The wolfSSL team is thrilled to announce a monumental update to wolfPKCS11, now available in the master branch on GitHub. This release transforms wolfPKCS11 into a premier, high-performance PKCS#11 provider by incorporating an incredible 42 new cryptographic mechanisms and 8 new API functions. This focused engineering effort enables wolfPKCS11 to serve as a complete and robust backend for Mozilla’s Network Security Services (NSS).
This achievement makes our vision from the “Firefox Gets FIPS 140-3 Power” post a production-ready reality. Now, any application using NSS—including Firefox, Thunderbird, and Linux server products—can be powered by our FIPS 140-3 validated wolfCrypt engine, bringing federally certified security and our signature performance and efficiency to the entire NSS ecosystem.
The Strategic Advantage: FIPS-Powered NSS
PKCS#11 is the industry-standard API for communicating with cryptographic hardware and software modules. NSS uses a PKCS#11 module to perform all its cryptographic operations. Our update provides the comprehensive support NSS requires, allowing wolfPKCS11 to act as a “drop-in” bridge to our wolfCrypt engine.
This integration provides a simple and efficient pathway to FIPS compliance for organizations in regulated industries. Instead of complex and costly application overhauls, using wolfPKCS11 with a FIPS-validated wolfCrypt backend becomes a straightforward configuration change, saving immense time and resources.
Feature Highlights: A New Level of Capability
The 42 new mechanisms expand wolfPKCS11’s capabilities to cover the full spectrum of modern cryptographic needs. Key additions include:
- Modern Signatures: Support for the modern and provably secure RSA-PSS signature schemes (CKM_SHA256_RSA_PKCS_PSS, etc.), which are more resilient against cryptographic attacks than older standards.
- Advanced Key Derivation: The inclusion of the HMAC-based Key Derivation Function (HKDF) and specific TLS and NSS mechanisms allows applications to offload their entire TLS key schedule to a FIPS-certified boundary.
- Comprehensive Algorithm Support: A full suite of SHA-2 and SHA-3 hashing algorithms, along with advanced AES capabilities like CKM_AES_KEY_WRAP_PAD for secure key management, ensures broad compatibility and robust security.
In addition to new mechanisms, the 8 new API functions provide developers with advanced control for sophisticated applications. Functions like C_GetOperationState and C_SetOperationState allow for saving and restoring the progress of cryptographic operations, which is critical for resilience in embedded systems. Others, like C_VerifyRecover, add support for specialized signature schemes, ensuring comprehensive standards compliance.
Quality, Reliability, and Getting Started
This release is reinforced by significant under-the-hood improvements. A new –enable-nss compile-time option streamlines integration, and our vastly improved CI pipeline now includes extensive regression testing against the NSS suite, static analysis, and dynamic sanitizers to guarantee stability. We’ve also included numerous fixes for TPM users and improved the handling of object attributes for greater security and reliability.
The latest updates transform wolfPKCS11 into a fully-featured, highly reliable, and FIPS-capable PKCS#11 implementation. It is now uniquely positioned to bring the industry-leading performance and certified security of wolfCrypt to the entire ecosystem of applications built on NSS.
Developers are encouraged to explore these powerful new features, which are available now on the master branch of the official wolfPKCS11 GitHub repository. For hands-on examples of how to use wolfPKCS11 with NSS, please see our dedicated examples repository.
For any technical questions, please reach out to us at support@wolfssl.com. For inquiries related to FIPS 140-3 validation, commercial licensing, or questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now