diff --git a/.github/workflows/debian-package-test.yml b/.github/workflows/debian-package-test.yml
index da7596a5..b46a9a08 100644
--- a/.github/workflows/debian-package-test.yml
+++ b/.github/workflows/debian-package-test.yml
@@ -44,7 +44,9 @@ jobs:
 - name: wolfssl install
 working-directory: ./wolfssl
 run: |
- sudo dpkg -i libwolfssl_*.deb libwolfssl-dev_*.deb
+ # Install wolfSSL packages staged in parent directory by dpkg-buildpackage
+ sudo dpkg -i ../libwolfssl_*.deb ../libwolfssl-dev_*.deb
+ sudo apt-get -f install -y
 # Setup wolfPKCS11
 - name: wolfpkcs11 autogen
@@ -62,6 +64,7 @@ jobs:
 - name: Test debian package installation
 run: |
 sudo dpkg -i libwolfpkcs11_*.deb libwolfpkcs11-dev_*.deb
+ sudo apt-get -f install -y
 # Verify installation
 - name: Verify package installation
diff --git a/.github/workflows/nss-ssltap-test.yml b/.github/workflows/nss-ssltap-test.yml
index 6543a38d..0b472baa 100644
--- a/.github/workflows/nss-ssltap-test.yml
+++ b/.github/workflows/nss-ssltap-test.yml
@@ -92,6 +92,8 @@ jobs:
 run: |
 mkdir -p /tmp/src
 cd /tmp/src
+ # Defensive cleanup to avoid 'destination ... is not empty' errors
+ rm -rf nss osp
 # Clone official Mozilla NSS with specific tag
 hg clone https://hg.mozilla.org/projects/nss -r ${{ env.NSS_VERSION }}
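Review bot: In debian-package-test.yml the added `sudo apt-get -f install -y` will not run in the case it is meant to cover. GitHub Actions runs `run:` scripts with `bash -e` by default, so a `dpkg -i` that exits non-zero on unmet dependencies ends the step first (assuming the workflow does not override the shell, which is not visible here). The same applies to the wolfPKCS11 install in the `@@ -62,6 +64,7 @@` hunk. Letting apt resolve the dependencies directly avoids the two-step pattern, e.g. `sudo apt-get install -y ../libwolfssl_*.deb ../libwolfssl-dev_*.deb` and `sudo apt-get install -y ./libwolfpkcs11_*.deb ./libwolfpkcs11-dev_*.deb`; alternatively chain the fallback as `sudo dpkg -i … || sudo apt-get -f install -y`.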
@@ -125,36 +127,7 @@ jobs:
 path: /tmp/src/dist
 key: nss-build-${{ env.NSS_VERSION }}-latest
- - name: Clone NSS and apply wolfSSL patches
- if: steps.cache-nss-source.outputs.cache-hit != 'true'
- run: |
- mkdir -p /tmp/src
- cd /tmp/src
-
- # Clone official Mozilla NSS with specific tag
- hg clone https://hg.mozilla.org/projects/nss -r ${{ env.NSS_VERSION }}
-
- # Clone wolfSSL OSP repository for patches
- git clone https://github.com/wolfSSL/osp.git
- cd nss
-
- # Apply patches from wolfSSL/osp/nss directory
- echo "Applying wolfSSL NSS patches..."
- if [ -d "../osp/nss" ]; then
- for patch in ../osp/nss/*.patch; do
- if [ -f "$patch" ]; then
- echo "Applying patch: $(basename $patch)"
- patch -p1 < "$patch" || {
- echo "Warning: Patch $(basename $patch) failed to apply cleanly"
- echo "Attempting to apply with --reject-file option..."
- patch -p1 --reject-file=/tmp/$(basename $patch).rej < "$patch" || true
- }
- fi
- done
- else
- echo "No patches found in wolfSSL/osp/nss directory"
- fi
 - name: Build NSS
 if: steps.cache-nss-build.outputs.cache-hit != 'true'
diff --git a/src/internal.c b/src/internal.c
index f8c18d1d..fb88358a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1064,7 +1064,11 @@ static int wolfPKCS11_Store_Name(int type, CK_ULONG id1, CK_ULONG id2, char* nam
 #ifndef WOLFPKCS11_NO_ENV
 const char* str = NULL;
 #endif
- char homePath[47]; /* Must fit within name buffer size limit */
+ /* Reserve enough space in the final filename for suffixes such as
+ * "/wp11_rsakey_priv_%016lx_%016lx" (47 chars worst-case).
+ */
+ enum { WP11_STORE_SUFFIX_RESERVE = 48 };
+ char homePath[256];
 /* Path order:
 * 1. Environment variable WOLFPKCS11_TOKEN_PATH
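Review bot: WP11_STORE_SUFFIX_RESERVE looks a few bytes short in the src/internal.c hunk. The format quoted in the new comment, "/wp11_rsakey_priv_%016lx_%016lx", expands to 51 characters by my count (18 literal + 16 + 1 + 16), not 47, so 48 does not cover it plus the terminating NUL. If that format is the longest one, a path accepted by the later length check can still leave the final name truncated or overrun, depending on how the name is written outside this hunk. Deriving the value from the string keeps comment and constant in step, e.g. `enum { WP11_STORE_SUFFIX_RESERVE = sizeof("/wp11_rsakey_priv_0000000000000000_0000000000000000") };`. homePath is also filled outside this hunk; with a fixed 256-byte buffer it is worth confirming that the write into it is checked for truncation, since a shortened directory would pass the length check unnoticed.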
@@ -1125,7 +1129,13 @@ static int wolfPKCS11_Store_Name(int type, CK_ULONG id1, CK_ULONG id2, char* nam
 #endif
 /* 47 is maximum number of character to a filename and path separator. */
- if (str == NULL || (XSTRLEN(str) > nameLen - sizeof(homePath))) {
+ if (str == NULL) {
+ return -1;
+ }
+ if (nameLen <= WP11_STORE_SUFFIX_RESERVE) {
+ return -1;
+ }
+ if (XSTRLEN(str) > (size_t)(nameLen - WP11_STORE_SUFFIX_RESERVE - 1)) {
 return -1;
 }
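Review bot: The context comment `/* 47 is maximum number of character to a filename and path separator. */` directly above the new checks is now stale. The bound is WP11_STORE_SUFFIX_RESERVE (48), and nothing explains the extra `- 1`. I would replace it with `/* Reject paths that leave no room in name for the filename suffix (WP11_STORE_SUFFIX_RESERVE) and the terminating NUL. */`. A short comment on the `nameLen <= WP11_STORE_SUFFIX_RESERVE` guard would also help, saying that it keeps the subtraction below from going negative before the cast to size_t (assuming nameLen is a signed int, which the truncated signature does not show). The function body continues outside the hunk.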