Enhancing Linux Cryptography: Integrating wolfCrypt FIPS 140-3 via NSS and PKCS#11

In the rapidly changing landscape of cybersecurity, ensuring compliance with rigorous standards like FIPS 140-3 is essential for organizations in sensitive sectors such as government, finance, and healthcare. By integrating FIPS-certified cryptography into Mozilla’s Network Security Services (NSS) library through the PKCS#11 standard—an API for cryptographic operations—we are contributing to a broader goal of achieving FIPS 140-3 compliance across an entire Linux distribution.

Firefox employs the NSS library for its cryptographic functions. The NSS library utilizes the PKCS#11 standard—a widely adopted application programming interface (API) that enables secure cryptographic operations—to interact with its default cryptographic library, freebl.

The Role of FIPS Certification

FIPS certification ensures that cryptographic implementations meet rigorous security standards set by the National Institute of Standards and Technology (NIST). Achieving FIPS compliance is vital for organizations requiring high-security assurance, as it validates the integrity and reliability of cryptographic operations. wolfCrypt has attained FIPS 140-3 certification, making it a robust choice for environments where security cannot be compromised.

Integrating wolfCrypt into NSS

To integrate wolfCrypt into NSS, we substitute the default softokn-freebl library with wolfPKCS11. This enables NSS to utilize wolfCrypt’s FIPS-certified algorithms through the PKCS#11 interface, allowing applications to leverage secure cryptographic functions seamlessly and efficiently. By utilizing the PKCS#11 interface, we are able to provide a binary drop-in replacement without modifying anything outside of configuration files. You can follow our progress over at the nss feature branch in the wolfPKCS11 repository at github.

Benefits Beyond Firefox

This initiative is part of a larger effort to provide FIPS-certified cryptography across entire Linux distributions. Similar projects include integrating wolfCrypt with libraries such as libgcrypt and GnuTLS. These efforts aim to create a uniform cryptographic layer, reducing complexity and potential vulnerabilities associated with managing multiple cryptographic libraries.

For more information or to explore how your organization can benefit from integrating wolfCrypt FIPS, contact our team at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Ready for the Future? wolfHSM is Coming to Infineon TC4xx

Are you building an automotive HSM application and wondering how to future-proof it against quantum threats?

Or do you just want an open source HSM solution that offers maximum flexibility and performance that you can seamlessly tailor to your exact use case, with no vendor lock-in?

wolfHSM on Infineon’s AURIX™ TC4xx platform is designed to help you stay ahead. Whether you’re targeting FIPS 140-3, CNSA 2.0, or simply want a flexible, modern, post-quantum HSM foundation, this is the platform you’ve been waiting for.

The Future is Quantum-Resistant

With the rise of quantum computing, traditional cryptographic primitives are no longer enough. Regulatory bodies and standards like CNSA 2.0 and FIPS 140-3 are driving the move toward post-quantum algorithms.

wolfHSM is engineered with this in mind—modular, lightweight, and designed to integrate emerging post-quantum crypto alongside traditional algorithms. And with hardware-backed isolation and acceleration on the AURIX TC4xx, you get security without sacrificing performance.

Why wolfHSM on TC4xx?

  • Designed for Automotive HSM use cases: secure boot, key storage, secure diagnostics, and OTA.
  • Perfect fit for Industrial HSM environments: factory provisioning, secure communications, and machine authentication.
  • Built for compliance: roadmap includes FIPS 140-3 HSM capabilities and support for CNSA 2.0 suites. AUTOSAR integration and ASIL certification packages available.

Want In?

We’re actively developing wolfHSM support for TC4xx with an eye toward FIPS 140-3 and CNSA 2.0 compliance, including post-quantum algorithms. If you’re designing a post-quantum HSM or need a hardened for your next platform, we want to hear from you.

Are you interested in early access or collaboration?
Reach out to us at facts@wolfssl.com and we can help future-proof your security.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfSSL arrives to NXP’s Application Code Hub

The NXP Application Code Hub, in collaboration with wolfSSL, now provides developers with a practical foundation for building secure IoT applications using NXP’s MCUXpresso VS Code extension.

This ecosystem combines NXP’s powerful microcontrollers with wolfSSL’s security libraries, all running on the Zephyr RTOS.

Available Initial Examples:

These examples are initially designed specifically for NXP’s FRDM-MCXN947 development board, but because they are using Zephyr they can easily be adapted to any board or chip supported by Zephyr and NXP!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

GnuTLS Gets a wolfCrypt Boost

We’re excited to announce our ongoing work integrating wolfCrypt with GnuTLS! Unlike traditional approaches that require extensive application rewrites, our solution operates entirely behind the scenes. By patching GnuTLS at the library level, we’re creating a seamless path for applications to leverage wolfCrypt’s powerful cryptographic capabilities without changing a single line of their application code. Our development strategy focuses on progressive implementation, tackling core cryptographic operations first and methodically expanding to cover the complete security spectrum. This approach means organizations can benefit from enhanced security immediately, with more capabilities rolling out steadily. For teams working in regulated environments requiring FIPS certification, this integration offers a remarkable advantage and immediate access to wolfCrypt’s FIPS 140-3 certified algorithms without the typical development and certification marathon.

What makes this integration particularly significant is GnuTLS’s central role in secure communications infrastructure. Our approach aims to transform what would typically be a massive certification challenge into a straightforward library update, allowing organizations to achieve FIPS compliance without disrupting their existing architecture. For Linux distribution maintainers, this integration will eliminate the traditional compromise between security and compatibility when deploying certified cryptography. Certificate validation and protocol handling will continue through the familiar GnuTLS interface while benefiting from wolfCrypt’s certified implementation underneath. Our goal is to help reduce the time needed for certification processes, enabling organizations to more efficiently deploy secure communications in regulated environments without compromising on compatibility or performance.

Take a more in depth look here: https://github.com/wolfssl/gnutls-wolfssl

For more details or questions about this effort, please reach out to facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Live Webinar: wolfSSL solutions for the AMD/Xilinx UltraScale+ MPSoC and Versal

Learn how to secure AMD/Xilinx UltraScale+ MPSoC Versal with wolfSSL’s high-performance cryptographic solutions.

As cybersecurity threats evolve, embedded systems require robust, high-performance cryptography. wolfSSL provides lightweight, high-speed, and FIPS 140-3 validated cryptography tailored for resource-constrained environments like AMD/Xilinx UltraScale+ MPSoC and Versal. With support for secure boot, firmware updates, and TLS 1.3, wolfSSL ensures end-to-end security while meeting key compliance standards such as DO-178 and CNSA 2.0.

Join wolfSSL Senior Software Engineer David Garske for a deep dive into best practices for securing AMD/Xilinx-based embedded systems. Learn how to implement secure boot, firmware updates, and TLS 1.3 while ensuring compliance and optimizing performance.

Register today: wolfSSL solutions for the AMD/Xilinx UltraScale+ MPSoC and Versal
Date: April 16th | 9 AM PT

What You’ll Learn:

  • wolfSSL solutions for AMD/Xilinx UltraScale+ MPSoC and Versal
  • Best practices for embedded security
  • Post-Quantum Cryptography (PQC), CNSA 2.0, and Cyber Resilience Act (CRA) updates
  • FIPS 140-3 and DO-178 compliance essentials
  • Secure boot implementation and cryptographic performance

Register now to secure your AMD/Xilinx UltraScale+ systems with wolfSSL!

As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

curl up 2025 – Save The Date

Join us for curl up 2025: The Ultimate Event for curl Enthusiasts!

Mark your calendars! curl up 2025 is happening in Prague, Czech Republic, on May 3-4, 2025. This official annual developer conference for curl and libcurl brings together experts, contributors, and users from around the world. It’s the premier event for developers, engineers, and tech enthusiasts working with the curl project.

Date: May 3-4, 2025
Location: Pracovna, Vlkova 36, Praha 3 – Žižkov, 130 00, Czech Republic
Registration: Register here
Fee: Free of charge

curl up 2025 is a unique gathering that celebrates the curl community and its future. Expect insightful sessions on the current state and roadmap of the curl project, security best practices, and emerging technologies. Engage in collaborative discussions on the project’s growth, sustainability, and team expansion.

We’d love to hear from you! If there’s a topic you’re passionate about or a session you’d like to attend, let us know. Your input will help shape the agenda for curl up 2025.

Join us in supporting curl, a crucial open-source project. We are currently seeking sponsors for curl up 2025. Your sponsorship will directly contribute to a community dedicated to maintaining curl’s robustness, security, and continued free accessibility.

Mark your calendars for May 3-4, 2025, and stay tuned for registration details.

See you in Prague!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfCrypt Python: PQC Algorithm Support

wolfCrypt Python, a Python wrapper for wolfSSL’s cryptographic library wolfCrypt, now has supported Python APIs that can utilize the PQC algorithms ML-KEM and ML-DSA.

The ML-KEM (Module Lattice-based Key Encapsulation Mechanism) APIs provide quantum-resistant key exchange with three parameter sets (512/768/1024). The implementation includes key generation, encapsulation, decapsulation, and key import/export functionality.

The ML-DSA (Module Lattice-based Digital Signature Algorithm) APIs provide quantum-resistant digital signatures with three parameter sets (44/65/87). Features include key generation, signing, and verification.

Using the Python API, you can try out the PQC algorithm quickly with little effort. The following links show information to start the PQC trials with wolfCrypt Python.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSH Support With TPM Public Key Authentication

wolfSSH now supports TPM public key authentication with RSA. This feature enhances security for embedded and IoT applications by leveraging TPM 2.0 functionality for client side authentication. Below is a summary of the key changes that were made in PR# 754.

TPM Public Key Authentication with RSA
PR# 754 provides TPM-based RSA authentication for client-side public key operations to facilitate integration into non-TPM RSA workflows.

Benefits of Using TPM for Public Key Authentication

  1. Hardware-Backed Security
    When using public key authentication, a TPM device provides the ability to safely secure and manage private keys and cryptographic algorithms inside the TPM. Since the private key is loaded securely inside the TPM and used only from within the TPM this allows for higher security. In this case the TPM device generates and supplies a secure keyblob that holds the private and public key data. wolfSSH reads and verifies this data and formats the key in a way that can be utilized in the SSH functionality.
  2. Specialized Performance
    While maintaining the lightweight, high-performance aspects of wolfSSH and implementing TPM-based features, wolfSSL has combined the security benefits of hardware-backed key storage and SSH functionality, ensuring robust authentication without compromising efficiency or security.

Testing
To test the SSH TPM-based public key authentication, we developed a comprehensive github CI workflow that tests with and without custom keyauth. The general steps we followed where:

  1. TPM Simulator:
    Ran the TPM 2.0 server from a TPM simulator.
  2. Key Generation:
    Generated a keyblob with wolfTPM’s keygen tool, converting the public key to the SSH format using ssh-keygen.
  3. Server & Client Setup:
    Start the server and supply the base-64 encoded public key:
    `./examples/echoserver/echoserver -s key.ssh`
    Run the client with the TPM 2.0 keyblob and user supplied password:
    `./examples/client/client -i ../wolfTPM/keyblob.bin -u hansel -K ThisIsMyKeyAuth`
  4. Testing Command with Debugging:
    Used `--enable-debug` to enable debug output and verified functionality through command line debug logs.

The CI test tpm-ssh.yml validates proper operation of TPM-based public key authentication by validating outputs and testing with a custom and default keyauth. This process ensures that wolfSSH functions correctly and securely with TPM-based keys.

Conclusion
With TPM public key authentication, wolfSSH combines the best of both worlds: secure private key handling and robust SSH functionality. These changes enhance security without compromising performance, making it an ideal choice for users seeking both ease of use and advanced cryptographic protection.

For more details and steps to get started you can refer to the TPM section in the wolfSSH README. For more information or questions, contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

curl Distro Discussion 2025

Join the second annual curl Distro Discussion on April 10th at 3 PM UTC (5 PM CEST). This online event brings together Linux and BSD distributions, OS maintainers, and the curl community for an in-depth two-hour conference. The event is free and open to anyone interested in improving curl’s integration within operating systems and package distributions.

Join us: curl Distro Discussion 2025
Date: April 10th | 3 PM UTC (5 PM CEST)

This is a unique opportunity for curl developers, maintainers, and distributors to discuss important aspects of curl deployment across various operating systems. Our goal is to make curl more efficient and secure within distributions.

Key discussion topics include:

  • Enhancing curl’s build system, third-party library, and documentation for distributors
  • Strategies to streamline security advisories and patch management
  • Discussion on HTTP/3, long-term support, and TLS advancements
  • Exploring Post-Quantum Cryptography in curl
  • The future of wcurl and trurl
    And more…

Feel free to add your own proposed discussion topics and sign up as an intended participant. Mark your calendar for April 10th at 3 PM UTC (5 PM CEST) and be part of shaping curl’s future in distributions and secure networking.

Check out the details of curl Distro Discussion 2025, and share this invitation with others in the open-source and security communities to help spread the word and ensure the right people are invited.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Live Webinar: Everything You Need to Know about DTLS 1.3

Learn How DTLS 1.3 Enhances Security and Performance in UDP-Based Applications.

Register Now: Everything You Need to Know about DTLS 1.3
Date: April 9th | 10 AM PT

As a leader in DTLS 1.3 implementation, wolfSSL continues to advance secure communication with optimized performance and robust security features. Our latest updates make it easier than ever to integrate DTLS 1.3 into your projects.

Join us on April 9th at 10 AM PT, as wolfSSL Software Developer Marco Oliverio dives into the latest features and practical applications of DTLS 1.3. Discover the key improvements over DTLS 1.2, how wolfSSL is revolutionizing secure communication, and what these changes mean for your project’s security and performance.

What You’ll Learn:

  • Why Upgrade: Stronger security & better performance with DTLS 1.3
  • Key Differences: DTLS 1.3 vs. DTLS 1.2
  • wolfSSL in Action: Best Practices & real-world use cases
  • Hands-On Demos: Integrating DTLS 1.3 into UDP applications
  • DTLS 1.3 at wolfSSL: Explore the new features of DTLS 1.3 and get a preview of our roadmap for future developments

Register Now!

As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2 3 4 5 198 199 200