Skip to content

PQC Support preparation#157

Merged
dgarske merged 7 commits intowolfSSL:masterfrom
Frauschi:pkcs11_pqc_prep
Feb 12, 2026
Merged

PQC Support preparation#157
dgarske merged 7 commits intowolfSSL:masterfrom
Frauschi:pkcs11_pqc_prep

Conversation

@Frauschi
Copy link
Contributor

@Frauschi Frauschi commented Jan 29, 2026

This PR adds initial work to ultimately support PQC via PKCS#11. For that to work, the PKCS#11 interface has to be upgraded to Version 3.2.

Actually in this PR:

  • Support for PKCS#11 versions 3.0 and 3.2 (adding new functions and, most importantly, adding support for the new C_GetInterface functionality to load the library.
  • Various other PKCS#11 bug fixes and minor feature improvements.

All the new functions from version 3.0 and 3.2 are not filled with logic currently and return CKR_FUNCTION_NOT_SUPPORTED. Adding actual support for all the new C_EncryptMessage() etc. functions similarly to the existing C_Encrypt() etc. would be pretty thorough work, which is not the focus of the current endeavor.

Once this work is merged, follow up PRs add the actual functionality for the PQC algorithms (initially ML-KEM and ML-DSA, LMS and XMSS later).

@Frauschi Frauschi force-pushed the pkcs11_pqc_prep branch 4 times, most recently from 588625d to 86ab969 Compare January 30, 2026 10:26
@Frauschi Frauschi marked this pull request as ready for review January 30, 2026 13:51
@Frauschi Frauschi requested a review from dgarske January 30, 2026 13:52
dgarske
dgarske requested changes Feb 5, 2026
View reviewed changes
Copy link
Collaborator

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this expected to fail with v3.2 enabled?

./tests/pkcs11test
...
31: test_recover ... 
tests/pkcs11test.c:5358 - Verify Recover not initialized RETURNED 70 - FAIL
32: test_verify_recover_pkcs ... 
tests/pkcs11test.c:5446 - Verify recover: 70 - FAIL
33: test_verify_recover_x509 ... 
tests/pkcs11test.c:5434 - Sign: 70 - FAIL

@Frauschi Frauschi force-pushed the pkcs11_pqc_prep branch 2 times, most recently from c0c5c44 to dbe724f Compare February 6, 2026 16:53
@Frauschi
Copy link
Contributor Author

Frauschi commented Feb 6, 2026

I fixed the failing tests and added comments for the different versions. But the problem with the definitions for major and minor versions is still todo, as I haven't found a good solution yet to keep this file self-contained (without any includes) while also changing these values depending on the build.

@dgarske
Copy link
Collaborator

dgarske commented Feb 6, 2026

@Frauschi please resolve conflict. This looks good now.

dgarske
dgarske previously approved these changes Feb 6, 2026
View reviewed changes
@Frauschi
Copy link
Contributor Author

Frauschi commented Feb 9, 2026

@Frauschi please resolve conflict. This looks good now.

Done. Should be ready now

@Frauschi Frauschi removed their assignment Feb 9, 2026
@Frauschi Frauschi requested a review from dgarske February 9, 2026 10:05
@dgarske dgarske merged commit 9f8a3a1 into wolfSSL:master Feb 12, 2026
69 checks passed
@Frauschi Frauschi deleted the pkcs11_pqc_prep branch February 12, 2026 13:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgarske dgarske dgarske approved these changes

@SparkiDev SparkiDev SparkiDev approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Frauschi @dgarske @SparkiDev @wolfSSL-Bot