From 651e4cae8afd8ed33944b21284e32f67f04b901b Mon Sep 17 00:00:00 2001
From: Yosuke Shimizu <yosuke@wolfssl.com>
Date: Thu, 16 Apr 2026 13:38:32 +0900
Subject: [PATCH] Add kex integration test for ed25519 server key

---
 examples/echoserver/echoserver.c |  32 +++++++++++++
 keys/include.am                  |   3 +-
 keys/server-key-ed25519.der      | Bin 0 -> 82 bytes
 keys/server-key-ed25519.pem      |   4 ++
 tests/kex.c                      |  78 +++++++++++++++++++++++++++++++
 wolfssh/certs_test.h             |  15 ++++++
 6 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 keys/server-key-ed25519.der
 create mode 100644 keys/server-key-ed25519.pem

diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
index a6a83140f..67c897c74 100644
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -1737,6 +1737,26 @@ static int load_key(byte isEcc, byte* buf, word32 bufSz)
 }
 
 
+#ifndef WOLFSSH_NO_ED25519
+/* returns buffer size on success */
+static int load_key_ed25519(byte* buf, word32 bufSz)
+{
+    word32 sz = 0;
+
+#ifndef NO_FILESYSTEM
+    sz = load_file("./keys/server-key-ed25519.der", buf, &bufSz);
+#else
+    if ((word32)sizeof_ed25519_key_der_ssh > bufSz)
+        return 0;
+    WMEMCPY(buf, ed25519_key_der_ssh, sizeof_ed25519_key_der_ssh);
+    sz = (word32)sizeof_ed25519_key_der_ssh;
+#endif
+
+    return sz;
+}
+#endif /* WOLFSSH_NO_ED25519 */
+
+
 typedef struct StrList {
     const char* str;
     struct StrList* next;
@@ -2954,6 +2974,18 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
         }
         #endif
 
+        #ifndef WOLFSSH_NO_ED25519
+        bufSz = EXAMPLE_KEYLOAD_BUFFER_SZ;
+        bufSz = load_key_ed25519(keyLoadBuf, bufSz);
+        if (bufSz == 0) {
+            ES_ERROR("Couldn't load Ed25519 key file.\n");
+        }
+        if (wolfSSH_CTX_UsePrivateKey_buffer(ctx, keyLoadBuf, bufSz,
+                                             WOLFSSH_FORMAT_ASN1) < 0) {
+            ES_ERROR("Couldn't use Ed25519 key buffer.\n");
+        }
+        #endif /* WOLFSSH_NO_ED25519 */
+
         #ifndef NO_FILESYSTEM
         if (userPubKey) {
             byte* userBuf = NULL;
diff --git a/keys/include.am b/keys/include.am
index cc2aa720f..fd82f10c5 100644
--- a/keys/include.am
+++ b/keys/include.am
@@ -23,5 +23,6 @@ EXTRA_DIST+= \
             keys/fred-cert.der keys/fred-cert.pem \
             keys/server-key.pem keys/fred-key.der keys/fred-key.pem \
             keys/id_ecdsa keys/id_ecdsa.pub keys/id_rsa keys/id_rsa.pub \
-            keys/renewcerts.sh keys/renewcerts.cnf
+            keys/renewcerts.sh keys/renewcerts.cnf \
+            keys/server-key-ed25519.der keys/server-key-ed25519.pem
 
diff --git a/keys/server-key-ed25519.der b/keys/server-key-ed25519.der
new file mode 100644
index 0000000000000000000000000000000000000000..7719de44df20d584e745bcb50fa3fbac4d8881a5
GIT binary patch
literal 82
zcmV-Y0ImNpPyzt}Fa-t!D`jv5A_O36XY&qZ>Qesntz}I`U|~2|5eJ0u1C)~#dwVk)
oy7n1?AP-gypM82_hwvsA88PIt9qGO9N`F<ZCM}^Q<nBsQ0B80d+W-In

literal 0
HcmV?d00001

diff --git a/keys/server-key-ed25519.pem b/keys/server-key-ed25519.pem
new file mode 100644
index 000000000..c4992f196
--- /dev/null
+++ b/keys/server-key-ed25519.pem
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MFACAQAwBQYDK2VwBCIEIGpn8w5k6lL+9K1lTUVgYThYEQeE8AOUkxR7ezMauvYZ
+gSAPVgyffXpih/AmFhkx5LId6b3uSn9VriYtoSXk7kpRAA==
+-----END PRIVATE KEY-----
diff --git a/tests/kex.c b/tests/kex.c
index 26dc1262a..97a813a99 100644
--- a/tests/kex.c
+++ b/tests/kex.c
@@ -305,6 +305,81 @@ static int wolfSSH_KexTest_Connect(const char* kex)
     return EXIT_SUCCESS;
 }
 
+
+#ifndef WOLFSSH_NO_ED25519
+static int wolfSSH_KexTest_Ed25519HostKey(void)
+{
+    tcp_ready ready;
+    THREAD_TYPE serverThread;
+    func_args serverArgs;
+    func_args clientArgs;
+    char sA[NUMARGS][ARGLEN];
+    char *serverArgv[NUMARGS] =
+        { sA[0], sA[1], sA[2], sA[3], sA[4], sA[5], sA[6], sA[7], sA[8],
+          sA[9], sA[10], sA[11] };
+    char cA[NUMARGS][ARGLEN];
+    char *clientArgv[NUMARGS] =
+        { cA[0], cA[1], cA[2], cA[3], cA[4], cA[5], cA[6], cA[7], cA[8],
+          cA[9], cA[10], cA[11] };
+    int serverArgc = 0;
+    int clientArgc = 0;
+
+    InitTcpReady(&ready);
+
+    ADD_ARG(serverArgv, serverArgc, "echoserver");
+    ADD_ARG(serverArgv, serverArgc, "-1");
+    ADD_ARG(serverArgv, serverArgc, "-f");
+    #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
+        ADD_ARG(serverArgv, serverArgc, "-p");
+        ADD_ARG(serverArgv, serverArgc, "-0");
+    #endif
+    ADD_ARG(serverArgv, serverArgc, "-k");
+    ADD_ARG(serverArgv, serverArgc, "ssh-ed25519");
+
+    serverArgs.argc = serverArgc;
+    serverArgs.argv = serverArgv;
+    serverArgs.return_code = EXIT_SUCCESS;
+    serverArgs.signal = &ready;
+    serverArgs.user_auth = NULL;
+    ThreadStart(echoserver_test, &serverArgs, &serverThread);
+    WaitTcpReady(&ready);
+
+    ADD_ARG(clientArgv, clientArgc, "client");
+    ADD_ARG(clientArgv, clientArgc, "-u");
+    ADD_ARG(clientArgv, clientArgc, "jill");
+    #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
+        ADD_ARG(clientArgv, clientArgc, "-p");
+        ADD_ARG_INT(clientArgv, clientArgc, ready.port);
+    #endif
+
+    clientArgs.argc = clientArgc;
+    clientArgs.argv = clientArgv;
+    clientArgs.return_code = EXIT_SUCCESS;
+    clientArgs.signal = &ready;
+    clientArgs.user_auth = tsClientUserAuth;
+
+    client_test(&clientArgs);
+
+#ifdef WOLFSSH_ZEPHYR
+    k_sleep(Z_TIMEOUT_TICKS(100));
+#endif
+    ThreadJoin(serverThread);
+
+    if (clientArgs.return_code == WS_SOCKET_ERROR_E) {
+        clientArgs.return_code = WS_SUCCESS;
+    }
+    if (serverArgs.return_code == WS_SOCKET_ERROR_E) {
+        serverArgs.return_code = WS_SUCCESS;
+    }
+    AssertIntEQ(WS_SUCCESS, clientArgs.return_code);
+    AssertIntEQ(WS_SUCCESS, serverArgs.return_code);
+
+    FreeTcpReady(&ready);
+
+    return EXIT_SUCCESS;
+}
+#endif /* WOLFSSH_NO_ED25519 */
+
 #endif /* KEXTEST_AVAILABLE */
 
 int wolfSSH_KexTest(int argc, char** argv)
@@ -353,6 +428,9 @@ int wolfSSH_KexTest(int argc, char** argv)
     AssertIntEQ(wolfSSH_KexTest_Connect("mlkem1024nistp384-sha384"),
             EXIT_SUCCESS);
 #endif
+#ifndef WOLFSSH_NO_ED25519
+    AssertIntEQ(wolfSSH_KexTest_Ed25519HostKey(), EXIT_SUCCESS);
+#endif
 
     AssertIntEQ(wolfSSH_Cleanup(), WS_SUCCESS);
 
diff --git a/wolfssh/certs_test.h b/wolfssh/certs_test.h
index 5b39eb8ee..96f24f598 100644
--- a/wolfssh/certs_test.h
+++ b/wolfssh/certs_test.h
@@ -229,6 +229,21 @@ static const unsigned char ecc_key_der_521_ssh[] =
 };
 #define sizeof_ecc_key_der_521_ssh (sizeof(ecc_key_der_521_ssh))
 
+#ifndef WOLFSSH_NO_ED25519
+/* ./keys/server-key-ed25519.der (private+public) */
+static const unsigned char ed25519_key_der_ssh[] =
+{
+    0x30, 0x50, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
+    0x04, 0x22, 0x04, 0x20, 0x6a, 0x67, 0xf3, 0x0e, 0x64, 0xea, 0x52, 0xfe,
+    0xf4, 0xad, 0x65, 0x4d, 0x45, 0x60, 0x61, 0x38, 0x58, 0x11, 0x07, 0x84,
+    0xf0, 0x03, 0x94, 0x93, 0x14, 0x7b, 0x7b, 0x33, 0x1a, 0xba, 0xf6, 0x19,
+    0x81, 0x20, 0x0f, 0x56, 0x0c, 0x9f, 0x7d, 0x7a, 0x62, 0x87, 0xf0, 0x26,
+    0x16, 0x19, 0x31, 0xe4, 0xb2, 0x1d, 0xe9, 0xbd, 0xee, 0x4a, 0x7f, 0x55,
+    0xae, 0x26, 0x2d, 0xa1, 0x25, 0xe4, 0xee, 0x4a, 0x51, 0x00
+};
+#define sizeof_ed25519_key_der_ssh (sizeof(ed25519_key_der_ssh))
+#endif /* WOLFSSH_NO_ED25519 */
+
 #endif /* NO_FILESYSTEM */
 
 #endif /* _WOLFSSL_CERTS_TEST_H_ */