Highlights:

• Chimera (dual-algorithm) certificates. wolfCLU can now generate Chimera certificates carrying both a conventional and a post-quantum signature on a single X.509 cert, so one certificate satisfies both classical and PQC-aware verifiers. (PR 182, @Yu-Ma28051503)

• OCSP client and responder. New OCSP client and responder, both with HTTP and SCGI transports. SCGI lets the responder be fronted by nginx in production. (PR 200, @julek-wolfssl)

• Cross-platform Python tests. The shell-based test suite was ported to Python (unittest), so it now runs on Windows in addition to Linux and macOS. (PR 215, @julek-wolfssl)

• Explicit key files for enc. The enc command now accepts an explicit key file instead of deriving the key from a password. (PR 224, @embhorn)

Security Hardening:
A large set of fixes from static analysis using wolfSSL internal Fenrir project: out-of-bounds writes in argv processing, a stack buffer overflow in encryption setup, a shell command injection, a use-after-free, a potential double-free, a heap buffer over-read, plus numerous null-pointer and sanity-check fixes across command and init paths. (PRs 202–223; @miyazakh, @aidangarske, @JacobBarthelmeh, @yosuke-wolfssl, and others)

Other Changes:
ML-DSA sign/verify now passes a context for OpenSSL interop (PR 195), the post-quantum groups list was updated to match the latest wolfSSL (PR 209), and there were assorted fixes to the enc, pkey, req, and ECC sign/verify paths along with expanded test coverage and README updates. See the full commit log for details.

Download wolfCLU now and contact facts@wolfssl.com for any questions.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now