -2446,9 +1995,7 @@
 public = 3048300a06072a8648ce3d020106033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 263
 # appending 0's to oid
@@ -2456,9 +2003,7 @@
 public = 3050301206092a8648ce3d0201000006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 264
 # appending 0's to oid
@@ -2466,9 +2011,7 @@
 public = 3050301206072a8648ce3d020106072b810400210000033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 265
 # prepending 0's to oid
@@ -2476,9 +2019,7 @@
 public = 30503012060900002a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 266
 # prepending 0's to oid
@@ -2486,9 +2027,7 @@
 public = 3050301206072a8648ce3d0201060700002b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 267
 # appending unused 0's to oid
@@ -2496,9 +2035,7 @@
 public = 3050301206072a8648ce3d0201000006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 268
 # appending null value to oid
@@ -2506,9 +2043,7 @@
 public = 3050301206092a8648ce3d0201050006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 269
 # appending null value to oid
@@ -2516,9 +2051,7 @@
 public = 3050301206072a8648ce3d020106072b810400210500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 270
 # truncated length of oid
@@ -2526,9 +2059,7 @@
 public = 30473009068106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 271
 # truncated length of oid
@@ -2536,9 +2067,7 @@
 public = 3049300b06072a8648ce3d02010681033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 272
 # Replacing oid with NULL
@@ -2546,9 +2075,7 @@
 public = 30473009050006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 273
 # Replacing oid with NULL
@@ -2556,9 +2083,7 @@
 public = 3049300b06072a8648ce3d02010500033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 274
 # changing tag value of oid
@@ -2566,9 +2091,7 @@
 public = 304e301004072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 275
 # changing tag value of oid
@@ -2576,9 +2099,7 @@
 public = 304e301005072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 276
 # changing tag value of oid
@@ -2586,9 +2107,7 @@
 public = 304e301007072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 277
 # changing tag value of oid
@@ -2596,9 +2115,7 @@
 public = 304e301008072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 278
 # changing tag value of oid
@@ -2606,9 +2123,7 @@
 public = 304e3010ff072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 279
 # changing tag value of oid
@@ -2616,9 +2131,7 @@
 public = 304e301006072a8648ce3d020104052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 280
 # changing tag value of oid
@@ -2626,9 +2139,7 @@
 public = 304e301006072a8648ce3d020105052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 281
 # changing tag value of oid
@@ -2636,9 +2147,7 @@
 public = 304e301006072a8648ce3d020107052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 282
 # changing tag value of oid
@@ -2646,9 +2155,7 @@
 public = 304e301006072a8648ce3d020108052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 283
 # changing tag value of oid
@@ -2656,9 +2163,7 @@
 public = 304e301006072a8648ce3d0201ff052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 284
 # dropping value of oid
@@ -2666,9 +2171,7 @@
 public = 30473009060006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 285
 # dropping value of oid
@@ -2676,9 +2179,7 @@
 public = 3049300b06072a8648ce3d02010600033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 286
 # modify first byte of oid
@@ -2686,9 +2187,7 @@
 public = 304e30100607288648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 287
 # modify first byte of oid
@@ -2696,9 +2195,7 @@
 public = 304e301006072a8648ce3d020106052981040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 288
 # modify last byte of oid
@@ -2706,9 +2203,7 @@
 public = 304e301006072a8648ce3d028106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 289
 # modify last byte of oid
@@ -2716,9 +2211,7 @@
 public = 304e301006072a8648ce3d020106052b810400a1033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 290
 # truncated oid
@@ -2726,9 +2219,7 @@
 public = 304d300f06062a8648ce3d0206052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 291
 # truncated oid
@@ -2736,9 +2227,7 @@
 public = 304d300f06068648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 292
 # truncated oid
@@ -2746,9 +2235,7 @@
 public = 304d300f06072a8648ce3d020106042b810400033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 293
 # truncated oid
@@ -2756,9 +2243,7 @@
 public = 304d300f06072a8648ce3d0201060481040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 294
 # wrong oid
@@ -2766,9 +2251,7 @@
 public = 304c300e06052b0e03021a06052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 295
 # wrong oid
@@ -2776,9 +2259,7 @@
 public = 30503012060960864801650304020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 296
 # wrong oid
@@ -2786,9 +2267,7 @@
 public = 304e301006072a8648ce3d020106052b0e03021a033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 297
 # wrong oid
@@ -2796,9 +2275,7 @@
 public = 3052301406072a8648ce3d02010609608648016503040201033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 298
 # longer oid
@@ -2806,9 +2283,7 @@
 public = 304f301106082a8648ce3d02010106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 299
 # longer oid
@@ -2816,9 +2291,7 @@
 public = 304f301106072a8648ce3d020106062b8104002101033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 300
 # oid with modified node
@@ -2826,9 +2299,7 @@
 public = 304e301006072a8648ce3d021106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 301
 # oid with modified node
@@ -2836,9 +2307,7 @@
 public = 30523014060b2a8648ce3d02888080800106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 302
 # oid with modified node
@@ -2846,9 +2315,7 @@
 public = 304e301006072a8648ce3d020106052b81040031033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 303
 # oid with modified node
@@ -2856,9 +2323,7 @@
 public = 3052301406072a8648ce3d020106092b8104008880808021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 304
 # large integer in oid
@@ -2866,9 +2331,7 @@
 public = 3057301906102a8648ce3d028280808080808080800106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 305
 # large integer in oid
@@ -2876,9 +2339,7 @@
 public = 3057301906072a8648ce3d0201060e2b81040082808080808080808021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 306
 # oid with invalid node
@@ -2886,9 +2347,7 @@
 public = 304f301106082a8648ce3d0201e006052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 307
 # oid with invalid node
@@ -2896,9 +2355,7 @@
 public = 304f301106082a808648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 308
 # oid with invalid node
@@ -2906,9 +2363,7 @@
 public = 304f301106072a8648ce3d020106062b81040021e0033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 309
 # oid with invalid node
@@ -2916,9 +2371,7 @@
 public = 304f301106072a8648ce3d020106062b8081040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 310
 # long form encoding of length of bit string
@@ -2926,9 +2379,7 @@
 public = 304f301006072a8648ce3d020106052b8104002103813a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 311
 # length of bit string contains leading 0
@@ -2936,9 +2387,7 @@
 public = 3050301006072a8648ce3d020106052b810400210382003a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 312
 # wrong length of bit string
@@ -2946,9 +2395,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033b000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 313
 # wrong length of bit string
@@ -2956,9 +2403,7 @@
 public = 304e301006072a8648ce3d020106052b810400210339000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 314
 # uint32 overflow in length of bit string
@@ -2966,9 +2411,7 @@
 public = 3053301006072a8648ce3d020106052b810400210385010000003a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 315
 # uint64 overflow in length of bit string
@@ -2976,9 +2419,7 @@
 public = 3057301006072a8648ce3d020106052b81040021038901000000000000003a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 316
 # length of bit string = 2**31 - 1
@@ -2986,9 +2427,7 @@
 public = 3052301006072a8648ce3d020106052b8104002103847fffffff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 317
 # length of bit string = 2**32 - 1
@@ -2996,9 +2435,7 @@
 public = 3052301006072a8648ce3d020106052b810400210384ffffffff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 318
 # length of bit string = 2**40 - 1
@@ -3006,9 +2443,7 @@
 public = 3053301006072a8648ce3d020106052b810400210385ffffffffff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 319
 # length of bit string = 2**64 - 1
@@ -3016,9 +2451,7 @@
 public = 3056301006072a8648ce3d020106052b810400210388ffffffffffffffff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 320
 # incorrect length of bit string
@@ -3026,9 +2459,7 @@
 public = 304e301006072a8648ce3d020106052b8104002103ff000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 321
 # lonely bit string tag
@@ -3036,9 +2467,7 @@
 public = 3013301006072a8648ce3d020106052b8104002103
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 322
 # appending 0's to bit string
@@ -3046,9 +2475,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033c000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620000
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 323
 # prepending 0's to bit string
@@ -3056,9 +2483,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033c0000000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 324
 # appending null value to bit string
@@ -3066,9 +2491,7 @@
 public = 3050301006072a8648ce3d020106052b81040021033c000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da620500
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 325
 # truncated length of bit string
@@ -3076,9 +2499,7 @@
 public = 3014301006072a8648ce3d020106052b810400210381
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 326
 # Replacing bit string with NULL
@@ -3086,9 +2507,7 @@
 public = 3014301006072a8648ce3d020106052b810400210500
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 327
 # changing tag value of bit string
@@ -3096,9 +2515,7 @@
 public = 304e301006072a8648ce3d020106052b81040021013a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 328
 # changing tag value of bit string
@@ -3106,9 +2523,7 @@
 public = 304e301006072a8648ce3d020106052b81040021023a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 329
 # changing tag value of bit string
@@ -3116,9 +2531,7 @@
 public = 304e301006072a8648ce3d020106052b81040021043a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 330
 # changing tag value of bit string
@@ -3126,9 +2539,7 @@
 public = 304e301006072a8648ce3d020106052b81040021053a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 331
 # changing tag value of bit string
@@ -3136,9 +2547,7 @@
 public = 304e301006072a8648ce3d020106052b81040021ff3a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 332
 # dropping value of bit string
@@ -3146,9 +2555,7 @@
 public = 3014301006072a8648ce3d020106052b810400210300
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 333
 # modify first byte of bit string
@@ -3156,9 +2563,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a020486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 334
 # modify last byte of bit string
@@ -3166,9 +2571,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3dae2
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 335
 # truncated bit string
@@ -3176,9 +2579,7 @@
 public = 304d301006072a8648ce3d020106052b810400210339000486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 336
 # truncated bit string
@@ -3186,9 +2587,7 @@
 public = 304d301006072a8648ce3d020106052b8104002103390486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 337
 # declaring bits as unused in bit string
@@ -3196,9 +2595,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a010486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 338
 # unused bits in bit string
@@ -3206,9 +2603,7 @@
 public = 3052301006072a8648ce3d020106052b81040021033e200486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da6201020304
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 339
 # unused bits in empty bit-string
@@ -3216,9 +2611,7 @@
 public = 3015301006072a8648ce3d020106052b81040021030103
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 340
 # 128 unused bits
@@ -3226,7 +2619,5 @@
 public = 304e301006072a8648ce3d020106052b81040021033a800486e2f72bccd974a3f1a4fc2cdcf22043eaf8be047de6be726b62001fda6f50f6df0b51bee99195d8a1a1c97e59e72fa4fcf8c1d21cb3da62
 result = acceptable
 shared = 85a70fc4dfc8509fb9ba1cfcf1879443e2ce176d794228029b10da63
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
diff --git a/third_party/wycheproof_testvectors/ecdh_secp256r1_test.txt b/third_party/wycheproof_testvectors/ecdh_secp256r1_test.txt
index fe35b50..f4a348f 100644
--- a/third_party/wycheproof_testvectors/ecdh_secp256r1_test.txt
+++ b/third_party/wycheproof_testvectors/ecdh_secp256r1_test.txt
@@ -20,8 +20,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d0301070322000362d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26
 result = acceptable
 shared = 53020d908b0219328b658b525f26780e3ae12bcd952bb25a93bc0895e1714285
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 3
 # edge case for shared secret
@@ -1303,9 +1302,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = f7407d61fdf581be4f564621d590ca9b7ba37f31396150f9922f1501da8c83ef
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 186
 # edge case private key
@@ -1313,9 +1310,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = 82236fd272208693e0574555ca465c6cc512163486084fa57f5e1bd2e2ccc0b3
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 187
 # edge case private key
@@ -1323,9 +1318,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = 06537149664dba1a9924654cb7f787ed224851b0df25ef53fcf54f8f26cd5f3f
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 188
 # edge case private key
@@ -1333,9 +1326,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = f2b38539bce995d443c7bfeeefadc9e42cc2c89c60bf4e86eac95d51987bd112
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 189
 # edge case private key
@@ -1350,9 +1341,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b
 result = valid
 shared = 027b013a6f166db655d69d643c127ef8ace175311e667dff2520f5b5c75b7659
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 191
 # CVE-2017-8932
@@ -1492,12 +1481,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764c
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 211
 # public point = (0,0)
@@ -1505,12 +1489,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d0301070342000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 212
 # order =
@@ -1519,20 +1498,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f50221ff00000000ffffffff00000000000000004319055258e8617b0c46353d039cdaaf020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 213
 # order = 0
@@ -1540,20 +1506,7 @@
 public = 308201133081cc06072a8648ce3d02013081c0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5020100020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 214
 # order = 1
@@ -1561,20 +1514,7 @@
 public = 308201133081cc06072a8648ce3d02013081c0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5020101020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 215
 # order = 26959946660873538060741835960514744168612397095220107664918121663170
@@ -1582,20 +1522,7 @@
 public = 3082012f3081e806072a8648ce3d02013081dc020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5021d00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 216
 # generator = (0,0)
@@ -1603,17 +1530,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b04410400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 217
 # generator not on curve
@@ -1621,17 +1538,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f7022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 218
 # cofactor = -1
@@ -1639,17 +1546,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325510201ff034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 219
 # cofactor = 0
@@ -1657,17 +1554,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020100034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 220
 # cofactor = 2
@@ -1675,17 +1562,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020102034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 221
 # cofactor =
@@ -1694,17 +1571,7 @@
 public = 308201553082010d06072a8648ce3d020130820100020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = invalid
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 222
 # cofactor = None
@@ -1712,17 +1579,7 @@
 public = 308201303081e906072a8648ce3d02013081dd020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff30440420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 223
 # modified prime
@@ -1730,20 +1587,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100fd091059a6893635f900e9449d63f572b2aebc4cff7b4e5e33f1b200e8bbc1453044042002f6efa55976c9cb06ff16bb629c0a8d4d5143b40084b1a1cc0e4dff17443eb704205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b0441040000000000000000000006597fa94b1fd90000000000000000000000000000021b8c7dd77f9a95627922eceefea73f028f1ec95ba9b8fa95a3ad24bdf9fff414022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200040000000000000000000006597fa94b1fd90000000000000000000000000000021b8c7dd77f9a95627922eceefea73f028f1ec95ba9b8fa95a3ad24bdf9fff414
 result = invalid
 shared = cea0fbd8f20abc8cf8127c132e29756d25ff1530a88bf5c9e22dc1c137c36be9
-# The modulus of the public key has been modified. The public point of the
-# public key has been chosen so that it is both a point on both the curve of the
-# modified public key and the private key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = ModifiedPrime,InvalidPublic,UnnamedCurve
 
 # tcId = 224
 # using secp224r1
@@ -1751,12 +1595,7 @@
 public = 304e301006072a8648ce3d020106052b81040021033a0004074f56dc2ea648ef89c3b72e23bbd2da36f60243e4d2067b70604af1c2165cec2f86603d60c8a611d5b84ba3d91dfe1a480825bcc4af3bcf
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 225
 # using secp256k1
@@ -1764,12 +1603,7 @@
 public = 3056301006072a8648ce3d020106052b8104000a03420004a1263e75b87ae0937060ff1472f330ee55cdf8f4329d6284a9ebfbcc856c11684225e72cbebff41e54fb6f00e11afe53a17937bedbf2df787f8ef9584f775838
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 226
 # a = 0
@@ -1777,17 +1611,7 @@
 public = 308201143081cd06072a8648ce3d02013081c1020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff302504010004201b95c2f46065dbf0f3ff09153e4748ed71595e0774ba8e25c364ff1e6be039b70441041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200041510264c189c3d523ff9916abd7069efa6968d8dc7ddb6457d7869b53ea60cdcfafb7ed4786da15d29ee59256f536da3575a4888c1bb0a95b256f4a7e9fd764a
 result = acceptable
 shared = d003f5cc83852584061f7a8a28bcb5671ecbda096e16e7accfa8f8d311a3db7a
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 227
 # public key of order 3
@@ -1795,21 +1619,7 @@
 public = 308201333081ec06072a8648ce3d02013081e0020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff304404207b5c92a0cac0f30673473f260f89926a14da905bc7e5e07df1e8df69059d98570420cb2eaa5643572372d5cba1e69f687d287fd62f5518322af2614ce512dd680a76044104843587c1bea197a1be63c67c9f1641c70f7d3cba49147e9fc0c9bb246e1498186049243e8e92743df2f9994d60f90ab21635e00183e69b317f00ad226da8f546022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63255102010103420004843587c1bea197a1be63c67c9f1641c70f7d3cba49147e9fc0c9bb246e1498189fb6dbc0716d8bc30d0666b29f06f54de9ca1fff7c1964ce80ff52dd92570ab9
 result = invalid
 shared = 
-# The vector contains a weak public key. The curve is not a named curve, the
-# public key point has order 3 and has been chosen to be on the same curve as
-# the private key. This test vector is used to check ECC implementations for
-# missing steps in the verification of the public key.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WeakPublicKey,InvalidPublic,UnnamedCurve
 
 # tcId = 228
 # Public key uses wrong curve: secp224r1
@@ -1922,8 +1732,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220002fd4bf61763b46581fd9174d623516cf3c81edd40e29ffa2777fb6cb0ae3ce535
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 244
 # public key is a low order point on twist
@@ -1931,8 +1740,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220003efdde3b32872a9effcf3b94cbf73aa7b39f9683ece9121b9852167f4e3da609b
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 245
 # public key is a low order point on twist
@@ -1940,8 +1748,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220002efdde3b32872a9effcf3b94cbf73aa7b39f9683ece9121b9852167f4e3da609b
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 246
 # public key is a low order point on twist
@@ -1949,8 +1756,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220002c49524b2adfd8f5f972ef554652836e2efb2d306c6d3b0689234cec93ae73db5
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 247
 # public key is a low order point on twist
@@ -1958,8 +1764,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d0301070322000318f9bae7747cd844e98525b7ccd0daf6e1d20a818b2175a9a91e4eae5343bc98
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 248
 # public key is a low order point on twist
@@ -1967,8 +1772,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d0301070322000218f9bae7747cd844e98525b7ccd0daf6e1d20a818b2175a9a91e4eae5343bc98
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 249
 # public key is a low order point on twist
@@ -1976,8 +1780,7 @@
 public = 3039301306072a8648ce3d020106082a8648ce3d03010703220003c49524b2adfd8f5f972ef554652836e2efb2d306c6d3b0689234cec93ae73db5
 result = invalid
 shared = 
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 250
 # long form encoding of length of sequence
@@ -1985,9 +1788,7 @@
 public = 308159301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 251
 # long form encoding of length of sequence
@@ -1995,9 +1796,7 @@
 public = 305a30811306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 252
 # length of sequence contains leading 0
@@ -2005,9 +1804,7 @@
 public = 30820059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 253
 # length of sequence contains leading 0
@@ -2015,9 +1812,7 @@
 public = 305b3082001306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 254
 # wrong length of sequence
@@ -2025,9 +1820,7 @@
 public = 305a301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 255
 # wrong length of sequence
@@ -2035,9 +1828,7 @@
 public = 3058301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 256
 # wrong length of sequence
@@ -2045,9 +1836,7 @@
 public = 3059301406072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 257
 # wrong length of sequence
@@ -2055,9 +1844,7 @@
 public = 3059301206072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 258
 # uint32 overflow in length of sequence
@@ -2065,9 +1852,7 @@
 public = 30850100000059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 259
 # uint32 overflow in length of sequence
@@ -2075,9 +1860,7 @@
 public = 305e3085010000001306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 260
 # uint64 overflow in length of sequence
@@ -2085,9 +1868,7 @@
 public = 3089010000000000000059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 261
 # uint64 overflow in length of sequence
@@ -2095,9 +1876,7 @@
 public = 3062308901000000000000001306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 262
 # length of sequence = 2**31 - 1
@@ -2105,9 +1884,7 @@
 public = 30847fffffff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 263
 # length of sequence = 2**31 - 1
@@ -2115,9 +1892,7 @@
 public = 305d30847fffffff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 264
 # length of sequence = 2**32 - 1
@@ -2125,9 +1900,7 @@
 public = 3084ffffffff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 265
 # length of sequence = 2**32 - 1
@@ -2135,9 +1908,7 @@
 public = 305d3084ffffffff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 266
 # length of sequence = 2**40 - 1
@@ -2145,9 +1916,7 @@
 public = 3085ffffffffff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 267
 # length of sequence = 2**40 - 1
@@ -2155,9 +1924,7 @@
 public = 305e3085ffffffffff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 268
 # length of sequence = 2**64 - 1
@@ -2165,9 +1932,7 @@
 public = 3088ffffffffffffffff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 269
 # length of sequence = 2**64 - 1
@@ -2175,9 +1940,7 @@
 public = 30613088ffffffffffffffff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 270
 # incorrect length of sequence
@@ -2185,9 +1948,7 @@
 public = 30ff301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 271
 # incorrect length of sequence
@@ -2195,9 +1956,7 @@
 public = 305930ff06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 272
 # indefinite length without termination
@@ -2205,9 +1964,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 273
 # indefinite length without termination
@@ -2215,9 +1972,7 @@
 public = 3059308006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 274
 # indefinite length without termination
@@ -2225,9 +1980,7 @@
 public = 3059301306802a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 275
 # indefinite length without termination
@@ -2235,9 +1988,7 @@
 public = 3059301306072a8648ce3d020106802a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 276
 # indefinite length without termination
@@ -2245,9 +1996,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107038000042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 277
 # removing sequence
@@ -2255,9 +2004,7 @@
 public = 
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 278
 # removing sequence
@@ -2265,9 +2012,7 @@
 public = 3044034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 279
 # lonely sequence tag
@@ -2275,9 +2020,7 @@
 public = 30
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 280
 # lonely sequence tag
@@ -2285,9 +2028,7 @@
 public = 304530034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 281
 # appending 0's to sequence
@@ -2295,9 +2036,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 282
 # appending 0's to sequence
@@ -2305,9 +2044,7 @@
 public = 305b301506072a8648ce3d020106082a8648ce3d0301070000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 283
 # prepending 0's to sequence
@@ -2315,9 +2052,7 @@
 public = 305b0000301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 284
 # prepending 0's to sequence
@@ -2325,9 +2060,7 @@
 public = 305b3015000006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 285
 # appending unused 0's to sequence
@@ -2335,9 +2068,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 286
 # appending unused 0's to sequence
@@ -2345,9 +2076,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d0301070000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 287
 # appending null value to sequence
@@ -2355,9 +2084,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0500
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 288
 # appending null value to sequence
@@ -2365,9 +2092,7 @@
 public = 305b301506072a8648ce3d020106082a8648ce3d0301070500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 289
 # including garbage
@@ -2375,9 +2100,7 @@
 public = 305e4981773059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 290
 # including garbage
@@ -2385,9 +2108,7 @@
 public = 305d25003059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 291
 # including garbage
@@ -2395,9 +2116,7 @@
 public = 305b3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0004deadbeef
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 292
 # including garbage
@@ -2405,9 +2124,7 @@
 public = 305e3018498177301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 293
 # including garbage
@@ -2415,9 +2132,7 @@
 public = 305d30172500301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 294
 # including garbage
@@ -2425,9 +2140,7 @@
 public = 30613015301306072a8648ce3d020106082a8648ce3d0301070004deadbeef034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 295
 # including garbage
@@ -2435,9 +2148,7 @@
 public = 305e3018260c49817706072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 296
 # including garbage
@@ -2445,9 +2156,7 @@
 public = 305d3017260b250006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 297
 # including garbage
@@ -2455,9 +2164,7 @@
 public = 3061301b260906072a8648ce3d02010004deadbeef06082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 298
 # including garbage
@@ -2465,9 +2172,7 @@
 public = 305e301806072a8648ce3d0201260d49817706082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 299
 # including garbage
@@ -2475,9 +2180,7 @@
 public = 305d301706072a8648ce3d0201260c250006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 300
 # including garbage
@@ -2485,9 +2188,7 @@
 public = 3061301b06072a8648ce3d0201260a06082a8648ce3d0301070004deadbeef034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 301
 # including garbage
@@ -2495,9 +2196,7 @@
 public = 305e301306072a8648ce3d020106082a8648ce3d0301072347498177034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 302
 # including garbage
@@ -2505,9 +2204,7 @@
 public = 305d301306072a8648ce3d020106082a8648ce3d03010723462500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 303
 # including garbage
@@ -2515,9 +2212,7 @@
 public = 3061301306072a8648ce3d020106082a8648ce3d0301072344034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0004deadbeef
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 304
 # including undefined tags
@@ -2525,9 +2220,7 @@
 public = 3061aa00bb00cd003059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 305
 # including undefined tags
@@ -2535,9 +2228,7 @@
 public = 305faa02aabb3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 306
 # including undefined tags
@@ -2545,9 +2236,7 @@
 public = 3061301baa00bb00cd00301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 307
 # including undefined tags
@@ -2555,9 +2244,7 @@
 public = 305f3019aa02aabb301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 308
 # including undefined tags
@@ -2565,9 +2252,7 @@
 public = 3061301b260faa00bb00cd0006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 309
 # including undefined tags
@@ -2575,9 +2260,7 @@
 public = 305f3019260daa02aabb06072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 310
 # including undefined tags
@@ -2585,9 +2268,7 @@
 public = 3061301b06072a8648ce3d02012610aa00bb00cd0006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 311
 # including undefined tags
@@ -2595,9 +2276,7 @@
 public = 305f301906072a8648ce3d0201260eaa02aabb06082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 312
 # including undefined tags
@@ -2605,9 +2284,7 @@
 public = 3061301306072a8648ce3d020106082a8648ce3d030107234aaa00bb00cd00034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 313
 # including undefined tags
@@ -2615,9 +2292,7 @@
 public = 305f301306072a8648ce3d020106082a8648ce3d0301072348aa02aabb034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 314
 # truncated length of sequence
@@ -2625,9 +2300,7 @@
 public = 3081
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 315
 # truncated length of sequence
@@ -2635,9 +2308,7 @@
 public = 30463081034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 316
 # Replacing sequence with NULL
@@ -2645,9 +2316,7 @@
 public = 0500
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 317
 # Replacing sequence with NULL
@@ -2655,9 +2324,7 @@
 public = 30460500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 318
 # changing tag value of sequence
@@ -2665,9 +2332,7 @@
 public = 2e59301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 319
 # changing tag value of sequence
@@ -2675,9 +2340,7 @@
 public = 2f59301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 320
 # changing tag value of sequence
@@ -2685,9 +2348,7 @@
 public = 3159301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 321
 # changing tag value of sequence
@@ -2695,9 +2356,7 @@
 public = 3259301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 322
 # changing tag value of sequence
@@ -2705,9 +2364,7 @@
 public = ff59301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 323
 # changing tag value of sequence
@@ -2715,9 +2372,7 @@
 public = 30592e1306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 324
 # changing tag value of sequence
@@ -2725,9 +2380,7 @@
 public = 30592f1306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 325
 # changing tag value of sequence
@@ -2735,9 +2388,7 @@
 public = 3059311306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 326
 # changing tag value of sequence
@@ -2745,9 +2396,7 @@
 public = 3059321306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 327
 # changing tag value of sequence
@@ -2755,9 +2404,7 @@
 public = 3059ff1306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 328
 # dropping value of sequence
@@ -2765,9 +2412,7 @@
 public = 3000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 329
 # dropping value of sequence
@@ -2775,9 +2420,7 @@
 public = 30463000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 330
 # truncated sequence
@@ -2785,9 +2428,7 @@
 public = 3058301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add6
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 331
 # truncated sequence
@@ -2795,9 +2436,7 @@
 public = 30581306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 332
 # truncated sequence
@@ -2805,9 +2444,7 @@
 public = 3058301206072a8648ce3d020106082a8648ce3d0301034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 333
 # truncated sequence
@@ -2815,9 +2452,7 @@
 public = 30583012072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 334
 # indefinite length
@@ -2825,9 +2460,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 335
 # indefinite length
@@ -2835,9 +2468,7 @@
 public = 305b308006072a8648ce3d020106082a8648ce3d0301070000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 336
 # indefinite length with truncated delimiter
@@ -2845,9 +2476,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b00
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 337
 # indefinite length with truncated delimiter
@@ -2855,9 +2484,7 @@
 public = 305a308006072a8648ce3d020106082a8648ce3d03010700034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 338
 # indefinite length with additional element
@@ -2865,9 +2492,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b05000000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 339
 # indefinite length with additional element
@@ -2875,9 +2500,7 @@
 public = 305d308006072a8648ce3d020106082a8648ce3d03010705000000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 340
 # indefinite length with truncated element
@@ -2885,9 +2508,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b060811220000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 341
 # indefinite length with truncated element
@@ -2895,9 +2516,7 @@
 public = 305f308006072a8648ce3d020106082a8648ce3d030107060811220000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 342
 # indefinite length with garbage
@@ -2905,9 +2524,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000fe02beef
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 343
 # indefinite length with garbage
@@ -2915,9 +2532,7 @@
 public = 305f308006072a8648ce3d020106082a8648ce3d0301070000fe02beef034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 344
 # indefinite length with nonempty EOC
@@ -2925,9 +2540,7 @@
 public = 3080301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0002beef
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 345
 # indefinite length with nonempty EOC
@@ -2935,9 +2548,7 @@
 public = 305d308006072a8648ce3d020106082a8648ce3d0301070002beef034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 346
 # prepend empty sequence
@@ -2945,9 +2556,7 @@
 public = 305b3000301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 347
 # prepend empty sequence
@@ -2955,9 +2564,7 @@
 public = 305b3015300006072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 348
 # append empty sequence
@@ -2965,9 +2572,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b3000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 349
 # append empty sequence
@@ -2975,9 +2580,7 @@
 public = 305b301506072a8648ce3d020106082a8648ce3d0301073000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 350
 # append garbage with high tag number
@@ -2985,9 +2588,7 @@
 public = 305c301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66bbf7f00
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 351
 # append garbage with high tag number
@@ -2995,9 +2596,7 @@
 public = 305c301606072a8648ce3d020106082a8648ce3d030107bf7f00034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 352
 # sequence of sequence
@@ -3005,9 +2604,7 @@
 public = 305b3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 353
 # sequence of sequence
@@ -3015,9 +2612,7 @@
 public = 305b3015301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 354
 # truncated sequence: removed last 1 elements
@@ -3025,9 +2620,7 @@
 public = 3015301306072a8648ce3d020106082a8648ce3d030107
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 355
 # truncated sequence: removed last 1 elements
@@ -3035,9 +2628,7 @@
 public = 304f300906072a8648ce3d0201034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 356
 # repeating element in sequence
@@ -3045,9 +2636,7 @@
 public = 30819d301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 357
 # repeating element in sequence
@@ -3055,9 +2644,7 @@
 public = 3063301d06072a8648ce3d020106082a8648ce3d03010706082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 358
 # long form encoding of length of oid
@@ -3065,9 +2652,7 @@
 public = 305a30140681072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 359
 # long form encoding of length of oid
@@ -3075,9 +2660,7 @@
 public = 305a301406072a8648ce3d02010681082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 360
 # length of oid contains leading 0
@@ -3085,9 +2668,7 @@
 public = 305b3015068200072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 361
 # length of oid contains leading 0
@@ -3095,9 +2676,7 @@
 public = 305b301506072a8648ce3d0201068200082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 362
 # wrong length of oid
@@ -3105,9 +2684,7 @@
 public = 3059301306082a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 363
 # wrong length of oid
@@ -3115,9 +2692,7 @@
 public = 3059301306062a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 364
 # wrong length of oid
@@ -3125,9 +2700,7 @@
 public = 3059301306072a8648ce3d020106092a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 365
 # wrong length of oid
@@ -3135,9 +2708,7 @@
 public = 3059301306072a8648ce3d020106072a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 366
 # uint32 overflow in length of oid
@@ -3145,9 +2716,7 @@
 public = 305e3018068501000000072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 367
 # uint32 overflow in length of oid
@@ -3155,9 +2724,7 @@
 public = 305e301806072a8648ce3d0201068501000000082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 368
 # uint64 overflow in length of oid
@@ -3165,9 +2732,7 @@
 public = 3062301c06890100000000000000072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 369
 # uint64 overflow in length of oid
@@ -3175,9 +2740,7 @@
 public = 3062301c06072a8648ce3d020106890100000000000000082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 370
 # length of oid = 2**31 - 1
@@ -3185,9 +2748,7 @@
 public = 305d301706847fffffff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 371
 # length of oid = 2**31 - 1
@@ -3195,9 +2756,7 @@
 public = 305d301706072a8648ce3d020106847fffffff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 372
 # length of oid = 2**32 - 1
@@ -3205,9 +2764,7 @@
 public = 305d30170684ffffffff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 373
 # length of oid = 2**32 - 1
@@ -3215,9 +2772,7 @@
 public = 305d301706072a8648ce3d02010684ffffffff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 374
 # length of oid = 2**40 - 1
@@ -3225,9 +2780,7 @@
 public = 305e30180685ffffffffff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 375
 # length of oid = 2**40 - 1
@@ -3235,9 +2788,7 @@
 public = 305e301806072a8648ce3d02010685ffffffffff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 376
 # length of oid = 2**64 - 1
@@ -3245,9 +2796,7 @@
 public = 3061301b0688ffffffffffffffff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 377
 # length of oid = 2**64 - 1
@@ -3255,9 +2804,7 @@
 public = 3061301b06072a8648ce3d02010688ffffffffffffffff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 378
 # incorrect length of oid
@@ -3265,9 +2812,7 @@
 public = 3059301306ff2a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 379
 # incorrect length of oid
@@ -3275,9 +2820,7 @@
 public = 3059301306072a8648ce3d020106ff2a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 380
 # removing oid
@@ -3285,9 +2828,7 @@
 public = 3050300a06082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 381
 # lonely oid tag
@@ -3295,9 +2836,7 @@
 public = 3051300b0606082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 382
 # lonely oid tag
@@ -3305,9 +2844,7 @@
 public = 3050300a06072a8648ce3d020106034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 383
 # appending 0's to oid
@@ -3315,9 +2852,7 @@
 public = 305b301506092a8648ce3d0201000006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 384
 # appending 0's to oid
@@ -3325,9 +2860,7 @@
 public = 305b301506072a8648ce3d0201060a2a8648ce3d0301070000034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 385
 # prepending 0's to oid
@@ -3335,9 +2868,7 @@
 public = 305b3015060900002a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 386
 # prepending 0's to oid
@@ -3345,9 +2876,7 @@
 public = 305b301506072a8648ce3d0201060a00002a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 387
 # appending unused 0's to oid
@@ -3355,9 +2884,7 @@
 public = 305b301506072a8648ce3d0201000006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 388
 # appending null value to oid
@@ -3365,9 +2892,7 @@
 public = 305b301506092a8648ce3d0201050006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 389
 # appending null value to oid
@@ -3375,9 +2900,7 @@
 public = 305b301506072a8648ce3d0201060a2a8648ce3d0301070500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 390
 # truncated length of oid
@@ -3385,9 +2908,7 @@
 public = 3052300c068106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 391
 # truncated length of oid
@@ -3395,9 +2916,7 @@
 public = 3051300b06072a8648ce3d02010681034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 392
 # Replacing oid with NULL
@@ -3405,9 +2924,7 @@
 public = 3052300c050006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 393
 # Replacing oid with NULL
@@ -3415,9 +2932,7 @@
 public = 3051300b06072a8648ce3d02010500034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 394
 # changing tag value of oid
@@ -3425,9 +2940,7 @@
 public = 3059301304072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 395
 # changing tag value of oid
@@ -3435,9 +2948,7 @@
 public = 3059301305072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 396
 # changing tag value of oid
@@ -3445,9 +2956,7 @@
 public = 3059301307072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 397
 # changing tag value of oid
@@ -3455,9 +2964,7 @@
 public = 3059301308072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 398
 # changing tag value of oid
@@ -3465,9 +2972,7 @@
 public = 30593013ff072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 399
 # changing tag value of oid
@@ -3475,9 +2980,7 @@
 public = 3059301306072a8648ce3d020104082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 400
 # changing tag value of oid
@@ -3485,9 +2988,7 @@
 public = 3059301306072a8648ce3d020105082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 401
 # changing tag value of oid
@@ -3495,9 +2996,7 @@
 public = 3059301306072a8648ce3d020107082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 402
 # changing tag value of oid
@@ -3505,9 +3004,7 @@
 public = 3059301306072a8648ce3d020108082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 403
 # changing tag value of oid
@@ -3515,9 +3012,7 @@
 public = 3059301306072a8648ce3d0201ff082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 404
 # dropping value of oid
@@ -3525,9 +3020,7 @@
 public = 3052300c060006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 405
 # dropping value of oid
@@ -3535,9 +3028,7 @@
 public = 3051300b06072a8648ce3d02010600034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 406
 # modify first byte of oid
@@ -3545,9 +3036,7 @@
 public = 305930130607288648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 407
 # modify first byte of oid
@@ -3555,9 +3044,7 @@
 public = 3059301306072a8648ce3d02010608288648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 408
 # modify last byte of oid
@@ -3565,9 +3052,7 @@
 public = 3059301306072a8648ce3d028106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 409
 # modify last byte of oid
@@ -3575,9 +3060,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030187034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 410
 # truncated oid
@@ -3585,9 +3068,7 @@
 public = 3058301206062a8648ce3d0206082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 411
 # truncated oid
@@ -3595,9 +3076,7 @@
 public = 3058301206068648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 412
 # truncated oid
@@ -3605,9 +3084,7 @@
 public = 3058301206072a8648ce3d020106072a8648ce3d0301034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 413
 # truncated oid
@@ -3615,9 +3092,7 @@
 public = 3058301206072a8648ce3d020106078648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 414
 # wrong oid
@@ -3625,9 +3100,7 @@
 public = 3057301106052b0e03021a06082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 415
 # wrong oid
@@ -3635,9 +3108,7 @@
 public = 305b3015060960864801650304020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 416
 # wrong oid
@@ -3645,9 +3116,7 @@
 public = 3056301006072a8648ce3d020106052b0e03021a034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 417
 # wrong oid
@@ -3655,9 +3124,7 @@
 public = 305a301406072a8648ce3d02010609608648016503040201034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 418
 # longer oid
@@ -3665,9 +3132,7 @@
 public = 305a301406082a8648ce3d02010106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 419
 # longer oid
@@ -3675,9 +3140,7 @@
 public = 305a301406072a8648ce3d020106092a8648ce3d03010701034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 420
 # oid with modified node
@@ -3685,9 +3148,7 @@
 public = 3059301306072a8648ce3d021106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 421
 # oid with modified node
@@ -3695,9 +3156,7 @@
 public = 305d3017060b2a8648ce3d02888080800106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 422
 # oid with modified node
@@ -3705,9 +3164,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030117034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 423
 # oid with modified node
@@ -3715,9 +3172,7 @@
 public = 305d301706072a8648ce3d0201060c2a8648ce3d03018880808007034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 424
 # large integer in oid
@@ -3725,9 +3180,7 @@
 public = 3062301c06102a8648ce3d028280808080808080800106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 425
 # large integer in oid
@@ -3735,9 +3188,7 @@
 public = 3062301c06072a8648ce3d020106112a8648ce3d030182808080808080808007034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 426
 # oid with invalid node
@@ -3745,9 +3196,7 @@
 public = 305a301406082a8648ce3d0201e006082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 427
 # oid with invalid node
@@ -3755,9 +3204,7 @@
 public = 305a301406082a808648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 428
 # oid with invalid node
@@ -3765,9 +3212,7 @@
 public = 305a301406072a8648ce3d020106092a8648ce3d030107e0034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 429
 # oid with invalid node
@@ -3775,9 +3220,7 @@
 public = 305a301406072a8648ce3d020106092a808648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 430
 # long form encoding of length of bit string
@@ -3785,9 +3228,7 @@
 public = 305a301306072a8648ce3d020106082a8648ce3d03010703814200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 431
 # length of bit string contains leading 0
@@ -3795,9 +3236,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d0301070382004200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 432
 # wrong length of bit string
@@ -3805,9 +3244,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034300042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 433
 # wrong length of bit string
@@ -3815,9 +3252,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034100042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 434
 # uint32 overflow in length of bit string
@@ -3825,9 +3260,7 @@
 public = 305e301306072a8648ce3d020106082a8648ce3d0301070385010000004200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 435
 # uint64 overflow in length of bit string
@@ -3835,9 +3268,7 @@
 public = 3062301306072a8648ce3d020106082a8648ce3d030107038901000000000000004200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 436
 # length of bit string = 2**31 - 1
@@ -3845,9 +3276,7 @@
 public = 305d301306072a8648ce3d020106082a8648ce3d03010703847fffffff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 437
 # length of bit string = 2**32 - 1
@@ -3855,9 +3284,7 @@
 public = 305d301306072a8648ce3d020106082a8648ce3d0301070384ffffffff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 438
 # length of bit string = 2**40 - 1
@@ -3865,9 +3292,7 @@
 public = 305e301306072a8648ce3d020106082a8648ce3d0301070385ffffffffff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 439
 # length of bit string = 2**64 - 1
@@ -3875,9 +3300,7 @@
 public = 3061301306072a8648ce3d020106082a8648ce3d0301070388ffffffffffffffff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 440
 # incorrect length of bit string
@@ -3885,9 +3308,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d03010703ff00042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 441
 # lonely bit string tag
@@ -3895,9 +3316,7 @@
 public = 3016301306072a8648ce3d020106082a8648ce3d03010703
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 442
 # appending 0's to bit string
@@ -3905,9 +3324,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034400042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0000
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 443
 # prepending 0's to bit string
@@ -3915,9 +3332,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d0301070344000000042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 444
 # appending null value to bit string
@@ -3925,9 +3340,7 @@
 public = 305b301306072a8648ce3d020106082a8648ce3d030107034400042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b0500
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 445
 # truncated length of bit string
@@ -3935,9 +3348,7 @@
 public = 3017301306072a8648ce3d020106082a8648ce3d0301070381
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 446
 # Replacing bit string with NULL
@@ -3945,9 +3356,7 @@
 public = 3017301306072a8648ce3d020106082a8648ce3d0301070500
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 447
 # changing tag value of bit string
@@ -3955,9 +3364,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107014200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 448
 # changing tag value of bit string
@@ -3965,9 +3372,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107024200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 449
 # changing tag value of bit string
@@ -3975,9 +3380,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107044200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 450
 # changing tag value of bit string
@@ -3985,9 +3388,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107054200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 451
 # changing tag value of bit string
@@ -3995,9 +3396,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107ff4200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 452
 # dropping value of bit string
@@ -4005,9 +3404,7 @@
 public = 3017301306072a8648ce3d020106082a8648ce3d0301070300
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 453
 # modify first byte of bit string
@@ -4015,9 +3412,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034202042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 454
 # modify last byte of bit string
@@ -4025,9 +3420,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034200042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add6eb
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 455
 # truncated bit string
@@ -4035,9 +3428,7 @@
 public = 3058301306072a8648ce3d020106082a8648ce3d030107034100042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add6
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 456
 # truncated bit string
@@ -4045,9 +3436,7 @@
 public = 3058301306072a8648ce3d020106082a8648ce3d0301070341042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 457
 # declaring bits as unused in bit string
@@ -4055,9 +3444,7 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034201042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 458
 # unused bits in bit string
@@ -4065,9 +3452,7 @@
 public = 305d301306072a8648ce3d020106082a8648ce3d030107034620042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b01020304
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 459
 # unused bits in empty bit-string
@@ -4075,9 +3460,7 @@
 public = 3018301306072a8648ce3d020106082a8648ce3d030107030103
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
 # tcId = 460
 # 128 unused bits
@@ -4085,7 +3468,5 @@
 public = 3059301306072a8648ce3d020106082a8648ce3d030107034280042998705a9a71c783e1cf4397dbed9375a44e4cb88053594b0ea982203b6363b063d0af4971d1c3813db3c7799f9f9324cbe1b90054c81b510ff6297160add66b
 result = acceptable
 shared = f0b6d851dcd8e9a8c474d695137962f082c4f2a1a2eefb182df58d88a72829e4
-# The public key in this test uses an invalid ASN encoding. Some cases where the
-# ASN parser is not strictly checking the ASN format are benign as long as the
-# ECDH computation still returns the correct shared value.
+flags = InvalidAsn
 
diff --git a/third_party/wycheproof_testvectors/ecdh_secp384r1_test.txt b/third_party/wycheproof_testvectors/ecdh_secp384r1_test.txt
index a78e765..10c0773 100644
--- a/third_party/wycheproof_testvectors/ecdh_secp384r1_test.txt
+++ b/third_party/wycheproof_testvectors/ecdh_secp384r1_test.txt
@@ -20,8 +20,7 @@
 public = 3046301006072a8648ce3d020106052b8104002203320002790a6e059ef9a5940163183d4a7809135d29791643fc43a2f17ee8bf677ab84f791b64a6be15969ffa012dd9185d8796
 result = acceptable
 shared = 6461defb95d996b24296f5a1832b34db05ed031114fbe7d98d098f93859866e4de1e229da71fef0c77fe49b249190135
-# The point in the public key is compressed. Not every library supports points
-# in compressed format.
+flags = CompressedPoint
 
 # tcId = 3
 # edge case for shared secret
@@ -1167,9 +1166,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004e9dfaaab808b3aac1ccca7cc6242a7ee583249afe8ee8f66b904cc8eec34ad334456e00f33a94de8b5169cf0199550c020156e9651734ff999c5f3ea62b83d0083a6093f234457251ecf72c41e4df7cea2420b5454a7f690034380bac981e92e
 result = valid
 shared = 2ecf9dc47e8b07ae61ddbd1680ead02698e9e8469f78d5a28328e48d0c9d7a2ac787e50cba58cc44a32fb1235d2d7027
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 162
 # edge case private key
@@ -1177,9 +1174,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004e9dfaaab808b3aac1ccca7cc6242a7ee583249afe8ee8f66b904cc8eec34ad334456e00f33a94de8b5169cf0199550c020156e9651734ff999c5f3ea62b83d0083a6093f234457251ecf72c41e4df7cea2420b5454a7f690034380bac981e92e
 result = valid
 shared = 06ee9f55079d3d3c18c683ba33e0d2521be97c4fbf7917bf3b6287d58ffcde2df88842e3f5530b39549ac20974b1b60e
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 163
 # edge case private key
@@ -1194,9 +1189,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004e9dfaaab808b3aac1ccca7cc6242a7ee583249afe8ee8f66b904cc8eec34ad334456e00f33a94de8b5169cf0199550c020156e9651734ff999c5f3ea62b83d0083a6093f234457251ecf72c41e4df7cea2420b5454a7f690034380bac981e92e
 result = valid
 shared = 024c5281487216058270cd1cfe259e948310e4adc263a9edaa4da0bc3f5f8ce8ffc88ae41b2c050bf6dd9c8c66857237
-# The private key has a special value. Implementations using addition
-# subtraction chains for the point multiplication may get the point at infinity
-# as an intermediate result. See CVE_2017_10176
+flags = AddSubChain
 
 # tcId = 165
 # point is not on curve
@@ -1322,12 +1315,7 @@
 public = 3076301006072a8648ce3d020106052b81040022036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c8
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 183
 # public point = (0,0)
@@ -1335,12 +1323,7 @@
 public = 3076301006072a8648ce3d020106052b8104002203620004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 result = invalid
 shared = 
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
+flags = InvalidPublic
 
 # tcId = 184
 # order =
@@ -1349,20 +1332,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f0231ff000000000000000000000000000000000000000000000000389cb27e0bc8d220a7e5f24db74f58851313e695333ad68d020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 185
 # order = 0
@@ -1370,20 +1340,7 @@
 public = 308201853082011d06072a8648ce3d020130820110020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f020100020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,InvalidPublic,UnnamedCurve
 
 # tcId = 186
 # order = 1
@@ -1391,20 +1348,7 @@
 public = 308201853082011d06072a8648ce3d020130820110020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f020101020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 187
 # order =
@@ -1413,20 +1357,7 @@
 public = 308201b13082014906072a8648ce3d02013082013c020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f022d00ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196a020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The order of the public key has been modified. If this order is used in a
-# cryptographic primitive instead of the correct order then private keys may
-# leak. E.g. ECDHC in BC 1.52 suffered from this.
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = WrongOrder,UnusedParam,UnnamedCurve
 
 # tcId = 188
 # generator = (0,0)
@@ -1434,17 +1365,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 189
 # generator not on curve
@@ -1452,17 +1373,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e61023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020101036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 190
 # cofactor = -1
@@ -1470,17 +1381,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529730201ff036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 191
 # cofactor = 0
@@ -1488,17 +1389,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020100036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve
 
 # tcId = 192
 # cofactor = 2
@@ -1506,17 +1397,7 @@
 public = 308201b53082014d06072a8648ce3d020130820140020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020102036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = acceptable
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# A parameter that is typically not used for ECDH has been modified. Sometimes
-# libraries ignore small differences between public and private key. For
-# example, a library might ignore an incorrect cofactor in the public key. We
-# consider ignoring such changes as acceptable as long as these differences do
-# not change the outcome of the ECDH computation, i.e. as long as the
-# computation is done on the curve from the private key.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = UnusedParam,UnnamedCurve
 
 # tcId = 193
 # cofactor =
@@ -1525,17 +1406,7 @@
 public = 308201e53082017d06072a8648ce3d020130820170020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff30640430fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc0430b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973036200042121a348f9743855859c496f91d0f39fe728fc46e48d007713051b22f1c0257fe20dd85b21df7e1ec82bf8b39b2138a2ae74f80e6257778f8cca9f279b57d25eeeb155960642972f0567e204514f0ac1eb1e27db5115053211914961d09644c6
 result = invalid
 shared = 455cf3c0b0090688599825522ef3312878201514f6330ccc7f42ec1945204adfe419b2dbbfb942dc98b16d8323150cf6
-# The public key has been modified and is invalid. An implementation should
-# always check whether the public key is valid and on the same curve as the
-# private key. The test vector includes the shared secret computed with the
-# original public key if the public point is on the curve of the private key.
-# Generating a shared secret other than the one with the original key likely
-# indicates that the bug is exploitable.
-# The public key does not use a named curve. RFC 3279 allows to encode such
-# curves by explicitly encoding, the parameters of the curve equation, modulus,
-# generator, order and cofactor. However, many crypto libraries only support
-# named curves. Modifying some of the EC parameters and encoding the
-# corresponding public key as an unnamed curve is a potential attack vector.
+flags = InvalidPublic,UnnamedCurve