wolfSSL
diff --git a/‎.github/workflows/debian-package.yml‎
Lines changed: 23 additions & 6 deletions b/‎.github/workflows/debian-package.yml‎
Lines changed: 23 additions & 6 deletions
diff --git a/‎debian/install-wolfprov.sh‎
Lines changed: 1 addition & 1 deletion b/‎debian/install-wolfprov.sh‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎debian/libwolfprov.postinst‎
Lines changed: 97 additions & 28 deletions b/‎debian/libwolfprov.postinst‎
Lines changed: 97 additions & 28 deletions
diff --git a/‎src/wp_rsa_kmgmt.c‎
Lines changed: 113 additions & 6 deletions b/‎src/wp_rsa_kmgmt.c‎
Lines changed: 113 additions & 6 deletions
@@ -62,19 +62,36 @@ jobs:
           name: debian-packages-${{ matrix.fips_ref }}${{ matrix.replace_default && '-replace-default' || '' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}
           path: /tmp
 
-      - name: Install wolfSSL/OpenSSL/wolfprov packages
+      - name: Install OpenSSL packages
         run: |
-          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
-            ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
+          if [ "${{ matrix.replace_default }}" = "true" ]; then
+            # Install OpenSSL packages for replace-default mode
+            apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
+              ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
+                ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
+                ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
+          else 
+            # Install standard OpenSSL packages
+            apt-get update
+            apt-get install -y \
+              openssl libssl3 libssl-dev
+          fi
 
+      - name: Install wolfSSL and wolfProvider packages
+        run: |
           apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
-            ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
-            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
-            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
+            ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
 
           apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
             ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # In standalone mode, use OPENSSL_CONF to enable wolfProvider.
+          if [ "${{ matrix.replace_default }}" = "false" ]; then
+            echo "Setting OPENSSL_CONF to /etc/ssl/openssl.cnf.d/wolfprovider.conf"
+            # export OPENSSL_CONF=/etc/ssl/openssl.cnf.d/wolfprovider.conf
+            echo "OPENSSL_CONF=/etc/ssl/openssl.cnf.d/wolfprovider.conf" >> "$GITHUB_ENV"
+          fi
+
       - name: Verify wolfProvider is properly installed
         run: |
           $GITHUB_WORKSPACE/scripts/verify-install.sh \
 
@@ -189,7 +189,7 @@ main() {
     fi
 
     if [ -n "$output_dir" ]; then
-        output_dir=$(realpath $output_dir)
+        output_dir=$(realpath "$output_dir")
     fi
 
     work_dir=$(mktemp -d)
 
@@ -1,12 +1,6 @@
 #!/bin/sh
 set -e
 
-# Define the include line to add to the openssl.cnf file
-INCLUDE_LINE=".include /etc/ssl/openssl.cnf.d/wolfprovider.conf"
-
-# Search for the openssl.cnf file in /usr, /lib and /etc
-CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null)
-
 # Check if we are in replace-default mode by reading the openssl version
 REPLACE_DEFAULT=0
 if command -v openssl >/dev/null 2>&1; then
@@ -16,29 +10,104 @@ if command -v openssl >/dev/null 2>&1; then
     fi  
 fi
 
-if [ $REPLACE_DEFAULT -eq 1 ]; then
-    # Remove INCLUDE_LINE from each CONF_FILE
-    # Replace default mode should automatically find wolfProvider.
-    # Using the config file or OPENSSL_CONF will cause:
-    #   1. the provider name to be 'libwolfprov' instead of 'default'
-    #   2. the provider init call to happen twice
-    # Neither of these is harmful, but it's not ideal.
-    for CONF_FILE in $CONF_FILES; do
-        # Remove any line containing both ".include" and "wolfprovider.conf"
-        sed -i '/\.include/ { /wolfprovider\.conf/ d; }' "$CONF_FILE"
-        printf "Removed wolfprovider include line(s) from %s\n" "$CONF_FILE"
-    done
-else
-    # For each CONF_FILE, apply the include line to the openssl.cnf file, if not already applied
-    for CONF_FILE in $CONF_FILES; do
-        if grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then
-            echo "Include line already exists in $CONF_FILE"
-        else 
-            echo "Adding include for wolfprovider to $CONF_FILE..."
-            echo "$INCLUDE_LINE" >> "$CONF_FILE"
-        fi
-    done
+if [ "$1" = "configure" ]; then
+    if [ $REPLACE_DEFAULT -eq 1 ]; then
+        cat <<'EOF'
+============================================================
+                 wolfProvider Installation Notes
+============================================================
+
+wolfProvider is installed in replace-default mode with a 
+patched version of OpenSSL that uses wolfProvider as the 
+crypto backend. wolfProvider will appear as the 'default' 
+provider.
+
+No other conf file modifications or environment variables 
+are required.
+
+To verify installation, run:
+  openssl version
+  openssl list -providers
+
+wolfProvider configuration file installed at:
+  /etc/ssl/openssl.cnf.d/wolfprovider.conf
+
+============================================================
+EOF
+    else
+        cat <<'EOF'
+============================================================
+                 wolfProvider Installation Notes
+============================================================
+
+To use wolfProvider with OpenSSL, choose ONE of the options
+below depending on your use case.
+
+  1) System-wide enable:
+
+     Add the following line to your /etc/ssl/openssl.cnf:
+
+         .include /etc/ssl/openssl.cnf.d/wolfprovider.conf
+
+     This makes wolfProvider available to applications that 
+     execute with the standard system OpenSSL configuration. 
+     Note that many applications, such as anything executing 
+     from systemd, will ignore the global configuration 
+     entirely and will not use wolfProvider.
+
+
+  2) Per-command enable (no system-wide changes)
+
+     Set OPENSSL_CONF environment variable when running applications:
+
+         OPENSSL_CONF=/etc/ssl/openssl.cnf.d/wolfprovider.conf <your-application>
+
+     Most applications with standard environment variable handling will
+     be able to use this method, not just the openssl binary. For example:
+
+         OPENSSL_CONF=/etc/ssl/openssl.cnf.d/wolfprovider.conf openssl <command>
+
+     This enables use of wolfProvider whenever the environment variable 
+     is set for the current shell.
+
+
+  3) Application-level integration (for developers)
+
+     In your application, you can create a dedicated OpenSSL
+     library context and explicitly load wolfProvider, e.g.:
+
+         OSSL_LIB_CTX *wpLibCtx = OSSL_LIB_CTX_new();
+         OSSL_PROVIDER *wpProv = OSSL_PROVIDER_load(wpLibCtx, "wolfprovider");
+         /* Use wpLibCtx with EVP, etc. */
+         EVP_function(wpLibCtx, ...);
+         OSSL_PROVIDER_unload(wpProv);
+         OSSL_LIB_CTX_free(wpLibCtx);
+
+     This keeps wolfProvider usage scoped to specific code paths
+     without requiring any system-wide configuration changes.
+
+To verify installation and configuration, run:
+  openssl version
+  openssl list -providers
+
+wolfProvider configuration file installed at:
+  /etc/ssl/openssl.cnf.d/wolfprovider.conf
+
+============================================================
+EOF
+    fi
 fi
 
+# Search for the openssl.cnf file in /usr, /lib and /etc
+CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null)
+
+# Warn user on install or removal if our config file is already included.
+for CONF_FILE in $CONF_FILES; do
+    if grep '.include' "$CONF_FILE" | grep -q "wolfprovider.conf"; then
+        echo "WARNING: wolfprovider.conf is already included in $CONF_FILE"
+    fi
+done
+
+
 #DEBHELPER#
 exit 0
@@ -909,6 +909,72 @@ static int wp_rsa_get_params_key_data(wp_Rsa* rsa,  OSSL_PARAM params[])
     return ok;
 }
 
+/**
+ * Convert a wolfCrypt hashType to the equivalent OpenSSL digest name.
+ *
+ * @param [in]  hashType    WolfProvider digest id.
+ * @param [out] osslDigest  Corresponding OpenSSL digest name.
+ * @return  1 on success.
+ * @return  0 on failure.
+ */
+static int wp_digest_to_ossl_digest(enum wc_HashType hashType,
+        const char** osslDigest)
+{
+    int ok = 1;
+
+    switch (hashType) {
+    case WC_HASH_TYPE_MD5:
+        *osslDigest = OSSL_DIGEST_NAME_MD5;
+        break;
+
+    case WC_HASH_TYPE_SHA:
+        *osslDigest = OSSL_DIGEST_NAME_SHA1;
+        break;
+
+    case WC_HASH_TYPE_SHA256:
+        *osslDigest = OSSL_DIGEST_NAME_SHA2_256;
+        break;
+
+    case WC_HASH_TYPE_SHA384:
+        *osslDigest = OSSL_DIGEST_NAME_SHA2_384;
+        break;
+
+    case WC_HASH_TYPE_SHA512:
+        *osslDigest = OSSL_DIGEST_NAME_SHA2_512;
+        break;
+
+    case WC_HASH_TYPE_NONE:
+    case WC_HASH_TYPE_MD2:
+    case WC_HASH_TYPE_MD4:
+    case WC_HASH_TYPE_SHA224:
+    case WC_HASH_TYPE_MD5_SHA:
+    case WC_HASH_TYPE_SHA3_224:
+    case WC_HASH_TYPE_SHA3_256:
+    case WC_HASH_TYPE_SHA3_384:
+    case WC_HASH_TYPE_SHA3_512:
+    case WC_HASH_TYPE_BLAKE2B:
+    case WC_HASH_TYPE_BLAKE2S:
+#ifndef WOLFSSL_NOSHA512_224
+    case WC_HASH_TYPE_SHA512_224:
+#endif
+#ifndef WOLFSSL_NOSHA512_256
+    case WC_HASH_TYPE_SHA512_256:
+#endif
+#ifdef WOLFSSL_SHAKE128
+    case WC_HASH_TYPE_SHAKE128:
+#endif
+#ifdef WOLFSSL_SHAKE256
+    case WC_HASH_TYPE_SHAKE256:
+#endif
+#ifdef WOLFSSL_SM3
+    case WC_HASH_TYPE_SM3:
+#endif
+        ok = 0;
+    }
+
+    return ok;
+}
+
 /**
  * Get the PSS parameters into the parameters array.
  *
@@ -921,19 +987,22 @@ static int wp_rsa_get_params_pss(wp_RsaPssParams* pss,  OSSL_PARAM params[])
 {
     int ok = 1;
     OSSL_PARAM* p;
+    const char* osslDigest = NULL;
 
     WOLFPROV_ENTER(WP_LOG_COMP_RSA, "wp_rsa_get_params_pss");
 
     if (pss->hashType != WP_RSA_PSS_DIGEST_DEF) {
         p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_RSA_DIGEST);
-        if ((p != NULL) && !OSSL_PARAM_set_utf8_string(p, pss->mdName)) {
+        if ((p != NULL) && wp_digest_to_ossl_digest(pss->hashType, &osslDigest)
+                && !OSSL_PARAM_set_utf8_string(p, osslDigest)) {
             ok = 0;
         }
     }
     /* MGF is default so don't set. */
     if (ok && (pss->mgf != WP_RSA_PSS_MGF_DEF)) {
         p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_RSA_MGF1_DIGEST);
-        if ((p != NULL) && !OSSL_PARAM_set_utf8_string(p, pss->mgfMdName)) {
+        if ((p != NULL) && wp_digest_to_ossl_digest(pss->hashType, &osslDigest)
+                && !OSSL_PARAM_set_utf8_string(p, osslDigest)) {
             ok = 0;
         }
     }
@@ -1144,7 +1213,7 @@ static int wp_rsa_import_key_data(wp_Rsa* rsa, const OSSL_PARAM params[],
 
     /* N and E params are the only ones required by OSSL, so match that.
      * See ossl_rsa_fromdata() and RSA_set0_key() in OpenSSL. */
-    if (OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N) == NULL || 
+    if (OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N) == NULL ||
         OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E) == NULL) {
         WOLFPROV_MSG(WP_LOG_COMP_RSA, "Param N or E is missing");
         ok = 0;
@@ -1160,7 +1229,7 @@ static int wp_rsa_import_key_data(wp_Rsa* rsa, const OSSL_PARAM params[],
             index = -1;
             for (j = 0; j < (int)ARRAY_SIZE(wp_rsa_param_key); j++) {
                 if (XSTRNCMP(p->key, wp_rsa_param_key[j], XSTRLEN(p->key)) == 0) {
-                    index = j; 
+                    index = j;
                     break;
                 }
             }
@@ -2374,7 +2443,7 @@ static int wp_rsa_decode_enc_pki(wp_Rsa* rsa, unsigned char* data, word32 len,
     size_t passwordSz = sizeof(password);
 
     WOLFPROV_ENTER_SILENT(WP_LOG_COMP_RSA, WOLFPROV_FUNC_NAME);
-    
+
     if (!wolfssl_prov_is_running()) {
         ok = 0;
     }
@@ -2567,7 +2636,7 @@ int wp_rsa_pss_encode_alg_id(const wp_Rsa* rsa, const char* mdName,
     WOLFPROV_ENTER(WP_LOG_COMP_RSA, "wp_rsa_pss_encode_alg_id");
 
     if (pssAlgId == NULL) {
-        /* Length opf header without optional parts. */
+        /* Length of header without optional parts. */
         i = 2 + sizeof(rsa_pss_oid) + 2;
     }
     else {
@@ -2928,6 +2997,14 @@ static int wp_rsa_encode_pki_size(const wp_Rsa* rsa, size_t* keyLen, int algoId)
     if (ok) {
         *keyLen = len;
     }
+    if (ok && (rsa->type == RSA_FLAG_TYPE_RSASSAPSS)) {
+        word32 pssLen = 0;
+        ok = wp_rsa_pss_encode_alg_id(rsa, rsa->pssParams.mdName,
+            rsa->pssParams.mgfMdName, rsa->pssParams.saltLen, NULL, &pssLen);
+        if (ok) {
+            *keyLen += pssLen;
+        }
+    }
 
     WOLFPROV_LEAVE(WP_LOG_COMP_RSA, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
     return ok;
@@ -2981,6 +3058,36 @@ static int wp_rsa_encode_pki(const wp_Rsa* rsa, unsigned char* keyData,
             ok = 0;
         }
     }
+    if (ok && rsa->type == RSA_FLAG_TYPE_RSASSAPSS) {
+        word32 pssLen = 0;
+        word32 i;
+
+        /* Find where Algorithm ID is by looking for RSA PKCS#1 OID. */
+        ok = wp_rsa_find_oid(keyData, ret, rsa_pkcs1_oid, RSA_PKCS1_OID_SZ,
+            &i);
+        if (ok) {
+            i += 11;
+            /* Get length of encoded RSA-PSS Algorithm ID. */
+            ok = wp_rsa_pss_encode_alg_id(rsa, rsa->pssParams.mdName,
+                rsa->pssParams.mgfMdName, rsa->pssParams.saltLen, NULL,
+                &pssLen);
+        }
+        if (ok) {
+            /* Move rest of key to after RSA-PSS Algorithm ID. */
+            XMEMMOVE(keyData + 7 + pssLen, keyData + i, ret - i);
+            /* Encode RSA-PSS Algorithm ID. */
+            ok = wp_rsa_pss_encode_alg_id(rsa, rsa->pssParams.mdName,
+                rsa->pssParams.mgfMdName, rsa->pssParams.saltLen,
+                keyData + 7, &pssLen);
+        }
+        if (ok) {
+            /* Update return length. */
+            ret += pssLen - 13;
+            /* Update first sequence. */
+            keyData[2] = (byte)((ret - 4) >> 8);
+            keyData[3] = (byte)((ret - 4) & 0xff);
+        }
+    }
     if (ok) {
         *keyLen = ret;
     }