Support for generating keys from known DH parameters is not included unfortunately because even the latest stable GnuTLS release doesn't have the necessary support. I have a patch that implements it using _gnutls_dh_generate_key() but that requires a special GnuTLS 3.8.2 build (--enable-fips140-mode). With that patch all included tests pass here.
Paul, can you take a look? I included your tests so please approve this MR if you think it's okay.
-- v2: bcrypt/tests: Add DH tests. bcrypt: Make sure key_asymmetric_derive_key() returns correct size. bcrypt: Add support for generating DH keys from known parameters. bcrypt: Reject DH keys smaller than 512 bits. bcrypt: Make DH blob size validation more strict in key_import_pair(). bcrypt: Add helpers to create a public/private key pair. bcrypt: Allow or disallow some operations based on whether keys are finalized. bcrypt: Add support for retrieving DH parameters. bcrypt: Add support for setting DH parameters.