wolfPKCS11 v2.0.0 is Here!

We are thrilled to announce the release of wolfPKCS11 v2.0.0, a landmark update that solidifies its position as a top-tier, high-performance PKCS#11 provider. This release is the culmination of the work detailed in our previous blog posts, “Firefox Gets FIPS 140-3 Power” and “wolfPKCS11 Supercharged,” and it brings a new era of security, performance, and flexibility to the PKCS#11 ecosystem.

What’s New in v2.0.0?

This release is brimming with features that establish wolfPKCS11 as a comprehensive and robust backend for Mozilla’s Network Security Services (NSS). This enables any application that relies on NSS to be powered by our FIPS 140-3 validated wolfCrypt engine.
Here are some of the key highlights:

  • Full NSS Backend Support: With the addition of 50 new cryptographic mechanisms and a dozen new API functions, wolfPKCS11 now provides extensive support for NSS. This allows for a seamless “drop-in” replacement for the default NSS cryptographic module, offering a straightforward path to FIPS compliance for applications like Firefox, Thunderbird, and various Linux server products.
  • Modern and Secure Cryptography: We’ve integrated support for RSA-PSS, the probabilistic signature padding from PKCS #1 v2.1 (RFC 8017) that comes with a formal security proof and that RFC 8017 requires for new applications in preference to the older PKCS #1 v1.5 signature padding.
  • Advanced Cryptographic Operations: This release introduces a suite of new functions for advanced operations. These include comprehensive C_Digest functions for hashing; the dual-function operations C_SignEncryptUpdate (sign and encrypt the same data in one pass) and C_DecryptVerifyUpdate (decrypt and verify it on the receiving side); and C_SignRecoverInit and C_VerifyRecover for signature schemes with message recovery, where the verifier extracts the signed data from the signature itself instead of receiving it separately.
  • Comprehensive Algorithm Support: This release includes a full suite of SHA-2 and SHA-3 hashing algorithms, alongside advanced AES capabilities such as CKM_AES_KEY_WRAP_PAD (AES key wrap with padding, RFC 5649), which wraps keys of any length, not only multiples of 8 bytes, for secure key management.
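Registering a PKCS#11 module with an NSS database and checking what the module advertises, as an added example (this is not code from the post above or from the wolfPKCS11 project): it assumes NSS’s modutil and OpenSC’s pkcs11-tool are on PATH, that the module is passed in via the WOLFPKCS11_LIB and NSS_DBDIR environment variables (both names chosen here), that the database is in the sql: (cert9.db) format, that the nickname “wolfPKCS11” is free, and that pkcs11-tool prints mechanism names containing the substrings PSS, SHA3 and KEY-WRAP for the mechanisms named above.

```shell
#!/bin/sh
# Added example, not wolfPKCS11 project code. Register a PKCS#11 module with an
# NSS database, confirm NSS lists it, then ask the module directly which
# mechanisms it advertises. Paths, nickname and env var names are assumptions.
set -eu

# Register MODULE (a PKCS#11 .so) under NICKNAME in the NSS DB at DBDIR.
# modutil warns and prompts if the database may be in use (e.g. Firefox is
# running); -force skips the prompt so the script can run non-interactively.
# Close the owning application first to avoid corrupting the database.
register_pkcs11_module() {
    dbdir=$1; module=$2; nickname=$3
    modutil -dbdir "sql:$dbdir" -add "$nickname" -libfile "$module" -force
}

# Return 0 if NICKNAME appears in modutil's module list for DBDIR.
nss_module_registered() {
    dbdir=$1; nickname=$2
    modutil -dbdir "sql:$dbdir" -list 2>/dev/null | grep -q "$nickname"
}

# Return 0 if the module, loaded directly by OpenSC's pkcs11-tool, advertises
# a mechanism whose name matches PATTERN (case-insensitive), e.g. PSS, SHA3
# or KEY-WRAP. The name substrings are an assumption about pkcs11-tool output.
module_has_mechanism() {
    module=$1; pattern=$2
    pkcs11-tool --module "$module" --list-mechanisms 2>/dev/null | grep -qi -- "$pattern"
}

# Only act when the caller points at a real module and database; the
# functions above can be sourced without side effects.
if [ -n "${WOLFPKCS11_LIB:-}" ] && [ -n "${NSS_DBDIR:-}" ]; then
    register_pkcs11_module "$NSS_DBDIR" "$WOLFPKCS11_LIB" wolfPKCS11
    nss_module_registered "$NSS_DBDIR" wolfPKCS11 && echo "NSS sees wolfPKCS11"
    for m in PSS SHA3 KEY-WRAP; do
        if module_has_mechanism "$WOLFPKCS11_LIB" "$m"; then
            echo "mechanism family $m: present"
        else
            echo "mechanism family $m: not advertised"
        fi
    done
fi
```

Run it as `WOLFPKCS11_LIB=/usr/local/lib/libwolfpkcs11.so NSS_DBDIR=$HOME/.mozilla/firefox/<profile> sh register.sh` with Firefox closed; the mechanism check talks to the module without NSS in the loop, so a missing mechanism there points at the build rather than at the NSS registration.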

Enhanced Debugging for a Smoother Development Experience

We understand that a smooth development process is crucial. That’s why we’ve introduced new debugging features in this release. You can now enable debug logging for the API, giving you more visibility into the inner workings of the token and helping you troubleshoot issues more effectively.

Our Commitment to Quality and Reliability

This release is not just about adding new features; it’s also a testament to our unwavering commitment to quality and reliability.

You might be wondering about upgrading. Don’t worry! These new features maintain full backward compatibility. The PKCS#11 standard provides a stable API, and this release focuses on “filling in the gaps” by implementing more of the standard’s functions. To ensure a seamless transition for existing users, we also perform rigorous upgrade testing on the token storage, so you can update with confidence.

We’ve introduced a new --enable-nss compile-time option to streamline NSS integration, and we have significantly improved our CI pipeline with extensive regression testing against the NSS test suite, static analysis, and dynamic sanitizers to catch regressions before release.
We have also included numerous fixes for TPM users and improved the handling of object attributes for greater security and reliability. These updates transform wolfPKCS11 into a fully-featured, highly reliable, and FIPS-capable PKCS#11 implementation.

Get Started Today!
The latest version of wolfPKCS11 is available now on the wolfSSL download page. We invite you to explore these powerful new features and discover how they can bring the industry-leading performance and certified security of wolfCrypt to the entire ecosystem of applications built on NSS.
For any technical questions, please reach out to us at support@wolfssl.com. For inquiries related to FIPS 140-3 validation, commercial licensing, or any other questions, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now