wolfSSL · Frauschi · Jan 26, 2026 · Jan 26, 2026 · Jan 29, 2026 · Jan 29, 2026
diff --git a/.github/workflows/alpine-architecture-tests.yml b/.github/workflows/alpine-architecture-tests.yml
@@ -7,7 +7,7 @@ on:
     branches: [ '*' ]
 
 env:
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.4-stable
 
 jobs:
   alpine-architecture-tests:

diff --git a/.github/workflows/nss-cmsutil-test.yml b/.github/workflows/nss-cmsutil-test.yml
@@ -10,7 +10,7 @@ on:
 env:
   NSPR_VERSION: NSPR_4_36_BRANCH
   NSS_VERSION: NSS_3_112_RTM
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.4-stable
   NSS_DEBUG_PKCS11_MODULE: wolfPKCS11
   NSPR_LOG_MODULES: all:5
   NSPR_LOG_FILE: /logs/nss.log
@@ -238,10 +238,10 @@ jobs:
 
         # Step 2: Generate user certificate and key pair directly in NSS
         echo "   Generating user certificate and key pair in NSS database..."
-        
+
         # Create random seed for key generation
         dd if=/dev/urandom of=noise.bin bs=20 count=1 2>/dev/null
-        
+
         # Generate certificate request with key pair (creates DER format)
         printf '\n\n' | certutil -R -s "CN=Test User,O=NSS Test,C=US" \
         -o user-req.der -d /nss-test/nssdb -z noise.bin

diff --git a/.github/workflows/nss-curl-test.yml b/.github/workflows/nss-curl-test.yml
@@ -9,7 +9,7 @@ on:
 env:
   NSPR_VERSION: NSPR_4_36_BRANCH
   NSS_VERSION: NSS_3_112_RTM
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.4-stable
   CURL_VERSION: 8.0.0
   NSS_DEBUG_PKCS11_MODULE: "wolfPKCS11"
   NSPR_LOG_MODULES: all:5
@@ -51,7 +51,7 @@ jobs:
             ca-certificates \
             libnss3-tools
           sudo rm -rf /var/lib/apt/lists/*
-      
+
       - name: Cache NSPR
         id: cache-nspr
         uses: actions/cache@v4
@@ -87,7 +87,7 @@ jobs:
         run: |
           mkdir -p /tmp/src
           cd /tmp/src
-          
+
           # Clone official Mozilla NSS with specific tag
           hg clone https://hg.mozilla.org/projects/nss -r ${{ env.NSS_VERSION }}
 
@@ -211,7 +211,7 @@ jobs:
         run: |
           sudo mkdir -p /etc/pki/nssdb
           cd /etc/pki
-          
+
           # Initialize NSS database
           sudo certutil -N -d sql:/etc/pki/nssdb --empty-password
 

diff --git a/.github/workflows/nss-pdfsig-test.yml b/.github/workflows/nss-pdfsig-test.yml
@@ -9,7 +9,7 @@ on:
 env:
   NSPR_VERSION: NSPR_4_36_BRANCH
   NSS_VERSION: NSS_3_112_RTM
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.4-stable
 
 jobs:
   test-nss-pdf-signing:

diff --git a/.github/workflows/nss-pk12util-debian-test.yml b/.github/workflows/nss-pk12util-debian-test.yml
@@ -8,7 +8,7 @@ on:
   workflow_dispatch:
 
 env:
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.2-stable # make deb seems to be broken with v5.8.4-stable
   NSS_DEBUG_PKCS11_MODULE: wolfPKCS11
   NSPR_LOG_MODULES: all:5
   NSPR_LOG_FILE: /logs/nss.log

diff --git a/.github/workflows/nss-pk12util-test.yml b/.github/workflows/nss-pk12util-test.yml
@@ -10,7 +10,7 @@ on:
 env:
   NSPR_VERSION: NSPR_4_36_BRANCH
   NSS_VERSION: NSS_3_112_RTM
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.4-stable
   NSS_DEBUG_PKCS11_MODULE: wolfPKCS11
   NSPR_LOG_MODULES: all:5
   NSPR_LOG_FILE: /logs/nss.log

diff --git a/.github/workflows/nss-ssltap-test.yml b/.github/workflows/nss-ssltap-test.yml
@@ -10,7 +10,7 @@ on:
 env:
   NSPR_VERSION: NSPR_4_36_BRANCH
   NSS_VERSION: NSS_3_112_RTM
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.4-stable
   NSS_DEBUG_PKCS11_MODULE: wolfPKCS11
   NSPR_LOG_MODULES: all:5
   NSPR_LOG_FILE: /logs/nss.log

diff --git a/.github/workflows/nss.yml b/.github/workflows/nss.yml
@@ -10,7 +10,7 @@ on:
 env:
   NSPR_VERSION: NSPR_4_36_BRANCH
   NSS_VERSION: NSS_3_112_RTM
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.4-stable
   #NSS_DEBUG_PKCS11_MODULE: wolfPKCS11
   #NSPR_LOG_MODULES: all:5
   #NSPR_LOG_FILE: /logs/nss.log

diff --git a/.github/workflows/storage-upgrade-test-tpm.yml b/.github/workflows/storage-upgrade-test-tpm.yml
@@ -5,7 +5,7 @@ on:
     branches: [ '*' ]
 
 env:
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.4-stable
 
 jobs:
   storage-upgrade-test-tpm:

diff --git a/.github/workflows/storage-upgrade-test.yml b/.github/workflows/storage-upgrade-test.yml
@@ -5,7 +5,7 @@ on:
     branches: [ '*' ]
 
 env:
-  WOLFSSL_VERSION: v5.8.0-stable
+  WOLFSSL_VERSION: v5.8.4-stable
 
 jobs:
   storage-upgrade-test:
@@ -20,7 +20,7 @@ jobs:
           # - name: v1.3.0
           #   ref: v1.3.0-stable
           #   branch-dir: v1.3.0-stable-branch
-    
+
     steps:
     # Checkout the PR branch
     - name: Checkout PR branch
@@ -52,7 +52,7 @@ jobs:
         repository: wolfssl/wolfssl
         path: wolfssl
         ref: ${{ env.WOLFSSL_VERSION }}
-    
+
     - name: Build wolfssl
       if: steps.cache-wolfssl.outputs.cache-hit != 'true'
       working-directory: ./wolfssl
@@ -109,30 +109,30 @@ jobs:
     - name: Copy storage files from ${{ matrix.base-ref.name }} to PR
       run: |
         echo "=== Copying storage files from ${{ matrix.base-ref.name }} to PR branch ==="
-        
+
         # Create directories if they don't exist
         mkdir -p pr-branch/store
-        
+
         # Copy store files
         if [ -d "${{ matrix.base-ref.branch-dir }}/store" ]; then
           cp -rv ${{ matrix.base-ref.branch-dir }}/store/* pr-branch/store/ 2>/dev/null || echo "No files in ${{ matrix.base-ref.branch-dir }}/store/"
         fi
-        
+
         echo "=== Storage file copy completed ==="
 
     - name: Test storage format compatibility (${{ matrix.base-ref.name }} → PR)
       working-directory: ./pr-branch
       run: |
         echo "=== Testing storage format compatibility with PR branch ==="
         echo "This tests that the PR can read storage files created by ${{ matrix.base-ref.name }} branch"
-        
+
         # List the copied files for verification
         echo "Files in store directory:"
         ls -la store/* 2>/dev/null || echo "No wp* files in store/"
-        
+
         # Run the tests with the copied storage files
         ./tests/pkcs11test
-        
+
         echo "=== Storage format upgrade test (${{ matrix.base-ref.name }} → PR) completed successfully ==="
 
     # Upload artifacts for debugging if needed

diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -90,7 +90,18 @@ jobs:
     uses: ./.github/workflows/build-workflow.yml
     with:
       config: --enable-pbkdf2 --with-pbkdf2-iterations=1000
-
+  pkcs11v3only:
+    uses: ./.github/workflows/build-workflow.yml
+    with:
+      config: --enable-pkcs11v30 --disable-pkcs11v32
+  pkcs11v32:
+    uses: ./.github/workflows/build-workflow.yml
+    with:
+      config: --enable-pkcs11v32
+  pkcs11v32-static:
+    uses: ./.github/workflows/build-workflow.yml
+    with:
+      config: --enable-pkcs11v32 --disable-shared
   debug:
     uses: ./.github/workflows/build-workflow.yml
     with:

diff --git a/.gitignore b/.gitignore
@@ -38,6 +38,7 @@ tests/object_id_uniqueness_test
 tests/rsa_session_persistence_test
 tests/debug_test
 tests/token_path_test
+tests/pkcs11v3test
 examples/add_aes_key
 examples/add_hmac_key
 examples/add_rsa_key
@@ -61,6 +62,7 @@ test/*
 .project
 .settings
 add_cert_file
+.cache
 
 tests/wp11_rsakey_*
 tests/wp11_dhkey_*

diff --git a/Docker/firefox/Dockerfile b/Docker/firefox/Dockerfile
@@ -1,6 +1,6 @@
 FROM ubuntu:24.04
 
-ARG WOLFSSL_TAG=v5.8.0-stable
+ARG WOLFSSL_TAG=v5.8.4-stable
 ARG FIREFOX_TAG=78c455227887c316bdde0be2738e31fcecb4547d
 # geckodriver should be updated when updating the Firefox version
 ARG GECKODRIVER_TAG=v0.36.0

diff --git a/configure.ac b/configure.ac
@@ -481,6 +481,30 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_DEFAULT_TOKEN_PATH=\"$WOLFPKCS11_DEFAULT_TOKEN_PATH\""
 fi
 
+AC_ARG_ENABLE([pkcs11v30],
+    [AS_HELP_STRING([--enable-pkcs11v30],[Enable PKCS#11 Version 3.0 support (default: enabled)])],
+    [ ENABLED_PKCS11V3_0=$enableval ],
+    [ ENABLED_PKCS11V3_0=yes ]
+    )
+if test "$ENABLED_PKCS11V3_0" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_0"
+fi
+
+AC_ARG_ENABLE([pkcs11v32],
+    [AS_HELP_STRING([--enable-pkcs11v32],[Enable PKCS#11 Version 3.2 support (default: disabled)])],
+    [ ENABLED_PKCS11V3_2=$enableval ],
+    [ ENABLED_PKCS11V3_2=no ]
+    )
+if test "$ENABLED_PKCS11V3_2" = "yes"
+then
+    if test "$ENABLED_PKCS11V3_0" = "no"
+    then
+        ENABLED_PKCS11V3_0=yes
+    fi
+    AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
+fi
+
 
 AM_CONDITIONAL([BUILD_STATIC],[test "x$enable_shared" = "xno"])
 
@@ -657,3 +681,5 @@ echo "   * ECC:                        $ENABLED_ECC"
 echo "   * HKDF:                       $ENABLED_HKDF"
 echo "   * NSS modifications:          $ENABLED_NSS"
 echo "   * Default token path:         $WOLFPKCS11_DEFAULT_TOKEN_PATH"
+echo "   * PKCS#11 Version 3.0:        $ENABLED_PKCS11V3_0"
+echo "   * PKCS#11 Version 3.2:        $ENABLED_PKCS11V3_2"