Chimera Certificate Standards Compliance

In the evolving landscape of cryptographic security, supporting multiple signature algorithms within a single certificate has become increasingly important. These certificates are known as Chimera certificates, a moniker coined by the X9.146 banking standards team. They provide enhanced security, flexibility, and agility, especially for the transition to post-quantum cryptography. wolfSSL also understands the new TLS 1.3 CKS extension defined by the X9.146 banking standard draft.

Chimera certificates are X.509 certificates that contain two public keys and signatures. These certificates are implemented through the use of three extensions:

  • Subject Alternative Public Key Info (SAPKI): Contains an alternative public key
  • Alternative Signature Algorithm: Specifies the algorithm used for the alternative signature
  • Alternative Signature Value: Contains the actual bitstring of the alternative signature

In X.509 certificates, extensions can be marked as either “critical” or “non-critical.” Critical extensions MUST be understood and processed by the certificate validator. If a validator doesn’t recognize a critical extension, it MUST reject the certificate. Non-critical extensions can be safely ignored if not understood.

Before release 5.8.0, wolfSSL’s dual algorithm certificate implementation did not properly support the parsing of these extensions if they were marked as Critical. This was because the whole purpose of these extensions was to facilitate migration by allowing unmigrated systems to ignore the alternative public key and signatures. In that context, marking these extensions as critical made no sense.

That said, these extensions are standardized in the 2019 edition of the ITU-T X.509 standard. In that document, under recognition that there might be other future applications for these extensions, marking these extensions as critical is permitted.
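
The critical-extension rule described above, as an added example in C (not wolfSSL code and not from the original post): a minimal DER walker over a certificate's Extensions field that recognises the three alternative-key extensions by their X.509 (2019) OIDs, 2.5.29.72 to 2.5.29.74, and rejects any critical extension the validator does not implement. The function names, the `altsig_aware` switch, and the two sample byte arrays (with placeholder extension values) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* DER OID contents; 2.5.29.72/73/74 are the X.509 (2019) alternative-key extensions. */
static const uint8_t OID_BASIC_CONSTRAINTS[] = {0x55, 0x1D, 0x13};
static const uint8_t OID_SAPKI[]   = {0x55, 0x1D, 0x48}; /* subjectAltPublicKeyInfo */
static const uint8_t OID_ALT_ALG[] = {0x55, 0x1D, 0x49}; /* altSignatureAlgorithm   */
static const uint8_t OID_ALT_VAL[] = {0x55, 0x1D, 0x4A}; /* altSignatureValue       */
enum { EXT_OK = 0, EXT_MALFORMED = -1, EXT_UNKNOWN_CRITICAL = -2 };

/* Constructed sample Extensions fields with placeholder extnValues: first with the
 * alt extensions critical, then with their critical BOOLEAN omitted (non-critical). */
static const uint8_t SAMPLE_CRITICAL[] = { 0x30, 0x39,
    0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00,
    0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x48, 0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00,
    0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x49, 0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00,
    0x30, 0x0D, 0x06, 0x03, 0x55, 0x1D, 0x4A, 0x01, 0x01, 0xFF, 0x04, 0x03, 0x03, 0x01, 0x00 };
static const uint8_t SAMPLE_NONCRITICAL[] = { 0x30, 0x30,
    0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00,
    0x30, 0x09, 0x06, 0x03, 0x55, 0x1D, 0x48, 0x04, 0x02, 0x30, 0x00,
    0x30, 0x09, 0x06, 0x03, 0x55, 0x1D, 0x49, 0x04, 0x02, 0x30, 0x00,
    0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x4A, 0x04, 0x03, 0x03, 0x01, 0x00 };

/* Read one DER TLV with the expected tag, bounds-checked; advances *p past it. */
static int read_tlv(const uint8_t **p, const uint8_t *end, uint8_t tag, const uint8_t **val, size_t *len)
{
    const uint8_t *q = *p;
    size_t n;
    if (end - q < 2 || q[0] != tag) return -1;
    n = q[1]; q += 2;
    if (n & 0x80) {                       /* long form: 1 or 2 length bytes */
        size_t cnt = n & 0x7F;
        if (cnt == 0 || cnt > 2 || (size_t)(end - q) < cnt) return -1;
        for (n = 0; cnt > 0; cnt--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;
    *val = q; *len = n; *p = q + n;
    return 0;
}

/* altsig_aware: does this validator implement the alt extensions? *alt_seen: bits 1|2|4. */
int check_extensions(const uint8_t *der, size_t der_len, int altsig_aware, unsigned *alt_seen)
{
    const uint8_t *p = der, *end = der + der_len, *e, *e_end, *v;
    size_t n;
    *alt_seen = 0;
    if (read_tlv(&p, end, 0x30, &e, &n) || p != end) return EXT_MALFORMED;
    p = e; end = e + n;
    while (p < end) {
        int critical = 0, known = 0;
        if (read_tlv(&p, end, 0x30, &e, &n)) return EXT_MALFORMED;
        e_end = e + n;
        if (read_tlv(&e, e_end, 0x06, &v, &n)) return EXT_MALFORMED;
        if (n == 3 && !memcmp(v, OID_BASIC_CONSTRAINTS, 3)) known = 1;
        else if (n == 3 && !memcmp(v, OID_SAPKI, 3))   { *alt_seen |= 1; known = altsig_aware; }
        else if (n == 3 && !memcmp(v, OID_ALT_ALG, 3)) { *alt_seen |= 2; known = altsig_aware; }
        else if (n == 3 && !memcmp(v, OID_ALT_VAL, 3)) { *alt_seen |= 4; known = altsig_aware; }
        if (e < e_end && *e == 0x01) {    /* critical BOOLEAN DEFAULT FALSE */
            if (read_tlv(&e, e_end, 0x01, &v, &n) || n != 1) return EXT_MALFORMED;
            critical = (v[0] != 0);
        }
        if (read_tlv(&e, e_end, 0x04, &v, &n) || e != e_end) return EXT_MALFORMED;
        if (critical && !known) return EXT_UNKNOWN_CRITICAL; /* validator MUST reject */
    }
    return EXT_OK;
}

int main(void)
{
    unsigned seen;
    printf("unaware validator: %d\n", check_extensions(SAMPLE_CRITICAL, sizeof SAMPLE_CRITICAL, 0, &seen));
    printf("aware validator:   %d\n", check_extensions(SAMPLE_CRITICAL, sizeof SAMPLE_CRITICAL, 1, &seen));
    return 0;
}
```

The same certificate is accepted by an unaware validator only when the alternative extensions are non-critical, which is the migration behaviour the extensions were originally designed for.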

The addition of critical extension support for Chimera certificate extensions represents an important compliance step. Without standards, interoperability would not be possible.

As the cryptographic landscape continues to evolve, especially with the ongoing transition to post-quantum algorithms, enhancements such as Chimera certificate support will become increasingly valuable. wolfSSL continues to demonstrate its commitment to providing a robust, standards-compliant, and forward-looking cryptographic library.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfProvider Integration with nginx: Secure Your Web Server with wolfSSL FIPS Cryptography

Securing web servers with robust cryptography is essential in today’s threat landscape. wolfProvider offers a seamless way to enhance nginx security by integrating wolfSSL’s high-performance cryptographic implementations through OpenSSL’s provider framework. This integration allows nginx to leverage wolfSSL’s FIPS cryptography without modifying code.

What is wolfProvider?

wolfProvider is an OpenSSL provider that integrates the wolfCrypt FIPS cryptographic library with OpenSSL’s provider framework. It allows applications using the OpenSSL API, such as nginx, to seamlessly leverage wolfSSL’s FIPS approved cryptographic implementations without modifying application code.

Supported nginx Versions

Our continuous integration testing confirms compatibility with the following nginx versions:

  • nginx master branch
  • nginx release-1.27.4

Key Benefits for nginx users

  • Enhanced Security: Access to wolfSSL’s FIPS 140-2/3 validated cryptographic modules for compliance requirements
  • Optimized Performance: Benefit from wolfSSL’s highly optimized cryptographic implementations
  • Seamless Integration: No modifications to nginx or OpenSSL; a simple config file change enables the new wolfProvider integration
  • Comprehensive Algorithm Support: Full suite of modern cryptographic algorithms including:
    • AES (128/192/256-bit with ECB, CBC, CTR, GCM, CCM modes)
    • RSA, RSA-PSS for signing, verification, and key operations
    • ECC with ECDSA and ECDH support
    • SHA-1, SHA-2, and SHA-3 family hash functions

Testing and Verification

Our GitHub Actions workflows automatically test the integration to validate the following functionality:

  • TLS handshakes complete successfully
  • HTTP/2 connections work properly
  • Stream and mail modules function correctly
  • All cryptographic operations perform as expected

Stay updated with wolfProvider for ongoing enhancements! If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


wolfSSL Inc. SP800-140C, SP800-140D and Post-Quantum efforts update!

This is an update to the previous post, wolfSSL Inc. SP800-140C and Post-Quantum efforts update!

The National Institute of Standards and Technology (NIST) has recently updated its guidelines, enabling the certification of several post-quantum cryptographic algorithms through the Cryptographic Module Validation Program (CMVP). Notably, the digital signature algorithms ML-DSA (CRYSTALS-Dilithium), SLH-DSA, LMS, and XMSS are now fully certifiable under the updated SP800-140C standards. Similarly, ML-KEM (CRYSTALS-Kyber) is fully certifiable under the updated SP800-140D standards!

In response to these developments, wolfSSL Inc. is proactively planning submissions to the CMVP for all except SLH-DSA. (If you would like to see SLH-DSA included, please let us know sooner rather than later, before we submit!)

wolfSSL Inc. has a strong track record in cryptographic module validation, having previously achieved FIPS 140-3 Certificate #4718 for its wolfCrypt Module, the world’s first SP 800-140Br1 validated certificate.

By staying ahead of regulatory changes and actively engaging in the certification process, wolfSSL continues to demonstrate its commitment to providing robust and compliant cryptographic solutions in the evolving landscape of post-quantum security.

As a reminder, be sure the January 1st, 2026 ESV soft transition does not catch you unprepared. The deadline for mandatory ESV validation across all FIPS modules is rapidly approaching. Leverage wolfSSL’s proven expertise to navigate this critical shift. Engage our staff now to architect a robust roadmap and guarantee a successful post-2026 FIPS compliance strategy!

We’d love to hear your feedback or input on this subject. Please do not hesitate to contact us at support@wolfSSL.com or fips@wolfSSL.com anytime!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


wolfBoot Now Supports NXP’s New MCX A and MCX W Microcontrollers

wolfSSL is excited to announce that wolfBoot, our secure bootloader, now supports NXP’s MCX A and MCX W microcontroller families. This means developers can bring wolfBoot’s robust secure boot and firmware update capabilities to NXP’s latest low-power and wireless-enabled chips. The MCX A and MCX W series are NXP’s next-generation Arm Cortex-M33 based MCUs, designed for edge and IoT applications. Some topics we will explore today include:

  • Secure boot and firmware authentication
  • MCX A and MCX W series support in wolfBoot
  • TrustZone-M support: supervising security
  • Quantum-resistant cryptography
  • Hybrid Dual-signature authentication

The MCX A series delivers a cost-effective, small-footprint MCU solution with autonomous, low-power peripherals for a wide range of industrial and IoT uses.

The MCX W series, on the other hand, builds on that foundation by adding integrated wireless connectivity – a unified, pin-compatible platform supporting standards like Matter, Thread, Zigbee, and Bluetooth LE.

Notably, the MCX W devices also incorporate NXP’s EdgeLock secure enclave technology, providing a built-in hardware security core (a hardware root-of-trust) for key storage and cryptography.

These new MCUs combine efficient performance, ultra-low power operation, and advanced security features, making them an ideal match for wolfBoot’s secure boot capabilities.

With wolfBoot now running on MCX A and MCX W devices, manufacturers and developers using these chips can ensure that only authenticated, trusted firmware runs on their hardware. wolfBoot performs cryptographic signature verification of firmware at boot time, preventing unauthorized or malicious code from taking control of the device. This addition expands wolfBoot’s platform support and underscores our commitment to securing even the most resource-constrained embedded systems.

Coming soon, wolfSSL will further integrate wolfBoot with the TrustZone-M and hardware security features of the MCX family. In practical terms, this upcoming enhancement will allow wolfBoot to act as the TrustZone-M secure supervisor on these microcontrollers – running in the isolated secure world while the main application runs in the non-secure domain. By leveraging TrustZone, wolfBoot can maintain control over critical security resources: for example, cryptographic keys and operations can be confined to the secure domain. wolfBoot uses this isolation to implement a kind of lightweight hypervisor, meaning applications in the non-secure domain can invoke cryptographic functions without ever directly accessing the secret keys.

This architecture greatly enhances security – even if an application or network-exposed code is compromised, the attacker cannot extract or misuse the most sensitive assets. Additionally, wolfBoot will make use of the MCX hardware root-of-trust capabilities (such as the EdgeLock secure enclave on the MCX W series) to anchor the boot process in silicon. This hardware-based trust anchor will let wolfBoot verify firmware authenticity using keys stored in tamper-resistant memory and even interface with secure key management services.

The result is an extremely robust secure boot chain that takes full advantage of the MCX series’ built-in security features.

Another key advantage of wolfBoot on NXP MCX is its forward-looking cryptography, which is increasingly important for longevity in IoT products. wolfBoot already supports several post-quantum cryptography (PQC) signature algorithms – the kinds of digital signatures designed to withstand attacks by quantum computers. This includes hash-based signature schemes like LMS (Leighton-Micali Signature) and XMSS, as well as ML-DSA, the newly standardized module-lattice-based signature algorithm (derived from the CRYSTALS-Dilithium PQC scheme).

These algorithms are quantum-resistant, meaning that unlike RSA or ECC, they are not known to be breakable by quantum computing. This is a critical consideration for future-proofing devices: experts warn that a sufficiently powerful quantum computer could one day defeat classical cryptography by solving the mathematical problems underpinning RSA/ECC much faster than a classical computer.

By adopting PQC signatures, wolfBoot ensures that devices can remain secure even in a post-quantum future where older algorithms might be vulnerable.

What’s more, wolfBoot supports a hybrid dual-signature approach to firmware authentication.

In hybrid mode, each firmware image can be signed with both a traditional algorithm (e.g. ECDSA or RSA) and a post-quantum algorithm (like LMS or Dilithium). wolfBoot will verify both signatures, and it only boots the new firmware if both cryptographic checks pass. This dual-signing strategy provides defense-in-depth during the transition to PQC. Even if one of the signature algorithms were to be compromised (for instance, a future quantum breakthrough against ECC, or an unforeseen weakness in a new PQC scheme), the second signature still stands as a guardrail. Hybrid signatures also help with adoption: they allow new devices to be compatible with existing classical cryptography infrastructure while gradually introducing PQC, offering a graceful migration path. wolfBoot’s support for hybrid authentication means developers don’t have to choose between today’s standards and tomorrow’s security – they can have both, ensuring firmware updates are secure against both conventional and quantum threats.

By extending wolfBoot to the NXP MCX A and MCX W families, wolfSSL is empowering developers to build the next generation of connected devices with strong confidence in their boot security. These MCUs are built to drive innovation in smart home gadgets, industrial sensors, wearables, and more – and with wolfBoot, each of those devices can boot up safely, verify its software integrity, and even perform field updates securely with minimal overhead. The combination of NXP’s silicon (with its low-power efficiency, wireless connectivity, and built-in security) and wolfBoot’s advanced secure boot features (from TrustZone supervision to post-quantum signatures) offers a powerful platform for long-term, resilient IoT deployments. As support for TrustZone-M and hardware root-of-trust on MCX devices rolls out, wolfBoot will fully harness the security architecture of these chips – essentially acting as a guardian in the secure world that oversees and protects the entire system from reset to runtime. With optional post-quantum and hybrid signature verification, wolfBoot on MCX is not only securing today’s devices but also future-proofing them for the cryptographic challenges of the years ahead.

wolfSSL’s focus remains on providing easy-to-use, strong security solutions for embedded developers. If you are developing on NXP’s MCX microcontrollers or are interested in bolstering your device’s boot security (with features like TrustZone isolation or quantum-resistant crypto), now is a great time to explore wolfBoot. Feel free to reach out to us at facts@wolfSSL.com to learn more, get sample projects for MCX A/W, or discuss how wolfBoot can help secure your next project. We’re excited to see what innovations the community will build on these new NXP platforms – and even more excited that wolfBoot will be there to keep those devices secure from the moment they power on.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


Partner Webinar: wolfSSL and Weston Embedded: Interoperability Partners in the IoT Space

Join us on May 1st at 10 AM PT for an insightful webinar, wolfSSL and Weston Embedded: Interoperability Partners in the IoT Space. Hear from wolfSSL Senior Software Developer Anthony Hu, Weston Embedded President and Co-Founder Janos Magasrevy, and Network Stack Lead and Co-Founder Yanko Sosa as they delve into the integration of secure and efficient MQTT communication within embedded systems, showcasing the collaboration between wolfSSL and Weston Embedded.

Register Now: wolfSSL and Weston Embedded: Interoperability Partners in the IoT Space
Date: May 1st | 10 AM PT

Unlock the power of Cs/NET, a commercial TCP/IP stack based on Micrium’s trusted technology. Its MQTT client module supports multiple broker connections for secure and scalable IoT communication.

Harness lightweight TLS with wolfSSL, built for embedded and RTOS environments. Pair it with wolfMQTT, a compact MQTT client supporting v3.1.1, v5.0, and MQTT-SN for secure, high-performance messaging.

What You’ll Learn:

  • Company Introduction: wolfSSL and Weston Embedded
  • Product Overview: wolfMQTT and Cs/NET
  • Build and Setup Demonstrations: Step-by-step guidance on configuring wolfMQTT and Cs/NET
  • Live Demo: Showcasing interoperability between wolfMQTT and Cs/NET
  • Interactive Q&A Session

Don’t miss this opportunity to gain valuable insights into secure MQTT integration for embedded systems.

Register now!

As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


Live Webinar: wolfHSM Design for Automotive Hardware Security Modules – Tailored for the Asia-Pacific Time Zone

Learn how wolfHSM enhances automotive security by providing powerful cryptographic protection and seamless hardware integration.

Register today: wolfHSM Design for Automotive Hardware Security Modules – Tailored for the Asia-Pacific Time Zone.
Date: April 30th | 7 PM PT / May 1st | 11 AM JST

wolfHSM is a versatile hardware security module (HSM) framework that secures cryptography, key management, and storage. Integrated with wolfBoot, it enhances firmware update security by offloading cryptographic tasks to the HSM. Compatible with hardware like the Infineon Aurix TriCore TC3XX, it supports post-quantum algorithms, SM ciphers, and FIPS 140-3 compliance—ensuring robust automotive security.

Join us for an exclusive webinar on automotive HSMs, where wolfSSL Software Engineer Bill Phipps will explore the crucial role of wolfHSM in safeguarding modern vehicles. Stay ahead in the fast-evolving field of automotive security by gaining insights into the integration, functionality, and advantages of wolfHSM in automotive applications.

What this webinar will cover:

  • Overview of wolfHSM: Key features and how it enhances automotive system security.
  • Cryptographic Capabilities: Support for post-quantum cryptography, SM ciphers, and FIPS 140-3 compliance.
  • Hardware Integration: Best practices for integrating wolfHSM with Infineon Aurix TriCore TC3XX and other automotive platforms.
  • Security for ECUs: How wolfHSM secures Electronic Control Units (ECUs) and other critical vehicle components.
  • Hands-On Demo: Live demonstration showcasing wolfHSM in action on automotive hardware.

Secure your spot today and gain practical insights on how wolfHSM can elevate your automotive security framework.

Register Now!

As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


wolfSSL 5.8.0 Released

We are excited to announce that wolfSSL version 5.8.0 is now available. This release brings several important new features and improvements. Below are the key new additions:

New Features

  • Implemented various fixes to support building for Open Watcom, including OS/2 support and Open Watcom 1.9 compatibility (PR 8505, 8484).
  • Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488).
  • Added support for STM32WBA (PR 8550).
  • Added Extended Master Secret Generation Callback to the --enable-pkcallbacks build (PR 8303).
  • Implemented AES-CTS (--enable-aescts) in wolfCrypt (PR 8594).
  • Added support for libimobiledevice commit 860ffb (PR 8373).
  • Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD (PR 8307).
  • Added blinding option when using a Curve25519 private key by defining the macro WOLFSSL_CURVE25519_BLINDING (PR 8392).

ML-DSA and Post-Quantum Cryptography Enhancements

In line with NIST’s latest documentation, wolfSSL has updated its Dilithium implementation to ML-DSA (Module-Lattice Digital Signature Algorithm), which is fully supported in this release. Additionally, the release includes updates to further optimize ML-DSA and LMS (Leighton–Micali Signature) schemes, reducing memory usage and improving performance.

Linux Kernel Module (linuxkm) Updates

wolfSSL 5.8.0 expands support for the Linux Kernel Module (linuxkm), with several important enhancements to improve kernel-level cryptographic integration. This includes extended LKCAPI registration support for rfc4106(gcm(aes)), ctr(aes), ofb(aes), ecb(aes), and the legacy one-shot AES-GCM backend. Compatibility improvements have been added for newer kernels (≥6.8), and calls to scatterwalk_map() and scatterwalk_unmap() have been updated for Linux 6.15. The release also registers ECDSA, ECDH, and RSA algorithms with the kernel crypto API and introduces safeguards for key handling, including forced zeroing of shared secrets. These changes make it possible to use more wolfSSL functionality in the kernel space.

For a full list of fixes and optimizations check out the ChangeLog.md bundled with wolfSSL. Download the latest release from the download page. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


curl up 2025

Join us for curl up 2025: The Ultimate Event for curl Enthusiasts!

Mark your calendars! curl up 2025 is happening in Prague, Czech Republic, on May 3-4, 2025. This official annual developer conference for curl and libcurl brings together experts, contributors, and users from around the world. It’s the premier event for developers, engineers, and tech enthusiasts working with the curl project.

Date: May 3-4, 2025
Location: Pracovna, Vlkova 36, Praha 3 – Žižkov, 130 00, Czech Republic
Registration: Register here
Fee: Free of charge

curl up 2025 is a unique gathering that celebrates the curl community and its future. Expect insightful sessions on the current state and roadmap of the curl project, security best practices, and emerging technologies. Engage in collaborative discussions on the project’s growth, sustainability, and team expansion.

We’d love to hear from you! If there’s a topic you’re passionate about or a session you’d like to attend, let us know. Your input will help shape the agenda for curl up 2025.

Join us in supporting curl, a crucial open-source project. We are currently seeking sponsors for curl up 2025. Your sponsorship will directly contribute to a community dedicated to maintaining curl’s robustness, security, and continued free accessibility.

Mark your calendars for May 3-4, 2025, and stay tuned for registration details.

See you in Prague!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


Command-Line Integration Testing for wolfProvider

With PR #95, wolfProvider now supports command-line integration tests for RSA, RSA-PSS, ECC, AES, and hash functions. This ensures interoperability with the OpenSSL default provider. These tests run important cryptographic operations to ensure that wolfProvider can generate keys, sign and verify messages, encrypt and decrypt data, and compute hashes with full cross-provider compatibility. This feature ensures that wolfProvider has continuous interoperability with OpenSSL in a diverse range of environments.

The test suite includes independent test scripts for RSA, RSA-PSS, ECC, AES, and hash operations, making sure that cryptographic operations are identical across providers. For example, an RSA signature created with OpenSSL’s provider can be successfully verified with wolfProvider and vice versa. Similarly, AES encryption tests make sure that ciphertexts from one provider can be decrypted by the other. With these new automated tests now part of CI workflows, users can rest assured that wolfProvider remains robust and fully interoperable with OpenSSL’s crypto ecosystem.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


wolfSSL Joins the EdgeVerse Techcast: Secure Embedded Development with NXP

We’re excited to announce that wolfSSL is featured in the latest episode of NXP’s EdgeVerse Techcast!

Hosted by Kyle Dando and Bridgette Stone, this episode dives into how wolfSSL delivers lightweight, high-performance security tailored for embedded systems. Join David Garske and Zack Backman from wolfSSL as they walk through everything from TLS/DTLS integration with Zephyr to support for emerging standards like CNSA 2.0 and FIPS 140-3.

You’ll learn how developers can get started in minutes using wolfSSL’s examples on NXP’s Application Code Hub, explore advanced use cases like wolfSSH, wolfMQTT, and upcoming wolfTPM demos, and gain valuable insights into secure development practices for industries ranging from aerospace to finance.

Check out our App Code Hub examples.

Listen now to discover how wolfSSL and NXP are making embedded security faster, leaner, and more future-proof than ever.

Play wolfSSL Episode at:

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
