2.0 Release prep

.github/workflows/nss-ssltap-test.yml

@@ -125,6 +125,37 @@ jobs:
         path: /tmp/src/dist
         key: nss-build-${{ env.NSS_VERSION }}-latest
 
+    - name: Clone NSS and apply wolfSSL patches
+      if: steps.cache-nss-source.outputs.cache-hit != 'true'
+      run: |
+        mkdir -p /tmp/src
+        cd /tmp/src
+
+        # Clone official Mozilla NSS with specific tag
+        hg clone https://hg.mozilla.org/projects/nss -r ${{ env.NSS_VERSION }}
+
+        # Clone wolfSSL OSP repository for patches
+        git clone https://github.com/wolfSSL/osp.git
+
+        cd nss
+
+        # Apply patches from wolfSSL/osp/nss directory
+        echo "Applying wolfSSL NSS patches..."
+        if [ -d "../osp/nss" ]; then
+          for patch in ../osp/nss/*.patch; do
+            if [ -f "$patch" ]; then
+              echo "Applying patch: $(basename $patch)"
+              patch -p1 < "$patch" || {
+                echo "Warning: Patch $(basename $patch) failed to apply cleanly"
+                echo "Attempting to apply with --reject-file option..."
+                patch -p1 --reject-file=/tmp/$(basename $patch).rej < "$patch" || true
+              }
+            fi
+          done
+        else
+          echo "No patches found in wolfSSL/osp/nss directory"
+        fi
+
     - name: Build NSS
       if: steps.cache-nss-build.outputs.cache-hit != 'true'
       run: |

.github/workflows/nss.yml

@@ -9,6 +9,7 @@ on:
 
 env:
   NSPR_VERSION: NSPR_4_36_BRANCH
+  NSS_VERSION: NSS_3_112_RTM
   WOLFSSL_VERSION: v5.8.0-stable
   #NSS_DEBUG_PKCS11_MODULE: wolfPKCS11
   #NSPR_LOG_MODULES: all:5
@@ -65,27 +66,49 @@ jobs:
       if: steps.cache-nspr.outputs.cache-hit != 'true'
       run: hg clone https://hg.mozilla.org/projects/nspr -r ${{ env.NSPR_VERSION }}
 
-    - name: Cache NSS source
+    - name: Cache NSS source and patches
       id: cache-nss-source
       uses: actions/cache@v4
       with:
-        path: nss
+        path: |
+          nss
+          osp
         key: nss-source-fork
 
-    - name: Clone NSS
+    - name: Clone NSS and apply wolfSSL patches
       if: steps.cache-nss-source.outputs.cache-hit != 'true'
-      uses: actions/checkout@v4
-      with:
-        repository: LinuxJedi/nss
-        ref: nss-tests
-        path: nss
+      run: |
+        # Clone official Mozilla NSS with specific tag
+        hg clone https://hg.mozilla.org/projects/nss -r ${{ env.NSS_VERSION }}
+
+        # Clone wolfSSL OSP repository for patches
+        git clone https://github.com/wolfSSL/osp.git
+
+        cd nss
+
+        # Apply patches from wolfSSL/osp/nss directory
+        echo "Applying wolfSSL NSS patches..."
+        if [ -d "../osp/nss" ]; then
+          for patch in ../osp/nss/*.patch; do
+            if [ -f "$patch" ]; then
+              echo "Applying patch: $(basename $patch)"
+              patch -p1 < "$patch" || {
+                echo "Warning: Patch $(basename $patch) failed to apply cleanly"
+                echo "Attempting to apply with --reject-file option..."
+                patch -p1 --reject-file=/tmp/$(basename $patch).rej < "$patch" || true
+              }
+            fi
+          done
+        else
+          echo "No patches found in wolfSSL/osp/nss directory"
+        fi
 
     - name: Cache NSS build
       id: cache-nss-build
       uses: actions/cache@v4
       with:
         path: dist
-        key: nss-build-fork
+        key: nss-fork-${{ env.NSS_VERSION }}-latest
 
     - name: Build NSS
       if: steps.cache-nss-build.outputs.cache-hit != 'true'
@@ -138,4 +161,3 @@ jobs:
     - name: Run NSS tests
       working-directory: nss/tests
       run: LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib ./all.sh
-

Docker/firefox/Dockerfile

@@ -71,16 +71,13 @@ RUN ./configure --enable-all --enable-aescfb --enable-cryptocb --enable-rsapss -
 RUN make && make install
 WORKDIR /
 
-# Clone and prepare patch for NSS
-RUN git clone https://github.com/LinuxJedi/nss.git
-WORKDIR /nss
-RUN git diff origin/master origin/wolfPKCS11 > /nss.patch
-WORKDIR /
+# Clone osp to get the NSS patch
+RUN git clone https://github.com/wolfSSL/osp
 
 WORKDIR /firefox
 RUN git checkout $FIREFOX_TAG
 WORKDIR /firefox/security/nss
-RUN patch -p1 < /nss.patch
+RUN patch -p1 < /osp/nss/nss-tests-2025-04-11-978205bd37c33d862a5798d8158df7091412d3a7.patch
 RUN touch /mozconfig
 # Enable ASan specific code and build workarounds
 #RUN echo ac_add_options --enable-address-sanitizer >> /firefox/mozconfig

README.md

@@ -108,6 +108,113 @@ Set to any value to stop storage of token data.
 
 ## Release Notes
 
+### wolfPKCS11 Release 2.0 (August 26, 2025)
+
+**Summary**
+
+This release contains many new features so that it can be the PKCS11 backend for NSS. It also includes many bug fixes.
+
+**Detail**
+
+* New examples added
+* Added certificate storage for wolfPKCS11
+* Added new AES algorithms:
+  - `AES-CCM`
+  - `AES-ECB`
+  - `AES-CTS`
+  - `AES-CTR`
+* Compiler fixes
+* Large improvements to TPM storage
+* Reduced memory usage for objects
+* Added support for MAXQ1065
+* Fixed RSA with no public exponent provided
+* Fixed `CKA_CERTIFICATE_TYPE` search for `CKC_X_509`
+* Fixed RSA with no modulus provided
+* Fixed bad memory access with `C_FindObjects` on a certificate object
+* Added new functionality:
+  - `C_Digest*`
+  - `C_SignEncryptUpdate`
+  - `C_DecryptVerifyUpdate`
+  - `C_GetOperationState` and `C_SetOperationState` (Digest only)
+  - `C_SignRecoverInit` and `C_VerifyRecover`
+  - `wolfPKCS11_Debugging_On` and `wolfPKCS11_Debugging_Off`
+* Added new mechanisms:
+  - `CKM_ECDSA_SHA*`
+  - `CKM_SHA*_RSA*`
+  - `CKM_AES_CMAC_GENERAL`
+  - `CKM_AES_CMAC`
+  - `CKM_AES_CBC_ENCRYPT_DATA`
+  - `CKM_HKDF_DATA`
+  - `CKM_HKDF_KEY_GEN`
+  - `CKM_TLS12_KEY_AND_MAC_DERIVE`
+  - `CKM_TLS12_MASTER_KEY_DERIVE`
+  - `CKM_TLS12_MASTER_KEY_DERIVE_DH`
+  - `CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE` (NSS builds only)
+  - `CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH` (NSS builds only)
+  - `CKM_NSS_TLS_PRF_GENERAL_SHA256` (NSS builds only)
+  - `CKM_TLS_MAC`
+  - `CKM_SHA1_RSA_PKCS`
+  - `CKM_SHA1_RSA_PKCS_PSS`
+  - `CKM_SHA3*`
+  - `CKM_MD5`
+  - `CKM_NSS_PKCS12_PBE_SHA*_HMAC_KEY_GEN` (NSS builds only)
+  - `CKM_PKCS5_PBKD2`
+* Added new types:
+  - `CKO_DATA`
+  - `CKO_NSS_TRUST` (NSS builds only)
+* Added new attributes:
+  - `CKA_CERTIFICATE_TYPE`
+  - `CKA_CERTIFICATE_CATEGORY`
+  - `CKA_ID`
+  - `CKA_ISSUER`
+  - `CKA_SERIAL_NUMBER`
+  - `CKA_PUBLIC_KEY_INFO`
+  - `CKA_URL`
+  - `CKA_HASH_OF_SUBJECT_PUBLIC_KEY`
+  - `CKA_HASH_OF_ISSUER_PUBLIC_KEY`
+  - `CKA_NAME_HASH_ALGORITHM`
+  - `CKA_CHECK_VALUE`
+  - `CKA_CERT_SHA1_HASH` (NSS builds only)
+  - `CKA_CERT_MD5_HASH` (NSS builds only)
+  - `CKA_TRUST_SERVER_AUTH` (NSS builds only)
+  - `CKA_TRUST_CLIENT_AUTH` (NSS builds only)
+  - `CKA_TRUST_EMAIL_PROTECTION` (NSS builds only)
+  - `CKA_TRUST_CODE_SIGNING` (NSS builds only)
+  - `CKA_TRUST_STEP_UP_APPROVED` (NSS builds only)
+  - `CKA_NSS_EMAIL` (NSS builds only)
+  - `CKA_NSS_DB` (NSS builds only, not stored)
+* Added SHA3 support for digest and HMAC
+* Added AES key gen and key wrap
+* Added `--enable-nss` for NSS specific PKCS11 quirks
+* Fixed ECC derive key curve error
+* Fixed object boolean attributes and permissions
+* Fixed `C_SetAttributeValue` sometimes erasing keys
+* Fixed wolfCrypt FIPSv5 and FIPSv6 support
+* Fixed token erasure on load error
+* Fixed various memory leaks
+* Complete re-write of file based token path handling
+* Added debugging output
+* Fixed visibility issues
+* Fixed x963 usage for ECC keys
+* Added support for older wolfSSL versions
+* Fixed token overwriting previous objects
+* Fixed token load error handling
+* Improved error handling for `C_Login`
+* Improved Debian packaging
+* Fixed build issues with wolfBoot
+* Fixed `malloc(0)` code path
+* Fixed `C_CopyObject` not doing a deep copy
+* Added `CKM_RSA_PKCS` to wrap / unwrap
+* Fixed ECC curve lookup for FIPSv5
+* Fixed default attributes for keys
+* `C_DestroyObject` now deletes files instead of leaving truncated files
+* Added support for STM32U5 DHUK wrapping
+* Added PBKDF2 support for pins
+  - Enabled by default for FIPS
+  - Enabled using `--enable-pbkdf2` or defining `WOLFPKCS11_PBKDF2`
+* Added `--pbkdf2-iterations` and `PBKDF2_ITERATIONS` to set the number of
+  PBKDF2 iterations for pin handling (default 600,000).
+
 ### wolfPKCS11 Release 1.3 (Mar 22, 2024)
 
 **Summary**

configure.ac

@@ -7,7 +7,7 @@
 #
 AC_COPYRIGHT([Copyright (C) 2014-2023 wolfSSL Inc.])
 AC_PREREQ([2.63])
-AC_INIT([wolfpkcs11],[1.3.0],[https://github.com/wolfssl/wolfpkcs11/issues],[wolfpkcs11],[http://www.wolfssl.com])
+AC_INIT([wolfpkcs11],[2.0.0],[https://github.com/wolfssl/wolfpkcs11/issues],[wolfpkcs11],[http://www.wolfssl.com])
 AC_CONFIG_AUX_DIR([build-aux])
 
 # The following sets CFLAGS to empty if unset on command line.
@@ -36,11 +36,11 @@ AC_CONFIG_HEADERS([wolfpkcs11/config.h])
 # The three numbers in the libpkcs11.so.*.*.* file name. Unfortunately
 
 # increment if interfaces have been removed or changed
-WOLFPKCS11_LIBRARY_VERSION_FIRST=3
+WOLFPKCS11_LIBRARY_VERSION_FIRST=4
 
 # increment if interfaces have been added
 # set to zero if WOLFPKCS11_LIBRARY_VERSION_FIRST is incremented
-WOLFPKCS11_LIBRARY_VERSION_SECOND=1
+WOLFPKCS11_LIBRARY_VERSION_SECOND=0
 
 # increment if source code has changed
 # set to zero if WOLFPKCS11_LIBRARY_VERSION_FIRST is incremented or

debian/changelog

@@ -1,6 +1,6 @@
-wolfpkcs11 (1.3.0) stable; urgency=medium
+wolfpkcs11 (2.0.0) stable; urgency=medium
 
   * For a full changelog see
     https://github.com/wolfSSL/wolfPKCS11/blob/master/README.md
 
- -- wolfSSL <[email protected]>  Mon, 07 Jul 2025 10:30:00 +0000
+ -- wolfSSL <[email protected]>  Tue, 26 Aug 2025 16:49:00 +0000

debian/rules

@@ -15,7 +15,7 @@ DPKG_EXPORT_BUILDFLAGS = 1
 include /usr/share/dpkg/buildflags.mk
 
 # Configure options for the build
-CONFIGURE_OPTS = --enable-debug --enable-aesecb --enable-nss
+CONFIGURE_OPTS = --enable-aesctr --enable-aesccm --enable-aeskeywrap --enable-aesecb --enable-nss
 
 %:
 	dh $@ --with autoreconf

wolfpkcs11/version.h

@@ -28,8 +28,8 @@
 extern "C" {
 #endif
 
-#define LIBWOLFPKCS11_VERSION_STRING "1.3.0"
-#define LIBWOLFPKCS11_VERSION_HEX 0x01003000
+#define LIBWOLFPKCS11_VERSION_STRING "2.0.0"
+#define LIBWOLFPKCS11_VERSION_HEX 0x02000000
 
 #ifdef __cplusplus
 }